
Commit ce7bdea

authored
feat(ecr): grantRead on repositories (#25445)
Adds a grantRead method with `ecr:DescribeRepositories` and `ecr:DescribeImages` permissions. The use case is for something like cdk-assets, which tries to look up the repository / image name as part of the publishing step (so it doesn't publish a duplicate). ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent 75212eb commit ce7bdea


10 files changed

+228
-33
lines changed

10 files changed

+228
-33
lines changed

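--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr/test/integ.basic.js.snapshot/aws-ecr-integ-stack.assets.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr/test/integ.basic.js.snapshot/aws-ecr-integ-stack.assets.json
@@ -1,15 +1,15 @@
 {
-"version": "30.1.0",
+"version": "31.0.0",
 "files": {
-"26df443ecb3d9a917feccf0349d0f8852c227c138904499fe5e26de6a090654c": {
+"a047e78171779d23d25e3fc35f2b3ce7ff7313e616a588b6f8773b9360f12b26": {
 "source": {
 "path": "aws-ecr-integ-stack.template.json",
 "packaging": "file"
 },
 "destinations": {
 "current_account-current_region": {
 "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-"objectKey": "26df443ecb3d9a917feccf0349d0f8852c227c138904499fe5e26de6a090654c.json",
+"objectKey": "a047e78171779d23d25e3fc35f2b3ce7ff7313e616a588b6f8773b9360f12b26.json",
 "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
 }
 }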

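--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr/test/integ.basic.js.snapshot/aws-ecr-integ-stack.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr/test/integ.basic.js.snapshot/aws-ecr-integ-stack.template.json
@@ -7,20 +7,64 @@
 "LifecyclePolicyText": "{\"rules\":[{\"rulePriority\":1,\"selection\":{\"tagStatus\":\"any\",\"countType\":\"imageCountMoreThan\",\"countNumber\":5},\"action\":{\"type\":\"expire\"}}]}"
 },
 "RepositoryPolicyText": {
-"Statement": [
-{
-"Action": "ecr:GetDownloadUrlForLayer",
-"Effect": "Allow",
-"Principal": {
-"AWS": "*"
-}
+"Statement": [
+{
+"Action": "ecr:GetDownloadUrlForLayer",
+"Effect": "Allow",
+"Principal": {
+"AWS": "*"
 }
-],
-"Version": "2012-10-17"
-}
+}
+],
+"Version": "2012-10-17"
+}
 },
 "UpdateReplacePolicy": "Retain",
 "DeletionPolicy": "Retain"
+},
+"MyUserDC45028B": {
+"Type": "AWS::IAM::User"
+},
+"MyUserDefaultPolicy7B897426": {
+"Type": "AWS::IAM::Policy",
+"Properties": {
+"PolicyDocument": {
+"Statement": [
+{
+"Action": [
+"ecr:BatchCheckLayerAvailability",
+"ecr:BatchGetImage",
+"ecr:CompleteLayerUpload",
+"ecr:DescribeImages",
+"ecr:DescribeRepositories",
+"ecr:GetDownloadUrlForLayer",
+"ecr:InitiateLayerUpload",
+"ecr:PutImage",
+"ecr:UploadLayerPart"
+],
+"Effect": "Allow",
+"Resource": {
+"Fn::GetAtt": [
+"Repo02AC86CF",
+"Arn"
+]
+}
+},
+{
+"Action": "ecr:GetAuthorizationToken",
+"Effect": "Allow",
+"Resource": "*"
+}
+],
+"Version": "2012-10-17"
+},
+"PolicyName": "MyUserDefaultPolicy7B897426",
+"Users": [
+{
+"Ref": "MyUserDC45028B"
+}
+]
+}
 }
 },
 "Outputs": {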
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
{"version":"30.1.0"}
1+
{"version":"31.0.0"}

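--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr/test/integ.basic.js.snapshot/cdkecrintegtestbasicDefaultTestDeployAssert4F7FBFB4.assets.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr/test/integ.basic.js.snapshot/cdkecrintegtestbasicDefaultTestDeployAssert4F7FBFB4.assets.json
@@ -1,5 +1,5 @@
 {
-"version": "30.1.0",
+"version": "31.0.0",
 "files": {
 "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
 "source": {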

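--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr/test/integ.basic.js.snapshot/integ.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr/test/integ.basic.js.snapshot/integ.json
@@ -1,5 +1,5 @@
 {
-"version": "30.1.0",
+"version": "31.0.0",
 "testCases": {
 "cdk-ecr-integ-test-basic/DefaultTest": {
 "stacks": [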

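--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr/test/integ.basic.js.snapshot/manifest.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr/test/integ.basic.js.snapshot/manifest.json
@@ -1,5 +1,5 @@
 {
-"version": "30.1.0",
+"version": "31.0.0",
 "artifacts": {
 "aws-ecr-integ-stack.assets": {
 "type": "cdk:asset-manifest",
@@ -17,7 +17,7 @@
 "validateOnSynth": false,
 "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
 "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/26df443ecb3d9a917feccf0349d0f8852c227c138904499fe5e26de6a090654c.json",
+"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/a047e78171779d23d25e3fc35f2b3ce7ff7313e616a588b6f8773b9360f12b26.json",
 "requiresBootstrapStackVersion": 6,
 "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
 "additionalDependencies": [
@@ -39,6 +39,18 @@
 "data": "Repo02AC86CF"
 }
 ],
+"/aws-ecr-integ-stack/MyUser/Resource": [
+{
+"type": "aws:cdk:logicalId",
+"data": "MyUserDC45028B"
+}
+],
+"/aws-ecr-integ-stack/MyUser/DefaultPolicy/Resource": [
+{
+"type": "aws:cdk:logicalId",
+"data": "MyUserDefaultPolicy7B897426"
+}
+],
 "/aws-ecr-integ-stack/RepositoryURI": [
 {
 "type": "aws:cdk:logicalId",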

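--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr/test/integ.basic.js.snapshot/tree.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr/test/integ.basic.js.snapshot/tree.json
@@ -20,47 +20,140 @@
 "aws:cdk:cloudformation:props": {
 "lifecyclePolicy": {
 "lifecyclePolicyText": "{\"rules\":[{\"rulePriority\":1,\"selection\":{\"tagStatus\":\"any\",\"countType\":\"imageCountMoreThan\",\"countNumber\":5},\"action\":{\"type\":\"expire\"}}]}"
+},
+"repositoryPolicyText": {
+"Statement": [
+{
+"Action": "ecr:GetDownloadUrlForLayer",
+"Effect": "Allow",
+"Principal": {
+"AWS": "*"
+}
+}
+],
+"Version": "2012-10-17"
 }
 }
 },
 "constructInfo": {
-"fqn": "@aws-cdk/aws-ecr.CfnRepository",
+"fqn": "aws-cdk-lib.aws_ecr.CfnRepository",
 "version": "0.0.0"
 }
 }
 },
 "constructInfo": {
-"fqn": "@aws-cdk/aws-ecr.Repository",
+"fqn": "aws-cdk-lib.aws_ecr.Repository",
+"version": "0.0.0"
+}
+},
+"MyUser": {
+"id": "MyUser",
+"path": "aws-ecr-integ-stack/MyUser",
+"children": {
+"Resource": {
+"id": "Resource",
+"path": "aws-ecr-integ-stack/MyUser/Resource",
+"attributes": {
+"aws:cdk:cloudformation:type": "AWS::IAM::User",
+"aws:cdk:cloudformation:props": {}
+},
+"constructInfo": {
+"fqn": "aws-cdk-lib.aws_iam.CfnUser",
+"version": "0.0.0"
+}
+},
+"DefaultPolicy": {
+"id": "DefaultPolicy",
+"path": "aws-ecr-integ-stack/MyUser/DefaultPolicy",
+"children": {
+"Resource": {
+"id": "Resource",
+"path": "aws-ecr-integ-stack/MyUser/DefaultPolicy/Resource",
+"attributes": {
+"aws:cdk:cloudformation:type": "AWS::IAM::Policy",
+"aws:cdk:cloudformation:props": {
+"policyDocument": {
+"Statement": [
+{
+"Action": [
+"ecr:BatchCheckLayerAvailability",
+"ecr:BatchGetImage",
+"ecr:CompleteLayerUpload",
+"ecr:DescribeImages",
+"ecr:DescribeRepositories",
+"ecr:GetDownloadUrlForLayer",
+"ecr:InitiateLayerUpload",
+"ecr:PutImage",
+"ecr:UploadLayerPart"
+],
+"Effect": "Allow",
+"Resource": {
+"Fn::GetAtt": [
+"Repo02AC86CF",
+"Arn"
+]
+}
+},
+{
+"Action": "ecr:GetAuthorizationToken",
+"Effect": "Allow",
+"Resource": "*"
+}
+],
+"Version": "2012-10-17"
+},
+"policyName": "MyUserDefaultPolicy7B897426",
+"users": [
+{
+"Ref": "MyUserDC45028B"
+}
+]
+}
+},
+"constructInfo": {
+"fqn": "aws-cdk-lib.aws_iam.CfnPolicy",
+"version": "0.0.0"
+}
+}
+},
+"constructInfo": {
+"fqn": "aws-cdk-lib.aws_iam.Policy",
+"version": "0.0.0"
+}
+}
+},
+"constructInfo": {
+"fqn": "aws-cdk-lib.aws_iam.User",
 "version": "0.0.0"
 }
 },
 "RepositoryURI": {
 "id": "RepositoryURI",
 "path": "aws-ecr-integ-stack/RepositoryURI",
 "constructInfo": {
-"fqn": "@aws-cdk/core.CfnOutput",
+"fqn": "aws-cdk-lib.CfnOutput",
 "version": "0.0.0"
 }
 },
 "BootstrapVersion": {
 "id": "BootstrapVersion",
 "path": "aws-ecr-integ-stack/BootstrapVersion",
 "constructInfo": {
-"fqn": "@aws-cdk/core.CfnParameter",
+"fqn": "aws-cdk-lib.CfnParameter",
 "version": "0.0.0"
 }
 },
 "CheckBootstrapVersion": {
 "id": "CheckBootstrapVersion",
 "path": "aws-ecr-integ-stack/CheckBootstrapVersion",
 "constructInfo": {
-"fqn": "@aws-cdk/core.CfnRule",
+"fqn": "aws-cdk-lib.CfnRule",
 "version": "0.0.0"
 }
 }
 },
 "constructInfo": {
-"fqn": "@aws-cdk/core.Stack",
+"fqn": "aws-cdk-lib.Stack",
 "version": "0.0.0"
 }
 },
@@ -77,7 +170,7 @@
 "path": "cdk-ecr-integ-test-basic/DefaultTest/Default",
 "constructInfo": {
 "fqn": "constructs.Construct",
-"version": "10.1.252"
+"version": "10.1.270"
 }
 },
 "DeployAssert": {
@@ -88,33 +181,33 @@
 "id": "BootstrapVersion",
 "path": "cdk-ecr-integ-test-basic/DefaultTest/DeployAssert/BootstrapVersion",
 "constructInfo": {
-"fqn": "@aws-cdk/core.CfnParameter",
+"fqn": "aws-cdk-lib.CfnParameter",
 "version": "0.0.0"
 }
 },
 "CheckBootstrapVersion": {
 "id": "CheckBootstrapVersion",
 "path": "cdk-ecr-integ-test-basic/DefaultTest/DeployAssert/CheckBootstrapVersion",
 "constructInfo": {
-"fqn": "@aws-cdk/core.CfnRule",
+"fqn": "aws-cdk-lib.CfnRule",
 "version": "0.0.0"
 }
 }
 },
 "constructInfo": {
-"fqn": "@aws-cdk/core.Stack",
+"fqn": "aws-cdk-lib.Stack",
 "version": "0.0.0"
 }
 }
 },
 "constructInfo": {
-"fqn": "@aws-cdk/integ-tests.IntegTestCase",
+"fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase",
 "version": "0.0.0"
 }
 }
 },
 "constructInfo": {
-"fqn": "@aws-cdk/integ-tests.IntegTest",
+"fqn": "@aws-cdk/integ-tests-alpha.IntegTest",
 "version": "0.0.0"
 }
 },
@@ -123,12 +216,12 @@
 "path": "Tree",
 "constructInfo": {
 "fqn": "constructs.Construct",
-"version": "10.1.252"
+"version": "10.1.270"
 }
 }
 },
 "constructInfo": {
-"fqn": "@aws-cdk/core.App",
+"fqn": "aws-cdk-lib.App",
 "version": "0.0.0"
 }
 }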

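--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecr/test/integ.basic.ts
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecr/test/integ.basic.ts
@@ -13,6 +13,10 @@ repo.addToResourcePolicy(new iam.PolicyStatement({
 principals: [new iam.AnyPrincipal()],
 }));
 
+const user = new iam.User(stack, 'MyUser');
+repo.grantRead(user);
+repo.grantPullPush(user);
+
 new cdk.CfnOutput(stack, 'RepositoryURI', {
 value: repo.repositoryUri,
 });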
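Review bot: The integ test applies both grantRead and grantPullPush to the same user, so the snapshot's single policy statement merges the two grants and cannot show which actions grantRead alone contributes, which is the feature this commit introduces. A second principal that receives only the read grant, e.g. `const reader = new iam.User(stack, 'MyReadOnlyUser'); repo.grantRead(reader);`, would let the snapshot confirm that the read grant stays limited to the describe/read actions and does not pick up push permissions. The grantRead implementation itself is not among the file sections visible here, so this is based only on the test and its snapshot.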
