fix: allow OIDC ECR role to pull images (#1446)

Update the OIDC ECR role's permission policy to allow it to pull images as well. This is needed for the Docker SBOM workflow step.
cds-snc · Sep 26, 2023 · 3a6ac24 · 3a6ac24
1 parent 2a03e10
commit 3a6ac24
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/infrastructure/terragrunt/aws/ecr/oidc.tf b/infrastructure/terragrunt/aws/ecr/oidc.tf
@@ -32,11 +32,17 @@ data "aws_iam_policy_document" "ecr_push" {
   statement {
     effect = "Allow"
     actions = [
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:BatchGetImage",
       "ecr:CompleteLayerUpload",
-      "ecr:UploadLayerPart",
+      "ecr:DescribeImages",
+      "ecr:DescribeRepositories",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:GetRepositoryPolicy",
       "ecr:InitiateLayerUpload",
-      "ecr:BatchCheckLayerAvailability",
-      "ecr:PutImage"
+      "ecr:ListImages",
+      "ecr:PutImage",
+      "ecr:UploadLayerPart"
     ]
     resources = [
       aws_ecr_repository.wordpress.arn