Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[develop] Restrict extra permissions for ECR private repo as Lambda team has confirmed they are unnecessary #380

Merged
merged 1 commit into from
Jan 8, 2025
Merged

[develop] Restrict extra permissions for ECR private repo as Lambda team has confirmed they are unnecessary #380

merged 1 commit into from
Jan 8, 2025

Conversation

hehe7318
Copy link
Contributor

@hehe7318 hehe7318 commented Jan 8, 2025
edited
Loading

Description

  • This PR removes the extra ECR policy actions ecr:DeleteRepositoryPolicy, ecr:GetRepositoryPolicy, and ecr:SetRepositoryPolicy from our CloudFormation template.
  • As confirmed by the Lambda team, Lambda only needs ecr:BatchGetImage and ecr:GetDownloadUrlForLayer to pull images from ECR. The additional three permissions are used only when Lambda has to manage a repository policy that doesn’t already exist.
  • By explicitly defining the minimal set of permissions in our template, we prevent CloudFormation from overwriting or deleting them during future updates.

How Has This Been Tested?

  • Deployed to a personal AWS account with only BatchGetImage and GetDownloadUrlForLayer.
  • Verified that Lambda can still successfully fetch images from ECR.
  • Repeated stack updates (e.g., adding tags) to confirm the policy is retained.

References

PR Quality Checklist

  • I added tests to new or existing code
  • I removed hardcoded strings and used react-i18next library (useTranslation hook and/or Trans component), see an example here
  • I made sure no sensitive info gets logged at any time in the codebase (see here) (e.g. no user info or details, no stacktraces, etc.)
  • I made sure that any GitHub issue solved by this PR is correctly linked
  • I checked that infrastructure/update_infrastructure.sh runs without any error
  • I checked that npm run build builds without any error
  • I checked that clusters are listed correctly
  • I checked that a new cluster can be created (config is produced and dry run passes)
  • I checked that login and logout work as expected

In order to increase the likelihood of your contribution being accepted, please make sure you have read both the Contributing Guidelines and the Project Guidelines

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@hehe7318 hehe7318 changed the title [develop] Restrict extra permissions for ECR private repo as Lambda team has confirmed they are uncessary [develop] Restrict extra permissions for ECR private repo as Lambda team has confirmed they are unnecessary Jan 8, 2025
@hehe7318 hehe7318 merged commit 1fc1a99 into aws:main Jan 8, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hanwen-cluster hanwen-cluster hanwen-cluster approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@hehe7318 @hanwen-cluster