{
  "AWSTemplateFormatVersion" : "2010-09-09",

  "Description" : "Deepfence ECR Registry Role Setup: creates an IAM role (assumable only by the EC2 service) and an instance profile that grant the Deepfence console read-only access to Amazon ECR (private) and ECR Public. The inline policy uses Resource '*', so it covers every repository in the account; narrow the Resource to specific repository ARNs if the console only needs a subset.",

  "Resources" : {
    "DeepfenceConsoleEcrReadRole" : {
      "Type" : "AWS::IAM::Role",
      "Properties" : {
        "RoleName" : "deepfence-console-ecr-read-role",
        "AssumeRolePolicyDocument" : {
          "Version": "2012-10-17",
          "Statement" : [{
            "Effect" : "Allow",
            "Principal" : {
              "Service" : [
                "ec2.amazonaws.com"
              ]
            },
            "Action" : "sts:AssumeRole"
          }]
        },
        "Policies" : [
          {
            "PolicyName": "deepfence-ecr-read-only",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action"   : [
                    "sts:GetServiceBearerToken",
                    "ecr-public:GetAuthorizationToken",
                    "ecr-public:BatchCheckLayerAvailability",
                    "ecr-public:GetRepositoryPolicy",
                    "ecr-public:DescribeRepositories",
                    "ecr-public:DescribeRegistries",
                    "ecr-public:DescribeImages",
                    "ecr-public:DescribeImageTags",
                    "ecr-public:GetRepositoryCatalogData",
                    "ecr-public:GetRegistryCatalogData",
                    "ecr:DescribeImageScanFindings",
                    "ecr:GetLifecyclePolicyPreview",
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:DescribeImageReplicationStatus",
                    "ecr:ListTagsForResource",
                    "ecr:ListImages",
                    "ecr:BatchGetRepositoryScanningConfiguration",
                    "ecr:BatchGetImage",
                    "ecr:DescribeImages",
                    "ecr:DescribeRepositories",
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:GetRepositoryPolicy",
                    "ecr:GetLifecyclePolicy",
                    "ecr:GetRegistryPolicy",
                    "ecr:DescribeRegistry",
                    "ecr:DescribePullThroughCacheRules",
                    "ecr:GetAuthorizationToken",
                    "ecr:GetRegistryScanningConfiguration"
                  ],
                  "Resource": "*"
                }
              ]
            }
          }
        ],
        "Tags" : [
          {
            "Key" : "Name",
            "Value" : "deepfence-console-ecr-read-role"
          }
        ]
      }
    },
    "DeepfenceConsoleInstanceProfile": {
      "Type" : "AWS::IAM::InstanceProfile",
      "Properties" : {
        "InstanceProfileName" : "deepfence-console-ecr-instance-profile",
        "Path" : "/",
        "Roles" : [{"Ref": "DeepfenceConsoleEcrReadRole"}]
      }
    } 
  },

  "Outputs" : {
    "InstanceProfileARN" : {
      "Value" : { "Fn::GetAtt" : [ "DeepfenceConsoleInstanceProfile", "Arn" ]},
      "Description" : "ARN of the new instance profile. Attach it to the Deepfence console EC2 instance to give it read-only (Describe/Get/List/BatchGet) access to all ECR and ECR Public repositories in this account; any EC2 instance launched with this profile obtains the same access."
    }
  }
}
