Fix policy grant on ECR resource policy (#2159)

### Testing: Validated the YAML output with `cdk synth`. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
aws · Feb 3, 2025 · cc9c9f0 · cc9c9f0
1 parent 6c613fa
commit cc9c9f0
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 13 deletions.
diff --git a/tests/ci/cdk/cdk/ecr_stack.py b/tests/ci/cdk/cdk/ecr_stack.py
@@ -11,5 +11,6 @@ class EcrStack(Stack):
     def __init__(self, scope: Construct, id: str, repo_name: str, **kwargs) -> None:
         super().__init__(scope, id, **kwargs)
 
-        ecr.Repository(scope=self, id=id, repository_name=repo_name).grant_pull_push(
-            iam.ServicePrincipal("codebuild.amazonaws.com"))
+        repo = ecr.Repository(scope=self, id=id, repository_name=repo_name)
+        repo.grant_pull_push(iam.ServicePrincipal("codebuild.amazonaws.com"))
+        repo.grant_pull(iam.ArnPrincipal("arn:aws:iam::222961743098:role/scrutini-ecr"))
diff --git a/tests/ci/cdk/util/iam_policies.py b/tests/ci/cdk/util/iam_policies.py
@@ -207,17 +207,6 @@ def ecr_power_user_policy_in_json(ecr_repo_names):
                     "ecr:PutImage"
                 ],
                 "Resource": ecr_arns
-            },
-            {
-                "Sid": "scrutinice",
-                "Effect": "Allow",
-                "Principal": {
-                    "AWS": "arn:aws:iam::222961743098:role/scrutini-ecr"
-                },
-                "Action": [
-                    "ecr:BatchGetImage",
-                    "ecr:GetDownloadUrlForLayer"
-                ]
             }
         ]
     }