From 6c79bbe8981495e884282cdfea9cf0b9a5ea2584 Mon Sep 17 00:00:00 2001
From: Tim Hobbs
Date: Mon, 31 Jul 2017 18:14:58 +0200
Subject: [PATCH] Add IAM policy allowing authenticated pull from ECR
---
 resources/aws/policy.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/resources/aws/policy.go b/resources/aws/policy.go
index 62d19c3cdc..07b60c3e3e 100644
--- a/resources/aws/policy.go
+++ b/resources/aws/policy.go
@@ -54,6 +54,19 @@ const (
 "Effect": "Allow",
 "Action": "s3:GetObject",
 "Resource": "arn:aws:s3:::%s/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ecr:GetAuthorizationToken",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:GetRepositoryPolicy",
+ "ecr:DescribeRepositories",
+ "ecr:ListImages",
+ "ecr:BatchGetImage"
+ ],
+ "Resource": "*"
 }
 ]
 }`
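Review bot: The new ECR statement uses `"Resource": "*"` for every action, so a role carrying this policy can pull from any ECR repository it can reach, not only the ones the cluster needs. Only `ecr:GetAuthorizationToken` requires the wildcard; the layer and image actions accept repository ARNs and could sit in a second statement scoped to them. `ecr:GetRepositoryPolicy`, `ecr:DescribeRepositories` and `ecr:ListImages` are not needed for a plain image pull and look droppable unless something outside this hunk relies on them. The const block and the code that fills the template's `%s` lie outside the hunk, so a scoped ARN would also need a matching argument there; REGION, ACCOUNT_ID and REPO_NAME below are placeholders.

```go
		},
		{
			"Effect": "Allow",
			"Action": "ecr:GetAuthorizationToken",
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"ecr:BatchCheckLayerAvailability",
				"ecr:GetDownloadUrlForLayer",
				"ecr:BatchGetImage"
			],
			"Resource": "arn:aws:ecr:REGION:ACCOUNT_ID:repository/REPO_NAME"
		}
```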