AWS Marketplace managed Amazon Elastic Container Registry (Amazon ECR): Controlling access and permissions
AWS Partners who sell container-based products through AWS Marketplace often ask us for best practices on publishing container images and managing access to their repositories. This post explains the access controls available to sellers and shows how to use them to decide precisely who may push container images to an AWS Marketplace managed ECR repository.
AWS Marketplace allows sellers to publish container images preloaded with software that buyers can deploy into their Amazon Web Services (AWS) accounts. Sellers can configure container applications to deploy onto various container orchestration services, including Amazon Elastic Container Service (Amazon ECS), Amazon Elastic Kubernetes Service (Amazon EKS), AWS Fargate, and on premises using Containers Anywhere.
In this blog post, we describe an approach for controlling access to AWS Marketplace repositories using IAM policies with least privilege permissions assigned to IAM user accounts or roles. We demonstrate this capability through the experiences of three personas, defined as follows:
· AWS Marketplace Administrator – This user has full admin access in AWS Marketplace.
· Developer – This user has limited access to push images to defined repositories.
· Read-only user – This user has access to describe and list images only, with pushing actions being blocked.
Overview
Sellers in AWS Marketplace can create a private Amazon ECR repository to hold the images for their container products. The repository is owned and managed by AWS Marketplace; sellers create and manage it from the AWS Marketplace Management Portal (under the server products tab) rather than from the Amazon ECR console. Every container image or Helm chart for the product must be pushed to this repository.
Figure 1: Container-based product’s workflow
Sellers in AWS Marketplace do not have full access to manage the private Amazon ECR repository used for their images. This is because the repository is owned and managed by AWS Marketplace, not the seller. The seller’s account is automatically granted limited permissions by AWS to push and pull images. For example, deleting images or changing access settings for the repository are not permitted. Additionally, this AWS-managed repository does not appear in the list of repositories on the Amazon ECR service page. The following IAM policy shows the actions AWS automatically grants the seller for the repositories they create:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:GetAuthorizationToken",
        "ecr:UploadLayerPart",
        "ecr:ListImages",
        "ecr:InitiateLayerUpload",
        "ecr:BatchCheckLayerAvailability",
        "ecr:PutImage"
      ],
      "Resource": "*"
    }
  ]
}
Nonetheless, sellers can still write explicit identity-based policies and attach them to users, groups, and roles in AWS Identity and Access Management (IAM). Administrators use these IAM controls to restrict repository access within the seller account, for example to limit which identities can push images.
How it works
AWS grants roles and users in the seller account only the default set of actions shown above on the managed repositories. The environment used for this demo was set up in advance, and all commands and output shown in this post come from an existing AWS Marketplace container product. If you do not have an existing container product, start by creating an AWS Marketplace profile and a container listing.
Once you have an AWS Marketplace profile and want to upload a new container image to a listing, the AWS Marketplace console provides the following steps and commands for pushing the source image to Amazon ECR:
1. Retrieve an authentication token and authenticate your Docker client to the registry with the AWS CLI:
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 111111111111.dkr.ecr.us-east-1.amazonaws.com
2. Build your Docker image. For more information, see Getting Started with Amazon ECR.
3. After the build, tag your image to push it to this repository:
docker tag <<local-repo>>:<<local-image-tag>> 111111111111.dkr.ecr.us-east-1.amazonaws.com/len-s-mp/sample-repository:<<image-tag>>
Note: Tags in AWS Marketplace ECR repositories are immutable, so a tag cannot be overwritten once it has been pushed. Don't use the "latest" tag or leave the tag empty; give each image a unique version tag.
4. Run the following command to push this image to your newly created AWS repository:
docker push 111111111111.dkr.ecr.us-east-1.amazonaws.com/len-s-mp/sample-repository:<<image-tag>>
5. Verify that the push succeeded:
aws ecr describe-images --registry-id 111111111111 --repository-name len-s-mp/sample-repository --region us-east-1
Using the solution
In this section, let’s go through the expected behaviors and permissions for all personas mentioned:
Administrator user
As an administrator, the seller creates the following IAM policy, which allows exactly the actions needed to push, describe and list images in sample-repository. Any action not explicitly allowed by these statements is implicitly denied. The administrator attaches this policy to the developer IAM user, which limits what that user can do. Two details are worth noting: the Resource ARN ends in a wildcard, so it also matches any repository whose name begins with len-s-mp/sample-repository (drop the trailing * to scope the statement to that single repository), and ecr:GetAuthorizationToken does not support resource-level permissions, so its statement must use "Resource": "*".
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:ListImages",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ],
      "Resource": "arn:aws:ecr:us-east-1:111111111111:repository/len-s-mp/sample-repository*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken"
      ],
      "Resource": "*"
    }
  ]
}
Developer user
The developer must be able only to push and describe images in the sample-repository.
GetAuthorizationToken is the API call Docker uses to log in to the ECR registry. It returns a temporary token, valid for 12 hours, that authenticates the client to the registry; each subsequent ECR action is still authorized separately against the IAM policy of the identity that requested the token.
[cloudshell-developer] aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 111111111111.dkr.ecr.us-east-1.amazonaws.com
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
PutImage is the ECR API call behind the final step of docker push: it creates or updates the image manifest in the repository. Before it, Docker checks which layers the registry already has (BatchCheckLayerAvailability) and uploads the missing ones through InitiateLayerUpload, UploadLayerPart and CompleteLayerUpload, which is why all of those actions appear in the developer policy.
[cloudshell-developer] docker push 111111111111.dkr.ecr.us-east-1.amazonaws.com/len-s-mp/sample-repository:v1.1
The push refers to repository [111111111111.dkr.ecr.us-east-1.amazonaws.com/len-s-mp/sample-repository]
d4fc045c9e3a: Pushed
v1.1: digest: sha256:226ca8f2a281fcd9f7cfeaf58c6a9453f6260eefa052cd300b3b71ff9010cc82 size: 527
Using the DescribeImages call, the developer can retrieve metadata for the images currently stored in the repository and confirm that the image was pushed:
[cloudshell-developer] aws ecr describe-images --registry-id 111111111111 --repository-name len-s-mp/sample-repository --region us-east-1
{
    "imageDetails": [
        {
            "registryId": "111111111111",
            "repositoryName": "len-s-mp/sample-repository",
            "imageDigest": "sha256:226ca8f2a281fcd9f7cfeaf58c6a9453f6260eefa052cd300b3b71ff9010cc82",
            "imageTags": [
                "v1.1"
            ],
            "imageSizeInBytes": 3409578,
            "imagePushedAt": "2024-05-10T13:23:30+00:00",
            "imageManifestMediaType": "application/vnd.docker.distribution.manifest.v2+json",
            "artifactMediaType": "application/vnd.docker.container.image.v1+json"
        }
    ]
}
These tests show that the developer IAM user can push and describe container images in the managed repository named in the policy. Pushing to a different AWS Marketplace ECR repository, such as prod-repository, is denied: no statement's Resource ARN matches that repository, so the request falls through to the implicit deny. The first write call Docker makes, InitiateLayerUpload, is the one that fails:
[cloudshell-developer] docker push 111111111111.dkr.ecr.us-east-1.amazonaws.com/len-s-mp/prod-repository:v1
The push refers to repository [111111111111.dkr.ecr.us-east-1.amazonaws.com/len-s-mp/prod-repository]
94e5f06ff8e3: Preparing
denied: User: arn:aws:iam::111111111111:user/developer is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:us-east-1:111111111111:repository/len-s-mp/prod-repository because no resource-based policy allows the ecr:InitiateLayerUpload action
Read-only user
The read-only user must only be able to describe images. The administrator creates an IAM policy that allows the DescribeImages action on all repositories in the account and explicitly denies the PutImage action on all of them. The explicit Deny is what makes this policy robust: an explicit Deny overrides an Allow from any other policy or group membership the user may hold, whereas simply omitting PutImage would only deny it implicitly until some other attached policy allows it. If you want every write call blocked explicitly rather than implicitly, extend the Deny list to the layer-upload actions (InitiateLayerUpload, UploadLayerPart, CompleteLayerUpload) as well. Sample policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1714557467123",
      "Action": [
        "ecr:DescribeImages"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:ecr:us-east-1:111111111111:repository/*"
    },
    {
      "Sid": "Stmt1714557594987",
      "Action": [
        "ecr:PutImage"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:ecr:us-east-1:111111111111:repository/*"
    }
  ]
}
With this policy attached, the read-only user can list the images in the AWS Marketplace ECR repository:
[cloudshell-read-only] aws ecr describe-images --registry-id 111111111111 --repository-name len-s-mp/sample-repository --region us-east-1
{
    "imageDetails": [
        {
            "artifactMediaType": "application/vnd.docker.container.image.v1+json",
            "imageSizeInBytes": 3624637,
            "imageDigest": "sha256:89ede73d8aa968bdb607a18990d078317da59fff8958ab2ab804f2e90c1d1228",
            "imageManifestMediaType": "application/vnd.docker.distribution.manifest.v2+json",
            "imageTags": [
                "v2",
                "v3"
            ],
            "registryId": "111111111111",
            "repositoryName": "len-s-mp/sample-repository",
            "imagePushedAt": 1720085807.0
        }
    ]
}
An attempt to push, however, is denied. Compare the error message with the developer's: here ECR reports an explicit deny from the identity-based policy rather than the absence of an allow, and because the layer already existed in the registry the first call to fail is PutImage itself:
[cloudshell-read-only] docker push 111111111111.dkr.ecr.us-east-1.amazonaws.com/len-s-mp/sample-repository:v1.2
The push refers to repository [111111111111.dkr.ecr.us-east-1.amazonaws.com/len-s-mp/sample-repository]
d4fc045c9e3a: Layer already exists
denied: User: arn:aws:iam::111111111111:user/read-only is not authorized to perform: ecr:PutImage on resource: arn:aws:ecr:us-east-1:111111111111:repository/len-s-mp/sample-repository with an explicit deny in an identity-based policy
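To make the evaluation order behind these outputs concrete, the following Python script encodes the developer and read-only policies shown above and replays the four outcomes from this post: the allowed push, the implicit deny on prod-repository, the allowed DescribeImages and the explicit deny on PutImage. It is an added example, not code from the original post or from AWS. It models only Effect, Action and Resource matching with * wildcards and assumes the placeholder account ID and region used throughout; conditions, NotAction, resource-based policies, permissions boundaries and session policies are not modelled. It also shows two things the command output alone does not: a Deny in one attached policy wins even when another attached policy allows the same action, and the trailing wildcard in the developer policy's Resource ARN also matches repositories such as len-s-mp/sample-repository-old.

```python
"""Simulate IAM decisions for the two identity-based policies on this page.

Added example, not the post's or AWS's code. Models only Effect/Action/Resource
with '*' wildcards: explicit Deny > explicit Allow > implicit deny.
"""
import fnmatch
import json

ACCOUNT = "111111111111"   # placeholder account ID used throughout the post
REGION = "us-east-1"


def arn(repo):
    """Repository ARN in the form the post's policies use."""
    return f"arn:aws:ecr:{REGION}:{ACCOUNT}:repository/{repo}"


# Policy the administrator attaches to the developer user (as in the post).
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability",
                "ecr:CompleteLayerUpload", "ecr:DescribeImages",
                "ecr:DescribeRepositories", "ecr:GetDownloadUrlForLayer",
                "ecr:InitiateLayerUpload", "ecr:ListImages",
                "ecr:PutImage", "ecr:UploadLayerPart",
            ],
            # Trailing '*' also matches len-s-mp/sample-repository-old, -2, ...
            "Resource": arn("len-s-mp/sample-repository") + "*",
        },
        # GetAuthorizationToken has no resource-level permissions: Resource "*".
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
    ],
}

# Policy the administrator attaches to the read-only user (as in the post).
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1714557467123", "Effect": "Allow",
         "Action": ["ecr:DescribeImages"], "Resource": arn("*")},
        {"Sid": "Stmt1714557594987", "Effect": "Deny",
         "Action": ["ecr:PutImage"], "Resource": arn("*")},
    ],
}

# ECR write calls docker push makes for a layer it has to upload, then the
# manifest write. The post's output shows the first denial at InitiateLayerUpload
# when a layer must be uploaded and at PutImage when "Layer already exists".
PUSH_LAYER_CALLS = ("ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                    "ecr:CompleteLayerUpload")
PUSH_MANIFEST_CALL = "ecr:PutImage"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    # Action names match case-insensitively; ARNs are compared as written.
    action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                     for a in _as_list(stmt["Action"]))
    resource_hit = any(fnmatch.fnmatchcase(resource, r)
                       for r in _as_list(stmt["Resource"]))
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Decision for one request across every identity-based policy attached to
    the principal: 'ExplicitDeny', 'Allow' or 'ImplicitDeny'."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"   # one matching Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def docker_push_outcome(policies, repo, layers_present=False):
    """(action, decision) of the first ECR call in a docker push that is not
    allowed, or ('ecr:PutImage', 'Allow') when the whole push would succeed."""
    calls = (PUSH_MANIFEST_CALL,) if layers_present else PUSH_LAYER_CALLS + (PUSH_MANIFEST_CALL,)
    for action in calls:
        decision = evaluate(policies, action, arn(repo))
        if decision != "Allow":
            return action, decision
    return PUSH_MANIFEST_CALL, "Allow"


def with_exact_resource(policy, repo):
    """Copy of a policy whose repository-scoped Allow statements name exactly one
    repository ARN, i.e. the developer policy without the trailing '*'."""
    copy = json.loads(json.dumps(policy))
    for stmt in copy["Statement"]:
        if stmt["Effect"] == "Allow" and any(
                r.startswith("arn:aws:ecr:") for r in _as_list(stmt["Resource"])):
            stmt["Resource"] = arn(repo)
    return copy


if __name__ == "__main__":
    sample, prod = "len-s-mp/sample-repository", "len-s-mp/prod-repository"
    print("developer push sample    :", docker_push_outcome([DEVELOPER_POLICY], sample))
    print("developer push prod      :", docker_push_outcome([DEVELOPER_POLICY], prod))
    print("read-only push sample    :", docker_push_outcome([READ_ONLY_POLICY], sample, True))
    print("read-only describe sample:", evaluate([READ_ONLY_POLICY], "ecr:DescribeImages", arn(sample)))
    print("both policies, PutImage  :", evaluate([DEVELOPER_POLICY, READ_ONLY_POLICY], "ecr:PutImage", arn(sample)))
    print("wildcard also allows     :", evaluate([DEVELOPER_POLICY], "ecr:PutImage", arn(sample + "-old")))
```

Run it as a script to print the decision table, or import it and call evaluate with your own policy documents (loaded with json.load from the files you attach in IAM) to check a proposed policy before attaching it. The IAM Policy Simulator in the console gives the authoritative answer, including conditions and resource-based policies this script ignores; the script is useful for reasoning about the ordering rules offline.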
Clean up
To clean up the changes made for the developer and read-only personas, detach and delete the IAM policies the administrator assigned to them. Once those policies are gone, both personas revert to the default AWS Marketplace managed ECR permissions they had before.
Conclusion
In this blog post, we explored an approach for controlling access to AWS Marketplace repositories using IAM policies with least-privilege permissions assigned to IAM users or roles. With this approach, AWS Partners who sell container-based products through AWS Marketplace can decide precisely which identities may push container images to their AWS Marketplace managed ECR repositories.
The approach follows the principle of least privilege: each identity gets only the ECR actions it needs, scoped to the repositories it needs, with explicit denies where a push must never succeed. Sellers who apply it keep their container image pipeline controlled and auditable while still giving buyers a seamless experience deploying container applications on AWS.
For more information on the API reference for Amazon ECR, see the Amazon ECR Actions page. And, for information about creating IAM policies, see the User Guide for IAM and the policy generator tool along with AWS managed policies for sellers.
To get started, see Working with container-based products.