chore(ci-staging): allow authenticating to ecr public gallery

rust-lang · Dec 13, 2024 · d01c787 · d01c787
1 parent d8c051b
commit d01c787
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/terragrunt/modules/ci-runners/gh_oidc.tf b/terragrunt/modules/ci-runners/gh_oidc.tf
@@ -35,3 +35,23 @@ resource "aws_iam_role" "github_actions_ci_role" {
     ]
   })
 }
+
+# Allow GitHub Actions to authenticate to AWS ECR Public Gallery
+resource "aws_iam_role_policy" "github_actions_ecr_policy" {
+  name = "ecr-auth-policy"
+  role = aws_iam_role.github_actions_ci_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "ecr-public:GetAuthorizationToken",
+          "sts:GetServiceBearerToken"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}