vivainio/ecr_cross_account_codebuild.yml

## ecr_cross_account_codebuild.yml

# in case of error: pull access denied for xxxx.dkr.ecr.eu-west-1.amazonaws.com/my-app, repository does not exist or may require 'docker login': denied: User: arn:aws:sts::xxxxxxxxx:xassumed-role/my-ci-cd-pipeline-codebuild-builder-role/AWSCodeBuild-xxxxxxx is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr:eu-west-1:xxxxxxxxxxxxx:repository/my-app
# see also https://docs.aws.amazon.com/codebuild/latest/userguide/sample-ecr.html
AWSTemplateFormatVersion: 2010-09-09
Resources:
  EcrRepo:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: my-application-repo
      # this policy is needed to allow pushing & pulling of this image from codebuild
      RepositoryPolicyText:
         Version: "2012-10-17"
         Statement:
           -
             Sid: CodeBuildPull
             Effect: Allow
             Principal:
               Service: "codebuild.amazonaws.com"
             Action:
               - "ecr:GetDownloadUrlForLayer"
               - "ecr:BatchGetImage"
               - "ecr:BatchCheckLayerAvailability"
               - "ecr:PutImage"
               - "ecr:InitiateLayerUpload"
               - "ecr:UploadLayerPart"
               - "ecr:CompleteLayerUpload"

           -
             Sid: AllowPullFromOtherAccounts
             Effect: Allow
             Principal:
               AWS:
                 # qa
                 - "arn:aws:iam::xxxxxxxxxx:root"
                 # prod
                 - "arn:aws:iam::xxxxxxxxxxxxxx:root"
                 # codebuild
                 - "arn:aws:iam::xxxxxxxxxxxx:root"
             Action:
               - "ecr:GetDownloadUrlForLayer"
               - "ecr:BatchGetImage"
               - "ecr:BatchCheckLayerAvailability"
               - "ecr:PutImage"
               - "ecr:InitiateLayerUpload"
               - "ecr:UploadLayerPart"
               - "ecr:CompleteLayerUpload"

	# in case of error: pull access denied for xxxx.dkr.ecr.eu-west-1.amazonaws.com/my-app, repository does not exist or may require 'docker login': denied: User: arn:aws:sts::xxxxxxxxx:xassumed-role/my-ci-cd-pipeline-codebuild-builder-role/AWSCodeBuild-xxxxxxx is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr:eu-west-1:xxxxxxxxxxxxx:repository/my-app
	# see also https://docs.aws.amazon.com/codebuild/latest/userguide/sample-ecr.html
	AWSTemplateFormatVersion: 2010-09-09
	Resources:
	EcrRepo:
	Type: AWS::ECR::Repository
	Properties:
	RepositoryName: my-application-repo
	# this policy is needed to allow pushing & pulling of this image from codebuild
	RepositoryPolicyText:
	Version: "2012-10-17"
	Statement:
	-
	Sid: CodeBuildPull
	Effect: Allow
	Principal:
	Service: "codebuild.amazonaws.com"
	Action:
	- "ecr:GetDownloadUrlForLayer"
	- "ecr:BatchGetImage"
	- "ecr:BatchCheckLayerAvailability"
	- "ecr:PutImage"
	- "ecr:InitiateLayerUpload"
	- "ecr:UploadLayerPart"
	- "ecr:CompleteLayerUpload"

	-
	Sid: AllowPullFromOtherAccounts
	Effect: Allow
	Principal:
	AWS:
	# qa
	- "arn:aws:iam::xxxxxxxxxx:root"
	# prod
	- "arn:aws:iam::xxxxxxxxxxxxxx:root"
	# codebuild
	- "arn:aws:iam::xxxxxxxxxxxx:root"
	Action:
	- "ecr:GetDownloadUrlForLayer"
	- "ecr:BatchGetImage"
	- "ecr:BatchCheckLayerAvailability"
	- "ecr:PutImage"
	- "ecr:InitiateLayerUpload"
	- "ecr:UploadLayerPart"
	- "ecr:CompleteLayerUpload"