search

cloudposse / terraform-aws-ecr

Terraform Module to manage Docker Container Registries on AWS ECR
https://cloudposse.com/accelerate
Apache License 2.0
185 stars 133 forks source link

Reduce permission to functions only #96

Open ngoyal16 opened 2 years ago

ngoyal16 commented 2 years ago

Found a bug? Maybe our Slack Community can help.

Slack Community

Describe the Bug

Currently CrossAccountPermission permission also being added to the ECR policy when principle_lambda variable is added. which will allow members form other account to use image apart from lambda also. and it is also working without adding that CrossAccountPermission as well

Expected Behavior

  1. should not allow permission other then lambda functions
  2. Write only permission feature should be there which will allow user to write image only to the ecr repo. not other features. 
{
      "Sid": "WriteOnlyAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "priniciple_arn"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:CompleteLayerUpload",
        "ecr:InitiateLayerUpload",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ]
    }