AWS codepipeline documentation change
Summary
Added detailed service role permissions section for ECRBuildAndPublish action including required IAM policies for ECR/ECR Public operations and CloudWatch logging
Security assessment
The change adds documentation about required IAM permissions and security best practices (resource scoping) but does not indicate a response to a specific security vulnerability
Diff
diff --git a/codepipeline/latest/userguide/action-reference-ECRBuildAndPublish.md b/codepipeline/latest/userguide/action-reference-ECRBuildAndPublish.md index c2af62ff0..574b4da73 100644 --- a/codepipeline/latest/userguide/action-reference-ECRBuildAndPublish.md +++ b/codepipeline/latest/userguide/action-reference-ECRBuildAndPublish.md @@ -5 +5 @@ -Action typeConfiguration parameters Input artifactsOutput artifactsOutput variablesAction declarationSee also +Action typeConfiguration parameters Input artifactsOutput artifactsOutput variablesService role permissions: ECRBuildAndPublish actionAction declarationSee also @@ -34,0 +35,2 @@ This action is only available for V2 type pipelines. + * Service role permissions: ECRBuildAndPublish action + @@ -128,0 +131,74 @@ The name of the Amazon ECR repository where the image was pushed. +## Service role permissions: `ECRBuildAndPublish` action + +For the `ECRBuildAndPublish` action support, add the following to your policy statement: + + + { + "Statement": [ + { + "Sid": "ECRRepositoryAllResourcePolicy", + "Effect": "Allow", + "Action": [ + "ecr:DescribeRepositories", + "ecr:GetAuthorizationToken", + "ecr-public:DescribeRepositories", + "ecr-public:GetAuthorizationToken" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "ecr:GetAuthorizationToken", + "ecr:InitiateLayerUpload", + "ecr:UploadLayerPart", + "ecr:CompleteLayerUpload", + "ecr:PutImage", + "ecr:GetDownloadUrlForLayer", + "ecr:BatchCheckLayerAvailability" + ], + "Resource": "PrivateECR_Resource_ARN" + }, + { + "Effect": "Allow", + "Action": [ + "ecr-public:GetAuthorizationToken", + "ecr-public:DescribeRepositories", + "ecr-public:InitiateLayerUpload", + "ecr-public:UploadLayerPart", + "ecr-public:CompleteLayerUpload", + "ecr-public:PutImage", + "ecr-public:BatchCheckLayerAvailability", + "sts:GetServiceBearerToken" + ], + "Resource": "PublicECR_Resource_ARN" + }, + { + "Effect": "Allow", + "Action": [ + "sts:GetServiceBearerToken" + ], + "Resource": "*" + } + ] + } + +In addition, if not already added for the `Commands` action, add the following permissions to your service role in order to view CloudWatch logs. + + + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Resource": "resource_ARN" + }, + +###### Note + +Scope down the permissions to the pipeline resource level by using resource-based permissions in the service role policy statement. + +For more information about this action, see [ECRBuildAndPublish build action reference](./action-reference-ECRBuildAndPublish.html). +