
AWS permissions needed for ECR image pushing #2

Open
arokem opened this issue Jan 22, 2020 · 1 comment

Comments


arokem commented Jan 22, 2020

At a minimum, you need the following enabled on the user profile that pushes into the container registry:

```json
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:DescribeImages",
"ecr:UploadLayerPart",
"ecr:InitiateLayerUpload",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage"
```
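The list above is the set of actions; what a practitioner usually also needs to decide is the Resource they are granted on. The following Python is an added example (not code from this issue or from the Hubploy project) that emits an identity policy granting those actions only on named repository ARNs, adds `ecr:GetAuthorizationToken` (which `aws ecr get-login-password` / `docker login` needs and which AWS only accepts on `Resource: "*"`), and lints a policy for the two common mistakes: a missing login action and push actions granted on `*`. The account id, region and repository name are placeholders.

```python
"""Least-privilege IAM identity policy for pushing images to specific ECR repositories.

Added example, not code from the issue or the Hubploy project. Assumptions: the
account id, region and repository names are placeholders the caller substitutes.
"""
import fnmatch
import json
from typing import Dict, List, Set

# Actions needed to push an image (layer upload + manifest put), as listed above.
PUSH_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:PutImage",
]
# Read actions the comment also lists; scoped to the same repository ARNs.
READ_ACTIONS = ["ecr:BatchGetImage", "ecr:DescribeImages"]
# Registry-level action: docker login needs it and it cannot be scoped to one repository.
AUTH_ACTION = "ecr:GetAuthorizationToken"


def repository_arn(account_id: str, region: str, repo: str) -> str:
    """ARN of one ECR repository (placeholder account/region/name expected)."""
    return f"arn:aws:ecr:{region}:{account_id}:repository/{repo}"


def push_policy(account_id: str, region: str, repos: List[str]) -> dict:
    """Identity policy that allows push only to the named repositories."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "RegistryLogin", "Effect": "Allow",
             "Action": AUTH_ACTION, "Resource": "*"},
            {"Sid": "PushToNamedRepos", "Effect": "Allow",
             "Action": PUSH_ACTIONS + READ_ACTIONS,
             "Resource": [repository_arn(account_id, region, r) for r in repos]},
        ],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def lint_push_policy(policy: dict) -> List[str]:
    """Return findings: missing login action, missing push actions, or push
    actions granted on Resource "*" (push to every repository in the account).
    Wildcard Action patterns such as "ecr:*" are expanded with fnmatch."""
    granted: Dict[str, Set[str]] = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = set(_as_list(stmt.get("Resource", "*")))
        for pattern in _as_list(stmt.get("Action", [])):
            for action in PUSH_ACTIONS + READ_ACTIONS + [AUTH_ACTION]:
                if fnmatch.fnmatchcase(action, pattern):
                    granted.setdefault(action, set()).update(resources)

    findings: List[str] = []
    if AUTH_ACTION not in granted:
        findings.append(f"missing {AUTH_ACTION}: docker login to the registry will fail")
    for action in PUSH_ACTIONS:
        if action not in granted:
            findings.append(f"missing {action}: image push will fail")
        elif "*" in granted[action]:
            findings.append(f"{action} allowed on Resource '*': push is not limited to named repositories")
    return findings


if __name__ == "__main__":
    # Constructed placeholder values.
    policy = push_policy("123456789012", "us-west-2", ["hubploy-demo"])
    print(json.dumps(policy, indent=2))
    print("findings:", lint_push_policy(policy))
```

Running the linter over a policy that grants the seven actions above on `Resource: "*"` reports both that `ecr:GetAuthorizationToken` is absent and that every push action is unscoped, which is the usual reason a "minimum" list still ends up far broader than one repository.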

consideRatio commented Nov 15, 2020

I worked through a lot of the permission details recently and came up with the following to work with Hubploy. I had configured almost the same set of permissions, but I didn't have ecr:DescribeImages but had ecr:GetDownloadUrlForLayer. I have not properly tried this out yet though.

CloudFormation created resources

In this CloudFormation file I define a set of AWS resources that will enable work with hubploy on AWS and probably will function to run from a GitHub Workflow.

  • An IAM User
    • Credentials to use KMS
    • Credentials to assume an ECR role and an EKS role
  • An AccessKey for the user
  • Two IAM Roles - one for ECR and one for EKS
  • An ECR registry with read rights for all in the account but push rights only to the ECR role
  • A KMS resource

eksctl created resources (also cloudformation really)

  • An EKS cluster

Documentation?

I figure it could be in scope for this project to document some details about required permissions.
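The resource split described in the comment above (read for the whole account, push only through a dedicated ECR role that a deployment user assumes) is enforced by a repository policy on the ECR side and a trust policy on the role. The Python below is an added example that emits those two JSON documents and checks a repository policy for the ways this split is commonly broken; it is not the CloudFormation template the comment describes and not Hubploy code. The account id, role name and user name are placeholders.

```python
"""ECR repository policy (account-wide pull, push only for one role) and the
trust policy that lets a deployment user assume that role.

Added example, not the CloudFormation template described above and not Hubploy
code. Assumptions: account id, role ARN and user ARN are placeholders.
"""
import json
from typing import List, Set

PULL_ACTIONS = ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability", "ecr:DescribeImages"]
PUSH_ACTIONS = ["ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload", "ecr:PutImage"]


def repository_policy(account_id: str, push_role_arn: str) -> dict:
    """Resource-based policy attached to the repository. ECR repository policies
    carry no Resource element; the repository itself is implied. The principal
    arn:aws:iam::<account>:root means "any identity in this account", still
    subject to that identity's own IAM policy."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AccountPull", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
         "Action": PULL_ACTIONS},
        {"Sid": "RolePush", "Effect": "Allow",
         "Principal": {"AWS": push_role_arn},
         "Action": PUSH_ACTIONS},
    ]}


def assume_role_trust_policy(user_arn: str) -> dict:
    """Trust policy on the push role: only the named deployment user may assume it."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": user_arn}, "Action": "sts:AssumeRole"}]}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _principals(stmt: dict) -> Set[str]:
    """Principals named by one statement; "*" is anonymous / any account."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return {"*"}
    out: Set[str] = set()
    for value in principal.values():  # keys such as "AWS" or "Service"
        out.update(_as_list(value))
    return out


def push_principals(policy: dict) -> Set[str]:
    """Every principal that an Allow statement grants any push action to."""
    out: Set[str] = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        if actions & set(PUSH_ACTIONS) or actions & {"*", "ecr:*"}:
            out |= _principals(stmt)
    return out


def check_repository_policy(policy: dict, account_id: str, push_role_arn: str) -> List[str]:
    """Findings when push is broader than the single role the design calls for."""
    findings: List[str] = []
    pushers = push_principals(policy)
    root = f"arn:aws:iam::{account_id}:root"
    if "*" in pushers:
        findings.append("push granted to Principal '*': any account may push")
    if root in pushers:
        findings.append("push granted to the account root principal: any identity in the account may push")
    for extra in sorted(pushers - {"*", root, push_role_arn}):
        findings.append(f"unexpected push principal {extra}")
    if push_role_arn not in pushers:
        findings.append(f"{push_role_arn} cannot push")
    return findings


if __name__ == "__main__":
    # Constructed placeholder values.
    acct = "123456789012"
    role = f"arn:aws:iam::{acct}:role/hubploy-ecr-push"
    policy = repository_policy(acct, role)
    print(json.dumps(policy, indent=2))
    print("findings:", check_repository_policy(policy, acct, role))
    print(json.dumps(assume_role_trust_policy(f"arn:aws:iam::{acct}:user/hubploy-deploy"), indent=2))
```

The check is deliberately narrow: it reports only who can push, because that is the boundary the comment's design draws. Pull for the whole account is intended, so `AccountPull` naming the account root is not a finding, while the same root principal appearing in a push statement is.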
