Hi I am working on AWS CDK. I am trying to create resource based policy. Below is my cloud formation template.
JavaScript
x
21
21
1
MWSECRRepository:2
Type: AWS::ECR::Repository3
Properties:4
RepositoryName: "location/location-service"5
RepositoryPolicyText:6
Version: "2012-10-17"7
Statement:8
- Sid: CurrentAccountPush9
Effect: Allow10
Principal:11
AWS:12
- 'arn:aws:iam::1234:root' # dev13
- 'arn:aws:iam::1234:root' # nonprod14
- 'arn:aws:iam::1234:root' # prod15
Action:16
- 'ecr:GetDownloadUrlForLayer'17
- 'ecr:PutImage'18
- 'ecr:InitiateLayerUpload'19
- 'ecr:UploadLayerPart'20
- 'ecr:CompleteLayerUpload'21
Below I am trying to create same using CDK.
JavaScript
1
16
16
1
ECRRepository = ecr.Repository(self, id = "ECR", repository_name = "location/location-service");2
ECRRepository.add_to_resource_policy(iam.PolicyStatement(3
effect=iam.Effect.ALLOW,4
actions=["ecr:GetDownloadUrlForLayer","ecr:PutImage","ecr:InitiateLayerUpload","ecr:UploadLayerPart","ecr:CompleteLayerUpload"],5
principals=["arn:aws:iam::123:root","arn:aws:iam::123:root","arn:aws:iam::123:root"]6
));7
8
9
ECRRepository.add_to_resource_policy(iam.PolicyStatement(10
effect=iam.Effect.ALLOW,11
#principals=["arn:aws:iam::123:root","arn:aws:iam::123:root","arn:aws:iam::123:root"]12
actions=["ecr:GetDownloadUrlForLayer","ecr:BatchGetImage","ecr:BatchCheckLayerAvailability"]13
));14
15
ECRRepository.add_lifecycle_rule(description="Image retention", max_image_count=100, rule_priority=1);16
This results in below error
Error: Expected object reference, got “arn:aws:iam::123:root”
Can someone help me to write correct syntax using python? Any help would be appreciated. Thanks
Advertisement
Answer
principals needs to be a list of IPrincipal instead of strings
JavaScript
1
6
1
ECRRepository.add_to_resource_policy(iam.PolicyStatement(2
effect=iam.Effect.ALLOW,3
actions=["ecr:GetDownloadUrlForLayer","ecr:PutImage","ecr:InitiateLayerUpload","ecr:UploadLayerPart","ecr:CompleteLayerUpload"],4
principals=[iam.ArnPrincipal("aws:iam::1234:root")]5
));6