Set up new private perms

PRX · Sep 13, 2024 · cf415f0 · cf415f0
1 parent 52b986b
commit cf415f0
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/iam-roles/PRX-GHA-AccessRole/template.yml b/iam-roles/PRX-GHA-AccessRole/template.yml
@@ -41,6 +41,7 @@ Resources:
         - !Ref SesMailSendPolicy
         - !Ref PassCloudFormationRolePolicy
         - !Ref EcrPublicPushPolicy
+        - !Ref PrivateEcrPushPolicy
       RoleName: PRX-GHA-AccessRole
       Tags:
         - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
@@ -162,3 +163,27 @@ Resources:
             Resource: "*"
             Sid: AllowEcrPublicRepoImagePush
         Version: "2012-10-17"
+
+  # GH actions push to private ECR repos
+  PrivateEcrPushPolicy:
+      Type: AWS::IAM::ManagedPolicy
+      Properties:
+        Description: Allows pushing Docker images to private ECR repositories
+        PolicyDocument:
+          Version: "2012-10-17"
+          Statement:
+            - Effect: Allow
+              Action:
+                - ecr:GetAuthorizationToken
+                - ecr:BatchCheckLayerAvailability
+                - ecr:GetDownloadUrlForLayer
+                - ecr:GetRepositoryPolicy
+                - ecr:DescribeRepositories
+                - ecr:ListImages
+                - ecr:DescribeImages
+                - ecr:BatchGetImage
+                - ecr:InitiateLayerUpload
+                - ecr:UploadLayerPart
+                - ecr:CompleteLayerUpload
+                - ecr:PutImage
+              Resource: "*"