From 145aebb5523f947d7cea62df12ac05a4d5b65004 Mon Sep 17 00:00:00 2001
From: Chris Knowles
Date: Sat, 5 Nov 2016 15:20:15 +0800
Subject: [PATCH] Allow ECR pull from controller IAM role

Goes some way to resolve https://github.com/coreos/coreos-kubernetes/issues/620
---
 config/templates/stack-template.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/config/templates/stack-template.json b/config/templates/stack-template.json
index eb43e098e..66bca98e6 100644
--- a/config/templates/stack-template.json
+++ b/config/templates/stack-template.json
@@ -200,6 +200,19 @@
 "Action" : "kms:Decrypt",
 "Effect" : "Allow",
 "Resource" : "{{.KMSKeyARN}}"
+ },
+ {
+ "Action": [
+ "ecr:GetAuthorizationToken",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:GetRepositoryPolicy",
+ "ecr:DescribeRepositories",
+ "ecr:ListImages",
+ "ecr:BatchGetImage"
+ ],
+ "Resource": "*",
+ "Effect": "Allow"
 }
 ],
 "Version": "2012-10-17"
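Review bot: The new statement grants all seven ECR actions on `"Resource": "*"`, but only `ecr:GetAuthorizationToken` requires a wildcard resource; the layer and image actions accept repository ARNs, so as written the role can read every repository in the account. Splitting it into two statements, as below, keeps the token call on `*` and scopes the rest to repositories in the stack's own account and region. This assumes the template is rendered to CloudFormation and that images are not pulled cross-account or cross-region; widen the ARN if they are. `ecr:GetRepositoryPolicy`, `ecr:DescribeRepositories` and `ecr:ListImages` are not needed for an image pull and could be dropped if nothing on the node enumerates repositories. The enclosing policy document and the role it attaches to start outside the hunk.

```json
{
  "Action": "ecr:GetAuthorizationToken",
  "Resource": "*",
  "Effect": "Allow"
},
{
  "Action": [
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:GetRepositoryPolicy",
    "ecr:DescribeRepositories",
    "ecr:ListImages",
    "ecr:BatchGetImage"
  ],
  "Resource": { "Fn::Join": ["", [
    "arn:aws:ecr:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":repository/*"
  ]] },
  "Effect": "Allow"
}
```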