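Describe the bug
ECR_POLICY_SCHEMA has a regular expression pattern: '^ecr:[a-zA-Z]*$'. It does not allow policy action "ecr:*".
What did you expect to happen?
I expect 'ecr:*' should be allowed in ECR Policy Schema.
Cloud Provider
Amazon Web Services (AWS)
Cloud Custodian version and dependency information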
Custodian: 0.9.22
Python: 3.10.6 (main, Aug 30 2022, 05:11:14) [Clang 13.0.0 (clang-1300.0.29.30)]
Platform: posix.uname_result(sysname='Darwin', nodename='Jerrys-MacBook-Pro.local', release='20.6.0', version='Darwin Kernel Version 20.6.0: Tue Oct 12 18:33:42 PDT 2021; root:xnu-7195.141.8~1/RELEASE_X86_64', machine='x86_64')
Using venv: True
Docker: False
Policy
```yaml
- name: ecr-image-prevent-pull
  resource: ecr
  filters:
    - type: finding
  actions:
    - type: modify-ecr-policy
      add-statements: [{
        "Sid": "ReplaceWithMe",
        "Effect": "Deny",
        "Principal": "*",
        "Action": ["ecr:*"]
      }]
```
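The rejection reported in this issue can be reproduced without running Custodian. The following is an added example, not code from the issue or from Cloud Custodian: it applies the quoted pattern to the issue's statement and to constructed statements, and compares it with a relaxed pattern. `RELAXED_PATTERN`, `rejected_actions` and the `Constructed*` statements are assumptions made for illustration.

```python
import re

# Pattern quoted in the issue for ECR_POLICY_SCHEMA action strings.
REPORTED_PATTERN = r'^ecr:[a-zA-Z]*$'
# Hypothetical relaxed pattern (an assumption, not the project's fix):
# letters with an optional trailing wildcard, or a bare wildcard.
RELAXED_PATTERN = r'^ecr:([a-zA-Z]+\*?|\*)$'


def rejected_actions(statements, pattern):
    """Return (Sid, action) pairs whose action fails the schema pattern.

    JSON Schema evaluates "pattern" with search semantics, so re.search
    mirrors how a validator would apply it.
    """
    regex = re.compile(pattern)
    bad = []
    for stmt in statements:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # IAM accepts a single string or a list
            actions = [actions]
        for action in actions:
            if not regex.search(action):
                bad.append((stmt.get("Sid"), action))
    return bad


# First statement is the one from the issue's policy; the rest are constructed.
STATEMENTS = [
    {"Sid": "ReplaceWithMe", "Effect": "Deny", "Principal": "*",
     "Action": ["ecr:*"]},
    {"Sid": "Constructed1", "Effect": "Deny", "Principal": "*",
     "Action": ["ecr:BatchGetImage", "ecr:Get*", "ecr:"]},
    {"Sid": "Constructed2", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*"},
]

if __name__ == "__main__":
    for label, pat in (("reported", REPORTED_PATTERN),
                       ("relaxed", RELAXED_PATTERN)):
        print(label, rejected_actions(STATEMENTS, pat))
```

Besides rejecting `ecr:*` and prefix wildcards such as `ecr:Get*`, the reported pattern accepts the empty action `ecr:` because `[a-zA-Z]*` matches zero characters.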