Tags: amazon-web-services, jenkins, terraform, amazon-ecr, amazon-ecr-public

What IAM policies are required to run ECR commands on an EC2 instance that has assumed a role?


I have a small Jenkins instance that uses Terraform to deploy some stuff such as ECR. When trying to apply changes I get this error:

error creating ECR Public repository: AccessDeniedException: 
User: arn:aws:sts::1234567890:assumed-role/jenkins_role/i-1234567890 is not authorized to perform: ecr-public:CreateRepository on resource: arn:aws:ecr-public::1234567890:repository/test-repo


I would have thought AmazonEC2ContainerRegistryFullAccess would be enough, but that was not the case. When I added AdministratorAccess, it worked. So why is that the case?


Solution

  • AmazonEC2ContainerRegistryFullAccess applies only to private ECR. You are trying to use ecr-public. This means you have to create your own policy which allows ecr-public:CreateRepository (not ecr:CreateRepository).
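Added illustration (not part of the original question or answer): IAM action wildcards only match within a service prefix, so the ecr:* grant inside AmazonEC2ContainerRegistryFullAccess never covers ecr-public:CreateRepository, while the "*" in AdministratorAccess covers everything. The Python below models that matching with a small identity-policy evaluator (explicit Deny wins, then any Allow, otherwise implicit deny) and prints a least-privilege customer-managed policy for the Jenkins role. Assumptions: the two managed-policy bodies are simplified stand-ins for the real AWS documents, the account ID is the placeholder from the error message, the DescribeRepositories action is included because Terraform reads a repository back after creating it, and sts:GetServiceBearerToken is listed because the ECR Public login call requires it.

```python
"""Toy IAM identity-policy evaluator for the ecr vs ecr-public namespace split.

Added example, not code from the question or answer. The managed-policy
bodies are simplified stand-ins (assumption), not the full AWS documents.
"""
import fnmatch
import json

# Stand-in for AmazonEC2ContainerRegistryFullAccess: only the ecr:* statement.
ECR_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ecr:*", "Resource": "*"}],
}

# Stand-in for AdministratorAccess: Action "*" on Resource "*".
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Least-privilege customer-managed policy for the Jenkins role.
# Account ID is the placeholder from the error message (assumption).
# DescribeRepositories: Terraform reads the repo back after creating it (assumption).
# sts:GetServiceBearerToken: required by `aws ecr-public get-login-password`.
ECR_PUBLIC_CREATE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreatePublicRepo",
            "Effect": "Allow",
            "Action": ["ecr-public:CreateRepository", "ecr-public:DescribeRepositories"],
            "Resource": "arn:aws:ecr-public::1234567890:repository/*",
        },
        {
            "Sid": "PublicRegistryLogin",
            "Effect": "Allow",
            "Action": ["ecr-public:GetAuthorizationToken", "sts:GetServiceBearerToken"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policies, action, resource):
    """Evaluate identity-based policies for one action on one resource ARN.

    Order mirrors IAM: an explicit Deny anywhere wins, any matching Allow
    grants, and no match at all is an implicit deny. IAM action names are
    case-insensitive, so actions are compared lowercased; '*' and '?' in the
    policy are glob wildcards and only ever match inside the written prefix,
    which is why "ecr:*" cannot match "ecr-public:CreateRepository".
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
            resources = _as_list(stmt.get("Resource", []))
            action_hit = any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in resources)
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def ecr_public_policy_json():
    """JSON body to paste into an aws_iam_policy `policy` argument in Terraform."""
    return json.dumps(ECR_PUBLIC_CREATE, indent=2)


if __name__ == "__main__":
    action = "ecr-public:CreateRepository"
    resource = "arn:aws:ecr-public::1234567890:repository/test-repo"
    for name, policy in [
        ("AmazonEC2ContainerRegistryFullAccess (stand-in)", ECR_FULL_ACCESS),
        ("AdministratorAccess (stand-in)", ADMINISTRATOR_ACCESS),
        ("custom ecr-public policy", ECR_PUBLIC_CREATE),
    ]:
        print(f"{name}: {action} -> {is_allowed([policy], action, resource)}")
    print(ecr_public_policy_json())
```

The custom policy is scoped to repositories in the one account, so the same check against a different account's repository ARN, or against an action the policy does not list such as ecr-public:DeleteRepository, evaluates to the implicit deny; add those actions only if the Terraform destroy path needs them.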