The reason for the error is that the actions you've specified aren't permitted in private registry policies. The actions allowed are explained in this documentation article: https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry-permissions.html and don't include any of the permissions you've specified.
I think you might be meaning to specify a repository policy rather than a registry policy. You can do that with the RepositoryPolicyText property of AWS::ECR::Repository: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html#cfn-ecr-repository-repositorypolicytext
The error message you're encountering indicates that there is an issue with the format of your ECR registry policy in the CloudFormation template. Here’s how you can resolve the issue:
Steps to Troubleshoot
Validate JSON Structure: Ensure the policy JSON structure is correct. PolicyText must be a properly formatted JSON string.
Correct Indentation and Formatting: Ensure proper indentation and formatting of the CloudFormation YAML. YAML is sensitive to indentation, and incorrect indentation can lead to parsing issues.
Stringify PolicyText: The PolicyText property should be treated as a JSON string. In YAML, you can use the Fn::Sub function to handle complex substitutions and stringification.
Corrected CloudFormation Template
Here is the corrected version of your CloudFormation template:
  ECRRepositoryPolicy:
    Type: AWS::ECR::RepositoryPolicy
    DeletionPolicy: Delete
    Properties:
      RepositoryName: !Ref ECRRepository
      PolicyText: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AllowToolingAccountPush",
              "Effect": "Allow",
              "Principal": {
                "AWS": [
                  "arn:aws:iam::${AccountA}:root",
                  "arn:aws:iam::${AccountA}:role/DeploymentRole"
                ]
              },
              "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:CompleteLayerUpload",
                "ecr:InitiateLayerUpload",
                "ecr:PutImage",
                "ecr:UploadLayerPart",
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer"
              ],
              "Resource": "${ECRRepository.Arn}"
            }
          ]
        }
Key Changes Made:
Type Correction: Ensure the Type of the resource is AWS::ECR::RepositoryPolicy instead of AWS::ECR::RegistryPolicy.
YAML Stringification: Used !Sub with | to properly format the PolicyText as a JSON string.
RepositoryName Property: Added the RepositoryName property to link the policy to the specific ECR repository.
Substitution for Resource ARN: Ensured that ${ECRRepository.Arn} is correctly substituted in the policy.
Explanation:
RepositoryName: Ensures the policy is applied to the correct ECR repository.
!Sub |: Allows multiline strings and ensures correct JSON formatting and substitution within YAML.
PolicyText: Properly formatted JSON string with embedded substitutions for AccountA and ECRRepository.Arn.
Apply the Changes: Deploy this corrected template via the AWS CloudFormation console or CLI, and it should resolve the "Invalid registry policy provided" error.
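For readers comparing the two answers above: the actions being granted (push and pull on one repository) are repository-scoped, so the first answer's approach, the RepositoryPolicyText property of AWS::ECR::Repository, is where they belong. The template below is an added example written for this page, not code from either answer or from AWS. It reuses the AccountA parameter and DeploymentRole role name from the second answer's template; the repository name and the scanning and tag-immutability settings are assumptions. It deliberately grants the push principal to the named role only rather than the account root (root as a principal admits every IAM identity in that account whose own policy allows ECR), and it leaves out ecr:GetAuthorizationToken, which is a registry-level action that the pushing identity needs in its own IAM policy rather than in the repository policy.

```yaml
# Added example: repository policy attached directly to the repository
# (first answer's approach). Parameter AccountA and role DeploymentRole
# come from the second answer's template; everything else is assumed.
Parameters:
  AccountA:
    Type: String
    Description: Account ID of the tooling account allowed to push images
    AllowedPattern: '^[0-9]{12}$'

Resources:
  ECRRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: example-app            # assumed name
      ImageTagMutability: IMMUTABLE          # a tag cannot be repointed at a new image
      ImageScanningConfiguration:
        ScanOnPush: true                     # basic vulnerability scan on every push
      # RepositoryPolicyText takes a JSON object, so it can be written as YAML
      # and CloudFormation serialises it; no !Sub over a JSON string is needed,
      # and a repository policy has no Resource element (the repository is implied).
      RepositoryPolicyText:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowToolingAccountPush
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${AccountA}:role/DeploymentRole
            Action:
              - ecr:BatchCheckLayerAvailability
              - ecr:CompleteLayerUpload
              - ecr:InitiateLayerUpload
              - ecr:PutImage
              - ecr:UploadLayerPart
              - ecr:BatchGetImage
              - ecr:GetDownloadUrlForLayer

Outputs:
  RepositoryArn:
    Value: !GetAtt ECRRepository.Arn
```

The principal in the other account still needs an IAM policy granting ecr:GetAuthorizationToken on "*" plus the same repository actions on this repository's ARN; cross-account access to ECR requires both sides to allow it. If the goal really is registry-wide configuration (replication or pull-through cache rules), that is the case for AWS::ECR::RegistryPolicy, with only the actions listed in the registry-permissions documentation linked in the first answer.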