From c072981c175bf0509e9c606ff9ed441a0c7aef31 Mon Sep 17 00:00:00 2001
From: Niranjan Jayakar
Date: Mon, 30 Nov 2020 15:50:30 +0000
Subject: [PATCH] feat(ecr): authorization token retrieval grants (#11783)
See README.md
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 packages/@aws-cdk/aws-ecr/README.md | 16 ++++++++++
 packages/@aws-cdk/aws-ecr/lib/auth-token.ts | 20 ++++++++++++
 packages/@aws-cdk/aws-ecr/lib/index.ts | 1 +
 .../@aws-cdk/aws-ecr/test/test.auth-token.ts | 31 +++++++++++++++++++
 4 files changed, 68 insertions(+)
 create mode 100644 packages/@aws-cdk/aws-ecr/lib/auth-token.ts
 create mode 100644 packages/@aws-cdk/aws-ecr/test/test.auth-token.ts
diff --git a/packages/@aws-cdk/aws-ecr/README.md b/packages/@aws-cdk/aws-ecr/README.md
index 97115adc5f647..a2e4ab8ee3d35 100644
--- a/packages/@aws-cdk/aws-ecr/README.md
+++ b/packages/@aws-cdk/aws-ecr/README.md
@@ -37,6 +37,22 @@ repository.onImageScanCompleted('ImageScanComplete')
 .addTarget(...)
 ```
+### Authorization Token
+
+Besides the Amazon ECR APIs, ECR also allows the Docker CLI or a language-specific Docker library to push and pull
+images from an ECR repository. However, the Docker CLI does not support native IAM authentication methods and
+additional steps must be taken so that Amazon ECR can authenticate and authorize Docker push and pull requests.
+More information can be found at at [Registry Authentication](https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth).
+
+A Docker authorization token can be obtained using the `GetAuthorizationToken` ECR API. The following code snippets
+grants an IAM user access to call this API.
+
+```ts
+import * as iam from '@aws-cdk/aws-iam';
+
+const user = new iam.User(this, 'User', { ... });
+AuthorizationToken.grantRead(user);
+```
 ### Automatically clean up repositories 
diff --git a/packages/@aws-cdk/aws-ecr/lib/auth-token.ts b/packages/@aws-cdk/aws-ecr/lib/auth-token.ts
new file mode 100644
index 0000000000000..52c10cc513d0a
--- /dev/null
+++ b/packages/@aws-cdk/aws-ecr/lib/auth-token.ts
@@ -0,0 +1,20 @@
+import * as iam from '@aws-cdk/aws-iam';
+
+/**
+ * Authorization token to access ECR repositories via Docker CLI.
+ */
+export class AuthorizationToken {
+ /**
+ * Grant access to retrieve an authorization token.
+ */
+ public static grantRead(grantee: iam.IGrantable) {
+ grantee.grantPrincipal.addToPrincipalPolicy(new iam.PolicyStatement({
+ actions: ['ecr:GetAuthorizationToken'],
+ // GetAuthorizationToken only allows '*'. See https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistry.html#amazonelasticcontainerregistry-actions-as-permissions
+ resources: ['*'],
+ }));
+ }
+
+ private constructor() {
+ }
+}
diff --git a/packages/@aws-cdk/aws-ecr/lib/index.ts b/packages/@aws-cdk/aws-ecr/lib/index.ts
index bfeae449ded7c..63fff9b49a1c4 100644
--- a/packages/@aws-cdk/aws-ecr/lib/index.ts
+++ b/packages/@aws-cdk/aws-ecr/lib/index.ts
@@ -3,3 +3,4 @@ export * from './ecr.generated';
 export * from './repository';
 export * from './lifecycle';
+export * from './auth-token';
diff --git a/packages/@aws-cdk/aws-ecr/test/test.auth-token.ts b/packages/@aws-cdk/aws-ecr/test/test.auth-token.ts
new file mode 100644
index 0000000000000..4e9e12e4fb078
--- /dev/null
+++ b/packages/@aws-cdk/aws-ecr/test/test.auth-token.ts 
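Review bot: `grantRead` in auth-token.ts discards the result of `addToPrincipalPolicy` and returns nothing, so when the grantee's principal cannot take a policy statement (an imported principal that is not mutable, for instance) the grant is silently a no-op and the caller has no way to detect it. The other `grant*` methods in the CDK build the statement through `iam.Grant.addToPrincipal(...)` and return the resulting `iam.Grant`, whose `success` flag and `assertSuccess()` surface that case; doing the same here would also give the public method the explicit `: iam.Grant` return type it currently lacks. The `resources: ['*']` comment is correct for this action and should stay as is.
```typescript
  public static grantRead(grantee: iam.IGrantable): iam.Grant {
    return iam.Grant.addToPrincipal({
      grantee,
      actions: ['ecr:GetAuthorizationToken'],
      // GetAuthorizationToken only allows '*'. See https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistry.html#amazonelasticcontainerregistry-actions-as-permissions
      resourceArns: ['*'],
    });
  }
```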
@@ -0,0 +1,31 @@
+import { expect, haveResourceLike } from '@aws-cdk/assert';
+import * as iam from '@aws-cdk/aws-iam';
+import { Stack } from '@aws-cdk/core';
+import { Test } from 'nodeunit';
+import { AuthorizationToken } from '../lib';
+
+export = {
+ 'grant()'(test: Test) {
+ // GIVEN
+ const stack = new Stack();
+ const user = new iam.User(stack, 'User');
+
+ // WHEN
+ AuthorizationToken.grantRead(user);
+
+ // THEN
+ expect(stack).to(haveResourceLike('AWS::IAM::Policy', {
+ PolicyDocument: {
+ Statement: [
+ {
+ Action: 'ecr:GetAuthorizationToken',
+ Effect: 'Allow',
+ Resource: '*',
+ },
+ ],
+ },
+ }));
+
+ test.done();
+ },
+};
\ No newline at end of file
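Review bot: The test case is keyed `'grant()'` but the method under test is `grantRead`; renaming it to `'grantRead()'` keeps the nodeunit output traceable to the API. The single case covers only the happy path on a freshly created `iam.User`; there is no case for a grantee whose policy cannot be modified, which is the situation where a grant that returns nothing would fail silently, so a second case asserting what `grantRead` does for such a principal would make the contract explicit.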