feat(ecr): Public Gallery authorization token (#12775)

iliapolo · web-flow · commit 84342943ad9f · 2021-01-31T10:52:18.000Z
API for granting permissions to retrieve an authorization token for the [Public ECR Gallery](https://gallery.ecr.aws/), similarly to the [existing API](https://github.com/aws/aws-cdk/blob/master/packages/@aws-cdk/aws-ecr/lib/auth-token.ts) for private ECR registries. Also added a note in the README encouraging users to prefer authenticated pulls over anonymous ones to benefit from higher limits. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-ecr/README.md b/packages/@aws-cdk/aws-ecr/README.md
@@ -51,11 +51,29 @@ grants an IAM user access to call this API.
 
 ```ts
 import * as iam from '@aws-cdk/aws-iam';
+import * as ecr from '@aws-cdk/aws-ecr';
 
 const user = new iam.User(this, 'User', { ... });
-iam.AuthorizationToken.grantRead(user);
+ecr.AuthorizationToken.grantRead(user);
 ```
 
+If you access images in the [Public ECR Gallery](https://gallery.ecr.aws/) as well, it is recommended you authenticate to the regsitry to benefit from
+higher rate and bandwidth limits.
+
+> See `Pricing` in https://aws.amazon.com/blogs/aws/amazon-ecr-public-a-new-public-container-registry/ and [Service quotas](https://docs.aws.amazon.com/AmazonECR/latest/public/public-service-quotas.html).
+
+The following code snippet grants an IAM user access to retrieve an authorization token for the public gallery.
+
+```ts
+import * as iam from '@aws-cdk/aws-iam';
+import * as ecr from '@aws-cdk/aws-ecr';
+
+const user = new iam.User(this, 'User', { ... });
+ecr.PublicGalleryAuthorizationToken.grantRead(user);
+```
+
+This user can then proceed to login to the registry using one of the [authentication methods](https://docs.aws.amazon.com/AmazonECR/latest/public/public-registries.html#public-registry-auth).
+
 ## Automatically clean up repositories
 
 You can set life cycle rules to automatically clean up old images from your
diff --git a/packages/@aws-cdk/aws-ecr/lib/auth-token.ts b/packages/@aws-cdk/aws-ecr/lib/auth-token.ts
@@ -1,7 +1,9 @@
 import * as iam from '@aws-cdk/aws-iam';
 
 /**
- * Authorization token to access ECR repositories via Docker CLI.
+ * Authorization token to access private ECR repositories in the current environment via Docker CLI.
+ *
+ * @see https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html
  */
 export class AuthorizationToken {
   /**
@@ -18,3 +20,27 @@ export class AuthorizationToken {
   private constructor() {
   }
 }
+
+/**
+ * Authorization token to access the global public ECR Gallery via Docker CLI.
+ *
+ * @see https://docs.aws.amazon.com/AmazonECR/latest/public/public-registries.html#public-registry-auth
+ */
+export class PublicGalleryAuthorizationToken {
+
+  /**
+   * Grant access to retrieve an authorization token.
+   */
+  public static grantRead(grantee: iam.IGrantable) {
+    grantee.grantPrincipal.addToPrincipalPolicy(new iam.PolicyStatement({
+      actions: ['ecr-public:GetAuthorizationToken', 'sts:GetServiceBearerToken'],
+      // GetAuthorizationToken only allows '*'. See https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistry.html#amazonelasticcontainerregistry-actions-as-permissions
+      // GetServiceBearerToken only allows '*'. See https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecuritytokenservice.html#awssecuritytokenservice-actions-as-permissions
+      resources: ['*'],
+    }));
+  }
+
+  private constructor() {
+  }
+
+}
diff --git a/packages/@aws-cdk/aws-ecr/test/test.auth-token.ts b/packages/@aws-cdk/aws-ecr/test/test.auth-token.ts
@@ -2,10 +2,10 @@ import { expect, haveResourceLike } from '@aws-cdk/assert';
 import * as iam from '@aws-cdk/aws-iam';
 import { Stack } from '@aws-cdk/core';
 import { Test } from 'nodeunit';
-import { AuthorizationToken } from '../lib';
+import { AuthorizationToken, PublicGalleryAuthorizationToken } from '../lib';
 
 export = {
-  'grant()'(test: Test) {
+  'AuthorizationToken.grantRead()'(test: Test) {
     // GIVEN
     const stack = new Stack();
     const user = new iam.User(stack, 'User');
@@ -28,4 +28,32 @@ export = {
 
     test.done();
   },
+
+  'PublicGalleryAuthorizationToken.grantRead()'(test: Test) {
+    // GIVEN
+    const stack = new Stack();
+    const user = new iam.User(stack, 'User');
+
+    // WHEN
+    PublicGalleryAuthorizationToken.grantRead(user);
+
+    // THEN
+    expect(stack).to(haveResourceLike('AWS::IAM::Policy', {
+      PolicyDocument: {
+        Statement: [
+          {
+            Action: [
+              'ecr-public:GetAuthorizationToken',
+              'sts:GetServiceBearerToken',
+            ],
+            Effect: 'Allow',
+            Resource: '*',
+          },
+        ],
+      },
+    }));
+
+    test.done();
+  },
+
 };
