Update AWS union admin role for BYOC Image Builder

unionai · Nov 19, 2024 · 12d3967 · 12d3967
1 parent 9ebd247
commit 12d3967
Showing 1 changed file with 24 additions and 0 deletions.
diff --git a/union-ai-admin/aws/union-ai-admin-role.template.yaml b/union-ai-admin/aws/union-ai-admin-role.template.yaml
@@ -374,6 +374,30 @@ Resources:
               - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/containerinsights/opta-*/host:log-stream:*'
               - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/containerinsights/opta-*/application:log-stream:fluentbit-kube.var.log.containers.union-operator-*'
               - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/containerinsights/opta-*/application:log-stream:fluentbit-kube.var.log.containers.flytepropeller-*'
+          - Sid: 'UnionImageBuilderRepoAdmin'
+            Effect: Allow
+            Action:
+              - ecr:CreateRepository
+              - ecr:DeleteRepository
+              - ecr:TagResource
+              - ecr:UntagResource
+              - ecr:PutLifecyclePolicy
+              - ecr:DeleteLifecyclePolicy
+              - ecr:PutImageTagMutability
+              - ecr:PutImageScanningConfiguration
+              - ecr:BatchDeleteImage
+              - ecr:DeleteRepositoryPolicy
+              - ecr:SetRepositoryPolicy
+              - ecr:GetRepositoryPolicy
+              - ecr:PutReplicationConfiguration
+              - ecr:DescribeRepositories
+              - ecr:ListTagsForResource
+              - ecr:GetLifecyclePolicy
+              - ecr:GetRepositoryPolicy
+              - ecr:DescribeImages
+            Resource:
+              - !Sub 'arn:aws:ecr:*:${AWS::AccountId}:repository/union/*'
+              - !Sub 'arn:aws:ecr:*:${AWS::AccountId}:repository/cloud/*' # TODO(Mike): Move cloud-task in union namespace
 Metadata:
   'AWS::CloudFormation::Designer': {}
 Outputs: