---
# System prepended metadata

title: Identity-Based Policy for ECR
tags: [iam, aws, ecr]

---

# Identity-Based Policy for ECR

[TOC]

###### tags: `aws` `iam` `ecr`

---

## Accessing Amazon ECR Repositories

Granting an IAM user in AWS account access to all of your Amazon ECR repositories, allowing the user to push, pull, and list images.

```json
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "ListImagesInRepository",
			"Effect": "Allow",
			"Action": [
				"ecr:ListImages"
			],
			"Resource": "arn:aws:ecr:{REGION}:{ACCOUNT_ID}:repository/{REPOSITORY}"
		},
		{
			"Sid": "GetAuthorizationToken",
			"Effect": "Allow",
			"Action": [
				"ecr:GetAuthorizationToken"
			],
			"Resource": "*"
		},
		{
			"Sid": "ManageRepositoryContents",
			"Effect": "Allow",
			"Action": [
				"ecr:BatchCheckLayerAvailability",
				"ecr:GetDownloadUrlForLayer",
				"ecr:GetRepositoryPolicy",
				"ecr:DescribeRepositories",
				"ecr:ListImages",
				"ecr:DescribeImages",
				"ecr:BatchGetImage",
				"ecr:InitiateLayerUpload",
				"ecr:UploadLayerPart",
				"ecr:CompleteLayerUpload",
				"ecr:PutImage"
			],
			"Resource": "arn:aws:ecr:{REGION}:{ACCOUNT_ID}:repository/{REPOSITORY}"
		}
	]
}
```

### `{REGION}`

| Region           | Region Name               |
| ---------------- | ------------------------- |
| `us-east-2`      | US East (Ohio)            |
| `us-east-1`      | US East (N. Virginia)     |
| `us-west-1`      | US West (N. California)   |
| `us-west-2`      | US West (Oregon)          |
| `af-south-1`     | Africa (Cape Town)        |
| `ap-east-1`      | Asia Pacific (Hong Kong)  |
| `ap-southeast-3` | Asia Pacific (Jakarta)    |
| `ap-south-1`     | Asia Pacific (Mumbai)     |
| `ap-northeast-3` | Asia Pacific (Osaka)      |
| `ap-northeast-2` | Asia Pacific (Seoul)      |
| `ap-southeast-1` | Asia Pacific (Singapore)  |
| `ap-southeast-2` | Asia Pacific (Sydney)     |
| `ap-northeast-1` | Asia Pacific (Tokyo)      |
| `ca-central-1`   | Canada (Central)          |
| `eu-central-1`   | Europe (Frankfurt)        |
| `eu-west-1`      | Europe (Ireland)          |
| `eu-west-2`      | Europe (London)           |
| `eu-south-1`     | Europe (Milan)            |
| `eu-west-3`      | Europe (Paris)            |
| `eu-north-1`     | Europe (Stockholm)        |
| `me-south-1`     | Middle East (Bahrain)     |
| `sa-east-1`      | South America (São Paulo) |
| `us-gov-east-1`  | AWS GovCloud (US-East)    |
| `us-gov-west-1`  | AWS GovCloud (US-West)    |

## Reference

- [Amazon Elastic Container Registry Identity-Based Policy Examples](https://docs.aws.amazon.com/AmazonECR/latest/userguide/security_iam_id-based-policy-examples.html)