How to Fix “User Not Authorized to Perform ecr:CreateRepository” AWS IAM Permission Error

When working with Amazon Elastic Container Registry (ECR), you might encounter authorization errors like:

User: arn:aws:iam::123456789:user/admin is not authorized to perform: 
ecr:CreateRepository on resource: *

This typically occurs when your IAM user lacks the necessary permissions even though AmazonEC2ContainerServiceFullAccess is attached. Surprisingly, that managed policy does not include the ecr:CreateRepository permission.

The AmazonEC2ContainerServiceFullAccess policy grants broad ECS permissions but intentionally omits repository creation. AWS does this to separate resource creation from day-to-day management of the resources that already exist.

Here's what's missing in the standard policy:

"ecr:CreateRepository",
"ecr:DescribeRepositories",
"ecr:DeleteRepository"

You'll need to create a custom IAM policy with these minimum required permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:CreateRepository",
                "ecr:DescribeRepositories",
                "ecr:DeleteRepository"
            ],
            "Resource": "*"
        }
    ]
}

For production environments, restrict the policy to repositories whose names match a prefix (replace region, account-id and your-repo-prefix with your own values):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:CreateRepository",
                "ecr:DescribeRepositories"
            ],
            "Resource": "arn:aws:ecr:region:account-id:repository/your-repo-prefix*"
        }
    ]
}

After attaching the policy to your IAM user or group, test the setup with the AWS CLI:

aws ecr create-repository --repository-name test-repo \
--region us-east-1 \
--image-scanning-configuration scanOnPush=true \
--image-tag-mutability MUTABLE

You should now be able to create repositories without authorization errors.

If you would rather not create a custom policy, AWS offers these managed alternatives:

  • AmazonEC2ContainerRegistryPowerUser - Read/write access to repositories
  • AmazonEC2ContainerRegistryFullAccess - Full ECR permissions including repository creation

However, these provide broader permissions than might be necessary for your specific use case.


When working with AWS ECR (Elastic Container Registry), you might encounter the permission error:

User: arn:aws:iam::123456789:user/admin is not authorized to perform: 
ecr:CreateRepository on resource: *

This occurs when your IAM user lacks the necessary permissions to create ECR repositories, even if they have the AmazonEC2ContainerServiceFullAccess policy attached.

The AmazonEC2ContainerServiceFullAccess policy primarily grants permissions for ECS (Elastic Container Service) operations, but doesn't include full ECR permissions. While it provides some ECR read permissions, it doesn't cover repository creation.

To create ECR repositories, your IAM user needs the ecr:CreateRepository permission. Here's a minimal policy that grants this permission:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ecr:CreateRepository",
            "Resource": "*"
        }
    ]
}

For most development scenarios, you'll want broader ECR permissions. Here's a more comprehensive policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:CreateRepository",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:PutImage"
            ],
            "Resource": "*"
        }
    ]
}

You can attach this policy through the AWS Management Console:

  1. Navigate to IAM → Users → Select your user
  2. Click "Add permissions"
  3. Choose "Attach existing policies directly"
  4. Search for or create the policy with the above permissions
  5. Click "Next: Review" and then "Add permissions"

After attaching the policy, you can verify that it works by running:

aws ecr create-repository --repository-name test-repo --region us-east-1

Alternatively, try creating a new repository through the AWS Console.

If the error persists, check the following:

  • Ensure there are no explicit deny policies overriding your permissions
  • Check if your user is part of any groups with conflicting permissions
  • Verify the policy is properly attached to the user (not just the group)
  • Remember that policy changes may take a few seconds to propagate
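The prefix-scoped policy above and the explicit-deny checklist item both come down to how IAM evaluates a request. The following added example (not code from the article or from AWS) is a deliberately simplified evaluator for identity policies; the two policy documents are constructed samples with a made-up account id, and the region, account and repository names are assumptions.

```python
import fnmatch
import json

# Constructed sample policies (not the contents of any real AWS managed policy).
# READ_ONLY stands in for a policy that grants some ECR read access but no
# repository creation, the situation that produces the error quoted above.
READ_ONLY = json.loads("""{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecr:Describe*", "ecr:List*"], "Resource": "*"}]}""")

# PREFIX_SCOPED is the article's repository-scoped policy with sample region
# and account values filled in, plus an explicit Deny for one repository name.
PREFIX_SCOPED = json.loads("""{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecr:CreateRepository", "ecr:DescribeRepositories"],
     "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/team-a-*"},
    {"Effect": "Deny", "Action": "ecr:CreateRepository",
     "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/team-a-prod"}]}""")


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    if ignore_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins over any
    Allow, and a request matched by no statement is implicitly denied.
    Condition, NotAction/NotResource, permission boundaries and SCPs are not
    modelled here."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; ECR repository names are not.
        if not _matches(_as_list(stmt["Action"]), action, ignore_case=True):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

For the live answer against the policies actually attached to a principal, including group policies and explicit denies, use `aws iam simulate-principal-policy --policy-source-arn <user-arn> --action-names ecr:CreateRepository`.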

AWS provides managed policies specifically for ECR:

  • AmazonEC2ContainerRegistryPowerUser - Read/write access to repositories
  • AmazonEC2ContainerRegistryFullAccess - Full administrative access

These can be attached directly to your IAM user or group if they match your required permission level.