Module Reference
ECR — Container Registry Access
GitHub Actions OIDC roles for pulling and pushing container images to AWS ECR.
Status: New, Production
Directory: global/ecr/
Files: iam.tf, outputs.tf, variables.tf
What It Manages
This module provides OIDC access roles for GitHub Actions to pull and push Docker images to AWS ECR. It does not create ECR repositories — those are managed per-project (see ADR-001).
Hybrid Management Model
| Concern | Managed By | Location |
|---|---|---|
| OIDC roles (pull/push) | This module | global/ecr/iam.tf |
| ECR repositories | Per-project | Project's .infra/ |
| Lifecycle policies | Per-project | Project's .infra/ |
| Image scanning | Per-project | Project's .infra/ |
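The three per-project rows above live in each project's .infra/, not in this module. As an added illustration (not code from this module or from any ontopix project), this is the shape such a project file takes: the repository itself, scan-on-push, and a lifecycle policy. The repository name, the tag prefix and the retention numbers are assumptions chosen for the example.

```hcl
# Added example of a project's .infra/ ECR definition (not this module's code).
# Assumptions: repository name "ontopix/example-app", a "v" tag prefix,
# 7-day untagged retention and 30 retained tagged images.

resource "aws_ecr_repository" "app" {
  name                 = "ontopix/example-app" # assumed name
  image_tag_mutability = "IMMUTABLE"           # a pushed tag cannot be overwritten in place

  # Scanning is a per-project concern in the hybrid model; enable it at the source.
  image_scanning_configuration {
    scan_on_push = true
  }

  encryption_configuration {
    encryption_type = "AES256"
  }
}

resource "aws_ecr_lifecycle_policy" "app" {
  repository = aws_ecr_repository.app.name
  policy = jsonencode({
    rules = [
      {
        rulePriority = 1
        description  = "Expire untagged layers left by failed or superseded pushes"
        selection = {
          tagStatus   = "untagged"
          countType   = "sinceImagePushed"
          countUnit   = "days"
          countNumber = 7
        }
        action = { type = "expire" }
      },
      {
        rulePriority = 2
        description  = "Keep only the 30 most recent release images"
        selection = {
          tagStatus     = "tagged"
          tagPrefixList = ["v"] # assumed tag convention; required for tagStatus = "tagged"
          countType     = "imageCountMoreThan"
          countNumber   = 30
        }
        action = { type = "expire" }
      },
    ]
  })
}
```

With `IMMUTABLE` tags a workflow that re-pushes a moving tag such as `latest` will fail; that is the intended trade-off, since it is what stops a later push from quietly replacing an image that has already been deployed.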
OIDC Roles
| Role | Name | Permissions | Restricted To |
|---|---|---|---|
| Pull | GitHubActions-ECR-PullRole | Read images | Any branch, all ontopix/* repos |
| Push | GitHubActions-ECR-PushRole | Read + write images | Deploy branches (master/pre/dev) + tags (refs/tags/*), all ontopix/* repos |
IAM Policies
| Policy | Permissions |
|---|---|
| ECRPullAccess | GetAuthorizationToken, BatchGetImage, GetDownloadUrlForLayer, BatchCheckLayerAvailability, DescribeRepositories, DescribeImages, ListImages |
| ECRPushAccess | All pull permissions + PutImage, InitiateLayerUpload, UploadLayerPart, CompleteLayerUpload |
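The "Restricted To" column of the roles table and the policy table above are enforced in two different documents: the role's trust policy (who may assume it, keyed on the OIDC token's `aud` and `sub` claims) and the role's permission policy (what it may do once assumed). The following is an added example showing both for the push role; it is not the module's iam.tf. It assumes an OIDC provider for token.actions.githubusercontent.com already exists in the account, that the branch and tag patterns are exactly those listed in the table, and that repositories live in eu-central-1 (the region in `registry_url`).

```hcl
# Added example (not this module's iam.tf) of the GitHubActions-ECR-PushRole
# trust policy and permission policy. Assumed: an existing OIDC provider,
# the branch/tag patterns below, and repositories in eu-central-1.

data "aws_caller_identity" "current" {}

locals {
  github_oidc_provider_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"

  # Subject claims allowed to assume the push role. Each pattern pins the
  # ":ref:" segment, so a feature-branch token ("...:ref:refs/heads/feature-x")
  # or a pull_request token ("repo:ontopix/x:pull_request") does not match.
  push_subjects = [
    "repo:ontopix/*:ref:refs/heads/master",
    "repo:ontopix/*:ref:refs/heads/pre",
    "repo:ontopix/*:ref:refs/heads/dev",
    "repo:ontopix/*:ref:refs/tags/*",
  ]
}

data "aws_iam_policy_document" "push_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [local.github_oidc_provider_arn]
    }

    # Audience is matched exactly: a token minted for any other audience is rejected.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Subject is wildcard-matched; '*' after "ontopix/" is what makes the role
    # usable by every repository in the organisation.
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = local.push_subjects
    }
  }
}

resource "aws_iam_role" "push" {
  name               = "GitHubActions-ECR-PushRole"
  assume_role_policy = data.aws_iam_policy_document.push_trust.json
}

data "aws_iam_policy_document" "push_access" {
  # GetAuthorizationToken is account-wide and cannot be scoped to a repository.
  statement {
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }

  # Pull permissions plus the four upload actions from the ECRPushAccess row.
  statement {
    actions = [
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchCheckLayerAvailability",
      "ecr:DescribeRepositories",
      "ecr:DescribeImages",
      "ecr:ListImages",
      "ecr:PutImage",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload",
    ]
    # Assumed region; tighten to a repository-name prefix if projects follow one.
    resources = ["arn:aws:ecr:eu-central-1:${data.aws_caller_identity.current.account_id}:repository/*"]
  }
}

resource "aws_iam_role_policy" "push_access" {
  name   = "ECRPushAccess"
  role   = aws_iam_role.push.id
  policy = data.aws_iam_policy_document.push_access.json
}
```

The pull role has the same shape with a broader subject pattern (for "any branch" this would be `repo:ontopix/*:*`, an assumption here). Note that such a pattern also admits tokens from pull_request workflows, so nothing beyond read access should ever be attached to it. Because the push trust policy is the only thing standing between a compromised feature branch and a write to production images, any change to `push_subjects` deserves review against ADR-003.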
Outputs
| Output | Value |
|---|---|
| github_pull_role_arn | ARN for the pull role |
| github_push_role_arn | ARN for the push role |
| registry_url | {ACCOUNT_ID}.dkr.ecr.eu-central-1.amazonaws.com |
How to Set Up ECR for Your Project
See the Setup ECR Access guide.
Related
- ADR-001: Hybrid ECR Management — Why we chose per-project repositories with central access roles
- ADR-003: GHA OIDC Trust Tiers — Trust tier model (PushRole covers Deploy + Release tiers)
- ECR + GitHub Actions pattern — Full implementation pattern (engineering handbook)