@udomsak
Created November 30, 2020 15:24
CloudFormation: Amazon ECR repository with a user account attached via an IAM policy and group
# This CloudFormation template creates an IAM user for AWS ECR only, with push/pull permission and no console login.
# The stack outputs the AccessKey and SecretKey together with the username.
# The user is placed in a group named 'GroupAccessECRImages'.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  accessEcrUser:
    Type: AWS::IAM::User
    Properties:
      UserName: ecrimages
  accessEcrGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: GroupAccessECRImages
  addUserToGroup:
    Type: AWS::IAM::UserToGroupAddition
    Properties:
      GroupName: !Ref 'accessEcrGroup'
      Users: [!Ref 'accessEcrUser']
  accessEcrUserPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: accessEcrUserPolicy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Identity policy grants registry login and read/pull actions only;
          # push actions for this user come from the repository policy below.
          - Effect: Allow
            Action:
              - "ecr:GetAuthorizationToken"
              - "ecr:BatchCheckLayerAvailability"
              - "ecr:GetDownloadUrlForLayer"
              - "ecr:GetRepositoryPolicy"
              - "ecr:DescribeRepositories"
              - "ecr:ListImages"
              - "ecr:DescribeImages"
              - "ecr:BatchGetImage"
              - "ecr:GetLifecyclePolicy"
              - "ecr:GetLifecyclePolicyPreview"
              - "ecr:ListTagsForResource"
              - "ecr:DescribeImageScanFindings"
            Resource: '*'
      Groups: [!Ref 'accessEcrGroup']
  awsAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref accessEcrUser
  accessEcrRepo:
    Type: AWS::ECR::Repository
    Properties:
      # ECR repository names must be lowercase; "ProjectPersonalLabs" fails stack creation.
      RepositoryName: "projectpersonallabs"
      RepositoryPolicyText:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowPushPull
            Effect: Allow
            # Principal "*" grants these actions to any AWS principal whose own identity
            # policy also allows them, including principals in other accounts.
            # Scope this to specific account or user ARNs outside of a personal lab.
            Principal: "*"
            Action:
              - "ecr:BatchGetImage"
              - "ecr:BatchCheckLayerAvailability"
              - "ecr:CompleteLayerUpload"
              - "ecr:GetAuthorizationToken"
              - "ecr:GetDownloadUrlForLayer"
              - "ecr:InitiateLayerUpload"
              - "ecr:PutImage"
              - "ecr:UploadLayerPart"
Outputs:
  AccountInfo:
    Description: Account access ECR userId.
    Value: !Ref accessEcrUser
  AccountKeys:
    Description: Account access keys
    Value: !Ref awsAccessKey
  SecretKeyFromAccountKeys:
    # The secret is readable by anyone allowed to describe this stack (cloudformation:DescribeStacks).
    Description: Account secret access keys
    Value: !GetAtt awsAccessKey.SecretAccessKey
  EcrArnUrl:
    Description: ARN of ECR repository (URL)
    Value: !GetAtt accessEcrRepo.Arn
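The two settings in this template worth reviewing before reuse are the repository policy's `Principal: "*"` and the stack output that surfaces the secret access key. The following is an added example, not part of the gist, of a small linter that flags both in a CloudFormation template that has already been parsed into a dict (CloudFormation's JSON form, with intrinsics as `{"Ref": ...}` and `{"Fn::GetAtt": [...]}`); the `GIST_TEMPLATE` dict is a constructed mirror of the relevant parts of the template above.

```python
def _as_list(v):
    return v if isinstance(v, list) else [v]

def _is_wildcard_principal(principal):
    # Principal may be the bare string "*" or {"AWS": "*"} / {"AWS": ["*", ...]}
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def lint_template(template):
    """Return (logical_id, finding) pairs for the two exposures checked."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::ECR::Repository":
            continue
        policy = res.get("Properties", {}).get("RepositoryPolicyText", {})
        for st in _as_list(policy.get("Statement", [])):
            if st.get("Effect") == "Allow" and _is_wildcard_principal(st.get("Principal")):
                actions = ", ".join(_as_list(st.get("Action", [])))
                findings.append((name, "repository policy allows Principal '*' for: " + actions))
    for name, out in template.get("Outputs", {}).items():
        val = out.get("Value")
        if isinstance(val, dict) and "Fn::GetAtt" in val:
            target = val["Fn::GetAtt"]
            # GetAtt appears as ["Resource", "Attr"] or as the short "Resource.Attr" string
            attr = target[1] if isinstance(target, list) else str(target).rsplit(".", 1)[-1]
            if attr == "SecretAccessKey":
                findings.append((name, "stack output exposes an IAM SecretAccessKey"))
    return findings

# Constructed mirror of the gist's template (JSON form), trimmed to the parts the checks read.
GIST_TEMPLATE = {
    "Resources": {
        "accessEcrRepo": {
            "Type": "AWS::ECR::Repository",
            "Properties": {"RepositoryPolicyText": {"Version": "2012-10-17", "Statement": [{
                "Sid": "AllowPushPull", "Effect": "Allow", "Principal": "*",
                "Action": ["ecr:PutImage", "ecr:BatchGetImage"]}]}}},
    },
    "Outputs": {
        "AccountKeys": {"Value": {"Ref": "awsAccessKey"}},
        "SecretKeyFromAccountKeys": {"Value": {"Fn::GetAtt": ["awsAccessKey", "SecretAccessKey"]}},
    },
}

if __name__ == "__main__":
    for logical_id, msg in lint_template(GIST_TEMPLATE):
        print(f"{logical_id}: {msg}")
```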