Skip to content

[ECR] [request]: Allowing private to private ECR pull through cache service linked role to create repositories #2643

New issue
New issue
Open
Open
[ECR] [request]: Allowing private to private ECR pull through cache service linked role to create repositories#2643
Labels
ECRAmazon Elastic Container RegistryProposedCommunity submitted issue
@itaywol

Description

@itaywol
itaywol
opened on Jul 8, 2025

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
What do you want us to build?

Currently when configuring pull through cache rule between two private ECRs the downstream repository must use Registry Permission (Scoping) or IAM Role with ecr:CreateRepository in order to create repository for images pulled through the cache rule. My suggestion is to add the ecr:CreateRepository permission into the service linked role permissions reducing 1 step required from the downstream repository in the configuration.

Which service(s) is this request for?

Amazon Elastic Container Registry (ECR)

Tell us about the problem you're trying to solve

What outcome are you trying to achieve, ultimately, and why is it hard/impossible to do right now? What is the impact of not having this problem solved?

I want to simplify ECR pull-through cache configuration by eliminating the manual permission setup step. Currently, each downstream repository must be granted ecr:CreateRepository permissions, which adds configuration overhead and slows adoption of the caching feature.

Impact of not solving this problem:

  • Additional setup complexity for pull-through cache rules
  • Slower adoption due to required manual permission configuration
  • Operational overhead for teams managing multiple repositories

Are you currently working around this issue?

How are you currently solving this problem?

Currently we instruct downstream repository owners to grant ecr:CreateRepository permissions, which isn't ideal and adds overhead to adoption.

Additional context

Anything else we should know?

  • This enhancement would reduce configuration overhead and improve pull-through cache adoption
  • Adding ecr:CreateRepository to the service-linked role would be more secure than manual permission grants by keeping everything around the pull through cache permissions

Metadata

Metadata

Assignees

No one assigned

    Labels

    ECRAmazon Elastic Container RegistryProposedCommunity submitted issue

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions