bazel-contrib / rules_oci

Bazel rules for building OCI containers
Apache License 2.0

v2beta1: `oci_push` to AWS ECR needs `ecr:BatchGetImage` permission #648

Closed: hanneskaeufler closed this 3 weeks ago

hanneskaeufler commented 1 month ago

Using oci_push like so:

oci_push(
  name = "push",
  image = ":image",
  remote_tags = ["latest"],
  repository = "undefined",
)

and running on CI

bazel run //redacted:push -- --repository XXX.dkr.ecr.XXX.amazonaws.com/XXX --tag mytag

yields

User: arn:aws:iam::XXX:user/XXX-ecr-push is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr:XXX:XXX:repository/XXX because no identity-based policy allows the ecr:BatchGetImage action

This was not needed with rules_docker. Is that a bug or expected? Obviously I'd like my permissions to be as tight as can be.

thesayyn commented 1 month ago

We use crane in the oci_push rule, which might explain better why this permission is needed. My instinct says that this permission is justified, as oci_push is idempotent and therefore needs to do some probing to determine if the image exists.
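As an added example (not part of this issue, and not rules_oci or crane code), the following Python check compares the CI user's identity-based IAM policy against the ECR actions a crane-style push is assumed to need, and reports what is missing. The account, region and repository values are placeholders; the required-action set is an assumption drawn from AWS's documented ECR push permissions plus the `ecr:BatchGetImage` action reported above; the two policies are constructed to show the failing policy beside a corrected one.

```python
"""Least-privilege pre-flight check for an ECR push identity used by oci_push.

Added example, not rules_oci or crane code. It embeds a constructed
identity-based policy that reproduces the error in the issue (no
ecr:BatchGetImage), a corrected policy, and a minimal evaluator that
reports which required actions a policy does not allow on the repository.
"""
import fnmatch
import json

# Placeholder account / region / repository; replace with your own.
REPO_ARN = "arn:aws:ecr:us-east-1:123456789012:repository/myapp"

# Assumption: actions an idempotent crane push needs. The first six are
# AWS's documented ECR push permissions; BatchGetImage is the one crane uses
# to probe whether the image already exists (the permission from the issue).
REQUIRED_ACTIONS = {
    "ecr:GetAuthorizationToken",       # must be granted on Resource "*"
    "ecr:BatchCheckLayerAvailability",
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:PutImage",
    "ecr:BatchGetImage",
}

# Constructed policy written for the old rules_docker push: no BatchGetImage.
POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:PutImage",
            ],
            "Resource": REPO_ARN,
        },
    ],
}

# Corrected policy: same scope, with the probe permission added to the
# repository-scoped statement only (not granted on "*").
POLICY_AFTER = json.loads(json.dumps(POLICY_BEFORE))
POLICY_AFTER["Statement"][1]["Action"].append("ecr:BatchGetImage")


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def missing_actions(policy, resource_arn):
    """Return the REQUIRED_ACTIONS that `policy` does not allow on `resource_arn`.

    Handles Effect/Action/Resource with IAM-style '*' wildcards and lets an
    explicit Deny win over Allow. Condition blocks and resource-based
    (repository) policies are deliberately not evaluated.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            continue  # statement does not cover this repository
        bucket = allowed if stmt["Effect"] == "Allow" else denied
        for required in REQUIRED_ACTIONS:
            if any(fnmatch.fnmatchcase(required, a) for a in actions):
                bucket.add(required)
    return REQUIRED_ACTIONS - (allowed - denied)


def report(policy, resource_arn):
    """Human-readable summary of the check, for running the file directly."""
    missing = sorted(missing_actions(policy, resource_arn))
    if not missing:
        return f"OK: all {len(REQUIRED_ACTIONS)} push actions allowed on {resource_arn}"
    return f"MISSING on {resource_arn}: {', '.join(missing)}"


if __name__ == "__main__":
    print("before:", report(POLICY_BEFORE, REPO_ARN))
    print("after: ", report(POLICY_AFTER, REPO_ARN))
```

The check is intentionally narrow: `ecr:GetAuthorizationToken` is not resource-scoped and stays on `"*"`, everything else is granted on the single repository ARN, and the evaluator ignores `Condition` blocks and the repository's own resource-based policy, so treat it as a quick pre-flight on a policy document rather than a substitute for the IAM policy simulator.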

thesayyn commented 3 weeks ago

Going to close as there is nothing for us to fix here.