This topic describes how to install and configure Tanzu Build Service.

VMware recommends installing Tanzu Build Service with the Tanzu CLI and kapp controller. If you want to view the previous method of installation, see Installing without kapp controller.

Reasons to use the previous installation method include:

  • You do not want to install kapp controller on your cluster.
  • You want to make custom changes to the Tanzu Build Service installation through ytt templating or overlays.

Prerequisites

Before you install Build Service, you must:

  • Be on Kubernetes cluster v1.19 or later.

  • Ensure that all worker nodes have at least 50 GB of ephemeral storage allocated to them.

    • To do this on TKGs, mount a 50GB volume at /var/lib/containerd to the worker nodes in the TanzuKubernetesCluster resource that corresponds to your TKGs cluster. For information about configuring storage on worker nodes, see Cluster with Separate Disks and Storage Parameters.
  • Have access to a container registry to install Tanzu Build Service and store application images.

    • Although the documentation references specific registries for the purpose of providing examples, any registry that adheres to the Docker Registry HTTP API V2 is supported.
    • If installing using the lite descriptor, VMware recommends 1 GB of registry storage.
    • If installing using the full descriptor, which is intended for production use and offline environments, VMware recommends 10 GB of available storage.
    • This registry space suggestion does not include the space used for application images built by Tanzu Build Service.
  • Ensure your Kubernetes cluster is configured with a default StorageClass. Tanzu Build Service defaults to using 2 GB of cache if a default StorageClass is defined. Build Service utilizes PersistentVolumeClaims to cache build artifacts, which reduces the time of subsequent builds.

    For more information, see Persistent Volumes in the Kubernetes documentation. For information about defining a default StorageClass, see Changing the default StorageClass.

  • Download Tanzu Cluster Essentials to install the imgpkg CLI tool and follow the README to install kapp controller.

  • Install the Tanzu CLI.

    • Only the package and secret plug-ins are required.
  • Navigate to the following pages in Tanzu Network and accept all EULAs highlighted in yellow.

  • Find the latest Tanzu Build Service version by checking the Tanzu Build Service page on Tanzu Network. Just knowing the version is sufficient.

  • Download the kp CLI for your operating system from the Tanzu Build Service page on Tanzu Network. See the kp CLI help text.

    • These docs assume you are using kp CLI v0.7.x with Tanzu Build Service v1.7.x. If a feature is not working, you might need to upgrade your CLI.
  • Download either the docker CLI or crane CLI for authentication with registries.

Note: Clusters running with Containerd 1.4.1, 1.5.6, and 1.5.7 are not compatible with Tanzu Build Service. Notably, TKG 1.2.1 and TKGi 1.13.0 & 1.13.1 use these versions of Containerd, so a different version must be used.

Note: TKGs clusters running Kubernetes 1.20.0-1.20.6 are not compatible with Tanzu Build Service.

Deprecated Features

  • The (legacy) CNB BOM format is deprecated, but enabled by default in TBS. Support can be disabled manually by passing --data-value-yaml include_legacy_bom=false to ytt when processing the TBS bundle or by adding include_legacy_bom=false to your tbs-values.yml file.

Install Tanzu Build Service

  1. Set up environment variables for use during the installation.

    export INSTALL_REGISTRY_HOSTNAME=<IMAGE-REGISTRY>
    export INSTALL_REPOSITORY=<IMAGE-REPOSITORY>
    export INSTALL_REGISTRY_USERNAME=<REGISTRY-USERNAME>
    export INSTALL_REGISTRY_PASSWORD=<REGISTRY-PASSWORD>
    export TANZUNET_REGISTRY_USERNAME=<TANZUNET_REGISTRY_USERNAME>
    export TANZUNET_REGISTRY_PASSWORD=<TANZUNET_REGISTRY_PASSWORD>
    export TBS_VERSION=<LATEST-TBS-VERSION>
    

    Where:

    • IMAGE-REGISTRY is the host name of the registry.
    • IMAGE-REPOSITORY is the repository in your registry that you want to relocate images to.
      • Dockerhub has the form my-dockerhub-username/build-service or index.docker.io/my-dockerhub-username/build-service.
      • gcr.io has the form gcr.io/my-project/build-service.
      • Harbor has the form my-harbor.io/my-project/build-service.
    • REGISTRY-USERNAME is the user name of the registry. You must be able to write to IMAGE-REPOSITORY with this credential. gcr.io expects _json_key.
    • REGISTRY-PASSWORD is the password of the registry. You must be able to write to IMAGE-REPOSITORY with this credential.
    • TANZUNET_REGISTRY_USERNAME is the user name you use to access TanzuNet.
    • TANZUNET_REGISTRY_PASSWORD is the password you use to access TanzuNet.
      • For Google Cloud Registry, use the contents of the service account JSON key.
    • LATEST-TBS-VERSION is from the Tanzu Network Release page.

Relocate images to a registry

This procedure relocates images from the Tanzu Network registry to an internal image registry through a local machine.

The local machine must have write access to the install registry.

  1. Log in to the Tanzu Network registry with your Tanzu Network credentials:

    • If using the docker CLI, run:

      docker login registry.tanzu.vmware.com
      
    • If using the crane CLI, run:

      crane auth login registry.tanzu.vmware.com
      
  2. Log in to the image registry where you want to store the images:

    • If using the docker CLI, run:

      docker login ${INSTALL_REGISTRY_HOSTNAME}
      
    • If using the crane CLI, run:

      crane auth login ${INSTALL_REGISTRY_HOSTNAME}
      
  3. Copy the Tanzu Build Service package repository to your registry with the Carvel tool imgpkg by running:

    imgpkg copy -b registry.tanzu.vmware.com/build-service/package-repo:$TBS_VERSION --to-repo=${INSTALL_REPOSITORY}
    

    For example:

    • Dockerhub imgpkg copy -b registry.tanzu.vmware.com/build-service/package-repo:$TBS_VERSION --to-repo=my-dockerhub-account/build-service
    • GCR imgpkg copy -b registry.tanzu.vmware.com/build-service/package-repo:$TBS_VERSION --to-repo=gcr.io/my-project/build-service
    • Artifactory imgpkg copy -b registry.tanzu.vmware.com/build-service/package-repo:$TBS_VERSION --to-repo=artifactory.com/my-project/build-service
    • Harbor imgpkg copy -b registry.tanzu.vmware.com/build-service/package-repo:$TBS_VERSION --to-repo=harbor.io/my-project/build-service

Installation

  1. Create a namespace called tbs-install for deploying the package by running:

    kubectl create ns tbs-install
    

    This namespace keeps the installation objects grouped together logically.

  2. Create a secret to pull in the package repository:

    tanzu secret registry add tbs-install-registry \
      --username ${INSTALL_REGISTRY_USERNAME} --password ${INSTALL_REGISTRY_PASSWORD} \
      --server ${INSTALL_REGISTRY_HOSTNAME} \
      --export-to-all-namespaces --yes --namespace tbs-install
    
  3. Add the Tanzu Build Service package repository to the cluster by running:

    tanzu package repository add tbs-repository \
        --url "${INSTALL_REPOSITORY}:${TBS_VERSION}" \
        --namespace tbs-install
    
  4. You should be able to get the status of the package repository and ensure the status updates to Reconcile succeeded by running:

    tanzu package repository get tbs-repository --namespace tbs-install
    
  5. Create a tbs-values.yml file by using the following sample as a guide. This file should be kept for future use.

    ---
    kp_default_repository: <INSTALL_REPOSITORY>
    kp_default_repository_username: <INSTALL_REGISTRY_USERNAME>
    kp_default_repository_password: <INSTALL_REGISTRY_PASSWORD>
    pull_from_kp_default_repo: true
    tanzunet_username: <TANZUNET_REGISTRY_USERNAME>
    tanzunet_password: <TANZUNET_REGISTRY_PASSWORD>
    descriptor_name: <DESCRIPTOR_NAME>
    enable_automatic_dependency_updates: true
    ca_cert_data: <CA_CERT_CONTENTS> (optional)
    

    Where:

    • INSTALL_REPOSITORY is a writable repository in your registry. Tanzu Build Service Dependencies are written to this location. Same value as used during relocation.
    • INSTALL_REGISTRY_USERNAME is the registry username. Same value as used during relocation.
    • INSTALL_REGISTRY_PASSWORD is the registry password. Same value as used during relocation.
    • TANZUNET_REGISTRY_USERNAME is used to pull dependencies from tanzu network. Same value used during relocation
    • TANZUNET_REGISTRY_PASSWORD is used to pull dependencies from tanzu network. Same value used during relocation
    • DESCRIPTOR-NAME is the name of the descriptor to import automatically. For more information about which descriptor to choose for your workload and use case, see Descriptors. Available options:
      • full contains all dependencies.
      • lite smaller footprint used for speeding up installs. Requires Internet access on the cluster.
    • CA_CERT_CONTENTS must be provided when using registry that is signed by a Custom Cert. This should be the value of the PEM-encoded CA certificate that will be used during the build time. For more information about adding CA certificate to the run image, see the FAQ.
  6. Install the package by running:

    tanzu package install tbs -p buildservice.tanzu.vmware.com -v $TBS_VERSION -n tbs-install -f tbs-values.yml --poll-timeout 30m
    

    Note: Installing with Tanzu Network credentials automatically relocates buildpack dependencies to your registry. This install process can take some time and the `--poll-timeout` flag increases the timeout duration. Using the `lite` descriptor speeds this up significantly. If the command times out, periodically run the installation verification step provided in the following optional step. Image relocation continues in the background.

Using Secrets for credentials

You may not want to install TBS with passwords saved in plaintext in the tbs-values.yml.

You can store these credentials in Secrets and reference them in the tbs-values.yml using the following process:

  1. Create the secret for the kp-default-repository credentials using the tanzu cli:

    tanzu secret registry add kp-default-repository-creds \
      --username "${INSTALL_REGISTRY_USERNAME}" \
      --password "${INSTALL_REGISTRY_PASSWORD}" \
      --server "${INSTALL_REGISTRY_HOSTNAME}" \
      --namespace tbs-install
    
  2. When leveraging automatic updates, create the secret for the Tanzu Network credentials using the tanzu cli:

     tanzu secret registry add tanzunet-creds \
       --server "registry.tanzu.vmware.com" \
       --username "${TANZUNET_REGISTRY_USERNAME}" \
       --password "${TANZUNET_REGISTRY_PASSWORD}" \
       --namespace tbs-install
    
  3. Create a tbs-values.yml with secret references instead of plaintext credentials:

    ---
    kp_default_repository: <INSTALL_REPOSITORY>
    kp_default_repository_secret:
      name: kp-default-repository-creds
      namespace: tbs-install
    pull_from_kp_default_repo: true
    tanzunet_secret:
      name: tanzunet-creds
      namespace: tbs-install
    descriptor_name: <DESCRIPTOR_NAME>
    enable_automatic_dependency_updates: true
    ca_cert_data: <CA_CERT_CONTENTS> (optional)
    

Additional configuration

  1. You can add additional fields to the tbs-values.yml:

    • admin_users is a comma-separated list of users granted admin privileges on Build Service.
    • admin_groups is a comma-separated list of groups granted admin privileges on Build Service.
    • http_proxy is the HTTP proxy to use for network traffic.
    • https_proxy is the HTTPS proxy to use for network traffic.
    • no_proxy is a comma-separated list of host names, IP addresses, or IP address ranges in CIDR format. These must not use a proxy.
  2. You can see the full values schema by running:

    tanzu package available get buildservice.tanzu.vmware.com/$TBS_VERSION --values-schema --namespace tbs-install
    

Using AWS IAM for Authentication with ECR

You can install Tanzu Build Service using AWS IAM roles for authentication with Amazon Elastic Container Registry (ECR) on Amazon Elastic Kubernetes Service (EKS) clusters.

There are two additional steps required:

  1. Install Tanzu Build Service with AWS IAM for Authentication with ECR
  2. Configure the build namespace for IAM Auth with ECR
Install Tanzu Build Service with AWS IAM for Authentication with ECR

To install with AWS IAM for Authentication with ECR:

  1. Before installing Tanzu Build Service, create a repository in ECR to use for the kp_default_repository.

  2. Configure an AWS IAM role that has read and write access to the kp_default_repository and a trust policy for the EKS cluster. The minimum required permissions can be found here.

  3. Follow the Tanzu Build Service installation steps until the tbs-values.yml file.

  4. In the tbs-values.yml file, replace the kp_default_repository_username and kp_default_repository_username or kp_default_repository_secret with the following line:

    ...
    kp_default_repository_aws_iam_role_arn: "INSTALL-IAM-ROLE-ARN"
    ...
    

    Where:

    • INSTALL-IAM-ROLE-ARN is the AWS IAM role Amazon Resource Name (ARN) for the role configured earlier. For example, arn:aws:iam::xyz:role/my-install-role.
Configure the build namespace for IAM Auth with ECR

Similar to configuring a secret in the build namespace for registry authentication, the build namespace requires configuration for Tanzu Build Service to use AWS IAM authentication for ECR in builds.

To configure the build namespace for IAM Auth with ECR:

  1. Configure an AWS IAM role that has read and write access to the registry location to store build images.

  2. For the service account used for Image resources, add an annotation including the role ARN configured earlier.

    kubectl annotate serviceaccount -n BUILD-NAMESPACE SERVICE-ACCOUNT-NAME \
    eks.amazonaws.com/role-arn=${BUILD-IAM-ROLE-ARN}
    

    Where:

    • BUILD-NAMESPACE is the name of your build namespace.
    • SERVICE-ACCOUNT-NAME is the service account used for Image resources. This is default if unset.
    • BUILD-IAM-ROLE-ARN is the AWS IAM role ARN for the role configured earlier. For example, arn:aws:iam::xyz:role/my-build-role.
  3. To create an Image resource with this service account, run:

    kp image save my-ecr-image --tag 12345.ecr.com/my-repo --service-acount=SERVICE-ACCOUNT-NAME -n BUILD-NAMESPACE
    

Installing on Openshift

Installing TBS on Openshift requires a few extra steps.

  1. Follow the normal installation steps but when creating the tbs-values.yaml add the following property:

    ---
    ...
    kubernetes_distribution: openshift
    ...
    
  2. After installing TBS, you will need to configure any namespaces that will have Image or Build resources.

To do this you must configure RBAC for the service account used for Image resources (the default service account is used by default).

Apply the following RoleBinding:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tbs-restricted-with-seccomp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:tbs:scc:restricted-with-seccomp
subjects:
  - kind: ServiceAccount
    namespace: <BUILD-NAMESPACE>
    name: <BUILD-SERVICE-ACCOUNT>
```
Where:

    * `BUILD-NAMESPACE` is the namespace where Image and Build resources will be created.
    * `BUILD-SERVICE-ACCOUNT` is the service account used for Image resources (`default` by default).

Upgrading Tanzu Build Service

To upgrade Tanzu Build Service to a newer version, take the following steps.

  1. Relocate the new package repository:

    imgpkg copy -b registry.tanzu.vmware.com/build-service/package-repo:$NEW_TBS_VERSION --to-repo=${INSTALL_REPOSITORY}
    
  2. Add the Tanzu Build Service package repository to the cluster by running:

    tanzu package repository add tbs-repository \
        --url "${INSTALL_REPOSITORY}:${NEW_TBS_VERSION}" \
        --namespace tbs-install
    
  3. Install the package with the same tbs-values.yml file used during initial installation by running:

    tanzu package installed update tbs -p buildservice.tanzu.vmware.com -v $NEW_TBS_VERSION -n tbs-install -f tbs-values.yml --poll-timeout 30m
    

Installing Tanzu Build Service (air-gapped)

Tanzu Build Service can be installed to a Kubernetes cluster and registry that are air-gapped from external traffic.

An air-gapped environment often uses an internal registry with a self-signed CA certificate. You need access to this CA certificate file to install Tanzu Build Service.

Note: If you are using a CA certificate that is trusted (for example, Lets Encrypt), you do not need the CA certificate file.

  1. Set up environment variables for use during the installation.

    export INSTALL_REGISTRY_HOSTNAME=<IMAGE-REGISTRY>
    export INSTALL_REPOSITORY=<IMAGE-REPOSITORY>
    export INSTALL_REGISTRY_USERNAME=<REGISTRY-USERNAME>
    export INSTALL_REGISTRY_PASSWORD=<REGISTRY-PASSWORD>
    export TBS_VERSION=<LATEST-TBS-VERSION>
    

    Where:

    • IMAGE-REGISTRY is the host name of the private registry.
    • IMAGE-REPOSITORY is the repository in your registry that you want to relocate images to.
      • Harbor has the form my-harbor.io/my-project/build-service
    • REGISTRY-USERNAME is the user name of the private registry. You must be able to write to IMAGE-REPOSITORY with this credential.
    • REGISTRY-PASSWORD is the password of the private registry. You must be able to write to IMAGE-REPOSITORY with this credential.
    • LATEST-TBS-VERSION is from the Tanzu Network Release page.

    Note: The IMAGE-REPOSITORY must be the IMAGE-REGISTRY appended with the destination repository for the images. For example, IMAGE-REGISTRY/some-repo/build-service.

Relocate images to a registry (air-gapped)

This procedure relocates images from the Tanzu Network registry to an internal image registry through local machine(s).

  1. Log in to the Tanzu Network registry with your Tanzu Network credentials:

    • If using the docker CLI, run:

      docker login registry.tanzu.vmware.com
      
    • If using the crane CLI, run:

      crane auth login registry.tanzu.vmware.com
      
  2. Copy the Tanzu Build Service package repository to your local machine as a tar with the Carvel tool imgpkg by running:

    imgpkg copy -b registry.tanzu.vmware.com/build-service/package-repo:$TBS_VERSION --to-tar=/tmp/tanzu-build-service.tar
    
  3. Move the output file tanzu-build-service.tar to a machine that has access to the air-gapped environment. The machine must have write access to the internal registry.

  4. Log in to the image registry where you want to store the images by running:

    • If using the docker CLI, run:

      docker login ${INSTALL_REGISTRY_HOSTNAME}
      
    • If using the crane CLI, run:

      crane auth login ${INSTALL_REGISTRY_HOSTNAME}
      
  5. Copy the images from your local machine to the internal registry:

    imgpkg copy --tar /tmp/tanzu-build-service.tar \
      --to-repo=${INSTALL_REPOSITORY} \
      --registry-ca-cert-path <PATH-TO-CA>
    

    Where:

    • PATH-TO-CA is the path to the registry CA certificate file.

    For example:

    • Artifactory imgpkg copy --tar /tmp/tanzu-build-service.tar --to-repo=artifactory.com/my-project/build-service --registry-ca-cert-path ca.crt
    • Harbor imgpkg copy --tar /tmp/tanzu-build-service.tar --to-repo=harbor.io/my-project/build-service --registry-ca-cert-path ca.crt

Installation (air-gapped)

  1. Create a namespace called tbs-install for deploying the package by running:

    kubectl create ns tbs-install
    

    This namespace keeps the installation objects grouped together logically.

  2. Add the Tanzu Build Service package repository to the cluster by running:

    tanzu package repository add tbs-repository \
        --url "${IMAGE-REPOSITORY}:${TBS_VERSION}" \
        --namespace tbs-install
    
  3. You should be able to get the status of the package repository, and ensure the status updates to Reconcile succeeded by running:

    tanzu package repository get tbs-repository --namespace tbs-install
    
  4. Create a tbs-values.yml file by using the following sample as a guide. This file should be kept for future use.

    ---
    kp_default_repository: $INSTALL_REPOSITORY
    kp_default_repository_username: $INSTALL_REGISTRY_USERNAME
    kp_default_repository_password: $INSTALL_REGISTRY_PASSWORD
    pull_from_kp_default_repo: true
    exclude_dependencies: true
    ca_cert_data: <CA_CERT_CONTENTS>
    

    Where:

    • INSTALL_REPOSITORY is a writable repository in your internal registry. Tanzu Build Service Dependencies are written to this location. Same value as used during relocation.
    • INSTALL_REGISTRY_USERNAME is the internal registry username. Same value as used during relocation.
    • INSTALL_REGISTRY_PASSWORD is the internal registry password. Same value as used during relocation.
    • CA_CERT_CONTENTS must be provided when using registry that is signed by a Custom Cert. This should be the value of the PEM-encoded CA certificate that will be used during the build time. For more information about adding CA certificate to the run image, see the FAQ.

Additional configuration

  1. Additional fields can be added to tbs-values.yml.

    • admin_users is a comma-separated list of users who are granted admin privileges on Build Service.
    • admin_groups is a comma-separated list of groups that are granted admin privileges on Build Service.
    • http_proxy is the HTTP proxy to use for network traffic.
    • https_proxy is the HTTPS proxy to use for network traffic.
    • no_proxy is a comma-separated list of hostnames, IP addresses, or IP ranges in CIDR format that should not use a proxy.
  2. You can see the full values schema by running:

    tanzu package available get buildservice.tanzu.vmware.com/$TBS_VERSION --values-schema --namespace tbs-install
    
  3. Install the package by running:

    tanzu package install tbs -p buildservice.tanzu.vmware.com -v $TBS_VERSION -n tbs-install -f tbs-values.yml
    

Updating Build Service Dependencies (air-gapped)

When running in an air-gapped environment, Tanzu Build Service cannot pull dependencies automatically from external Internet. Therefore, dependencies must be imported manually as a part of installation for Tanzu Build Service to work.

Tanzu Build Service dependencies must be kept up to date manually or in a CI/CD automated way in order to keep application images patched. To learn more about keeping dependencies up to date in an offline environment, see Updating Build Service Dependencies.

Upgrading Tanzu Build Service (air-gapped)

  1. To upgrade Tanzu Build Service to a newer version in an air-gapped environment, the same relocation steps listed here must be followed with a new TBS_VERSION.

  2. Then the same installation steps can be followed by using the same tbs-values.yml file used for initial installation.

    Re-importing dependencies is not required for upgrading Tanzu Build Service.

Uninstalling Tanzu Build Service

  1. To uninstall Tanzu Build Service, uninstall the package using the tanzu cli:

    tanzu package installed delete tbs -n tbs-install -y
    

    Note: All Tanzu Build Service resources are deleted. Registry images created by Tanzu Build Service are not deleted.

  2. To delete the Tanzu Build Service package repository:

    tanzu package repository delete tbs-repository --namespace tbs-install
    

Ensuring access to cluster builders

To use cluster builders, such as the ones installed with Tanzu Build Service, VMware suggests installing Tanzu Build Service to a repository accessible by the nodes in the Kubernetes cluster without credentials.

If you do not want to do this, see When to use Synchronized Secrets.

Ensuring the run image is readable

Build Service relies on the run image being publicly readable or readable with the registry credentials configured in a project/namespace for the builds to be executed successfully.

The location of the run image can be identified by running:

kp clusterstack status <stack-name>

If the cluster stack run image is not public, you might need to create a registry secret in any namespace where images or builds are used. For more details on secrets in Tanzu Build Service, see Managing Secrets

You can do this with the kp CLI:

kp secret create my-registry-creds --registry example-registry.io --registry-user my-registry-user --namespace build-namespace

Next steps

Visit the Managing Images and Builds page to learn how to create and manage a new image.

Minimum AWS IAM permissions for ECR IAM auth
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecr:PutImageTagMutability",
                "ecr:StartImageScan",
                "ecr:DescribeImageReplicationStatus",
                "ecr:ListTagsForResource",
                "ecr:UploadLayerPart",
                "ecr:BatchDeleteImage",
                "ecr:ListImages",
                "ecr:BatchGetRepositoryScanningConfiguration",
                "ecr:DeleteRepository",
                "ecr:CompleteLayerUpload",
                "ecr:TagResource",
                "ecr:DescribeRepositories",
                "ecr:BatchCheckLayerAvailability",
                "ecr:ReplicateImage",
                "ecr:GetLifecyclePolicy",
                "ecr:PutLifecyclePolicy",
                "ecr:DescribeImageScanFindings",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:PutImageScanningConfiguration",
                "ecr:GetDownloadUrlForLayer",
                "ecr:DeleteLifecyclePolicy",
                "ecr:PutImage",
                "ecr:UntagResource",
                "ecr:BatchGetImage",
                "ecr:DescribeImages",
                "ecr:StartLifecyclePolicyPreview",
                "ecr:InitiateLayerUpload",
                "ecr:GetRepositoryPolicy"
            ],
            "Resource": "<your repository>"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ecr:GetRegistryPolicy",
                "ecr:BatchImportUpstreamImage",
                "ecr:CreateRepository",
                "ecr:DescribeRegistry",
                "ecr:DescribePullThroughCacheRules",
                "ecr:GetAuthorizationToken",
                "ecr:PutRegistryScanningConfiguration",
                "ecr:CreatePullThroughCacheRule",
                "ecr:DeletePullThroughCacheRule",
                "ecr:GetRegistryScanningConfiguration",
                "ecr:PutReplicationConfiguration"
            ],
            "Resource": "<your repository>"
        }
    ]
}
check-circle-line exclamation-circle-line close-line
Scroll to top icon