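#!/usr/bin/env bash
#
# Walkthrough: attach a repository policy to an ECR repository that denies
# image and repository deletion for one IAM user, then confirm that the
# deny is enforced by pushing an image and attempting to delete it.
#
# Required environment variables:
#   ACCOUNT_ID - AWS account ID that owns the repository
#   REGION     - AWS region of the repository
#   REPO       - ECR repository name
#   IAM_USER   - IAM user name the Deny statement applies to (the {USER}
#                placeholder of the policy; deliberately not $USER, which
#                normally holds the local login name)
set -euo pipefail

: "${ACCOUNT_ID:?must be set}"
: "${REGION:?must be set}"
: "${REPO:?must be set}"
: "${IAM_USER:?must be set}"

readonly registry="${ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com"

mkdir -p policy-test
cd policy-test || exit 1

aws ecr create-repository --region "$REGION" --repository-name "$REPO"

# Shows which identity the CLI is running as. The Deny statement below only
# names one IAM user, so the delete attempt at the end is a meaningful test
# only if this identity is that user.
aws sts get-caller-identity

# Write the policy with '>' (not '>>') so a re-run cannot append a second
# JSON document to the file. The original 'cat <<EOF | >> file' form piped
# the text into an empty command and left the file empty.
cat <<EOF > my-policy.json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "DenyDelete",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::${ACCOUNT_ID}:user/${IAM_USER}"
      },
      "Action": [
        "ecr:BatchDeleteImage",
        "ecr:DeleteRepository"
      ]
    }
  ]
}
EOF

# NOTE(review): this policy restricts only the single principal above; other
# identities in the account are not covered by it, and it does not list the
# actions that change or remove the repository policy itself.
aws ecr set-repository-policy --region "$REGION" --repository-name "$REPO" \
  --policy-text file://my-policy.json

cat <<'EOF' > Dockerfile
FROM busybox:latest
MAINTAINER Mitch Beaumont (mitch@example.com)
EOF

# Log Docker in to the registry. The token is passed on stdin so it does not
# appear in the process list or shell history. (The original 'get-login'
# call only printed a login command and never ran it.)
aws ecr get-login-password --region "$REGION" \
  | docker login --username AWS --password-stdin "$registry"

docker build . -t policy-test
docker tag policy-test:latest "${registry}/${REPO}:latest"
docker push "${registry}/${REPO}:latest"

# Verification step: with the Deny statement in place this call is expected
# to be rejected with an access-denied error.
if aws ecr batch-delete-image --region "$REGION" --repository-name "$REPO" \
  --image-ids imageTag=latest; then
  printf '%s\n' \
    'batch-delete-image returned success; check its output - the Deny policy may not be in effect for this identity' >&2
  exit 1
fi
printf '%s\n' \
  'batch-delete-image failed; confirm the error above is an access-denied error and not an unrelated failure' >&2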