AWS::ECR::RegistryPolicy - AWS CloudFormation

AWS::ECR::RegistryPolicy

The AWS::ECR::RegistryPolicy resource creates or updates the permissions policy for a private registry.

A private registry policy specifies permissions for another AWS account and is used when configuring cross-account replication. For more information, see Registry permissions in the Amazon Elastic Container Registry User Guide.

Syntax

To declare this entity in your CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::ECR::RegistryPolicy",
  "Properties" : {
    "PolicyText" : Json
  }
}

YAML

Type: AWS::ECR::RegistryPolicy
Properties:
  PolicyText: Json

Properties

PolicyText

The JSON policy text for your registry.

Required: Yes

Type: Json

Update requires: No interruption

Return values

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

RegistryId

The account ID of the private registry the policy is associated with.

Examples

Specify a registry policy for a private registry

The following example specifies a private registry policy in us-west-2 that grants permission for account 210987654321 to create repositories and replicate their contents to your private registry.

JSON

"TestRegistryPolicy": {
  "Type": "AWS::ECR::RegistryPolicy",
  "Properties": {
    "PolicyText": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ReplicationAccessCrossAccount",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::210987654321:root"
          },
          "Action": [
            "ecr:CreateRepository",
            "ecr:ReplicateImage"
          ],
          "Resource": "arn:aws:ecr:us-west-2:123456789012:repository/*"
        }
      ]
    }
  }
}

YAML

Resources:
  TestRegistryPolicy:
    Type: 'AWS::ECR::RegistryPolicy'
    Properties:
      PolicyText:
        Version: 2012-10-17
        Statement:
          - Sid: UpdatedRegistryPolicy
            Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::210987654321:root'
            Action:
              - 'ecr:CreateRepository'
              - 'ecr:ReplicateImage'
            Resource: 'arn:aws:ecr:us-west-2:123456789012:repository/*'
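
A pre-deployment check for the PolicyText shown above, as an added example that is not part of the AWS documentation: it flags Allow statements that grant more than cross-account replication to an expected source account. The function name, the trusted-account list and the restriction to the two actions from the example above are assumptions of this sketch.

```python
import re

# Assumption: only the two actions from the page's replication example are wanted.
REPLICATION_ACTIONS = {"ecr:CreateRepository", "ecr:ReplicateImage"}
ACCOUNT_IN_ARN = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):")
REPO_ARN = re.compile(r"^arn:aws[\w-]*:ecr:[\w-]+:(\d{12}):repository/.+$")

# The page's example policy, and a constructed over-broad variant for contrast.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ReplicationAccessCrossAccount", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::210987654321:root"},
    "Action": ["ecr:CreateRepository", "ecr:ReplicateImage"],
    "Resource": "arn:aws:ecr:us-west-2:123456789012:repository/*"}]}
LOOSE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "TooBroad", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "ecr:*", "Resource": "*"}]}

def _as_list(value):  # policy fields may hold a single value or a list
    return value if isinstance(value, list) else [value]

def audit_registry_policy(policy_text, registry_account, trusted_accounts):
    """Return findings for Allow statements broader than replication needs."""
    findings = []
    for stmt in _as_list(policy_text.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        principals = (_as_list(principal.get("AWS", []))
                      if isinstance(principal, dict) else [principal])
        for p in principals:
            m = ACCOUNT_IN_ARN.match(p)
            account = m.group(1) if m else p  # bare account IDs are valid too
            if account == "*":
                findings.append(f"{sid}: wildcard principal")
            elif account not in trusted_accounts:
                findings.append(f"{sid}: untrusted principal {p}")
        for action in _as_list(stmt.get("Action", [])):
            if action not in REPLICATION_ACTIONS:
                findings.append(f"{sid}: unexpected action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            m = REPO_ARN.match(resource)
            if not m or m.group(1) != registry_account:
                findings.append(f"{sid}: resource outside registry {resource}")
    return findings

if __name__ == "__main__":
    for name, pol in (("page", PAGE_POLICY), ("loose", LOOSE_POLICY)):
        print(name, audit_registry_policy(pol, "123456789012", {"210987654321"}))
```

Run it against the PolicyText extracted from a template before the stack update, with the registry's own account ID and the list of accounts that are allowed to replicate into it.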