@jcoreio/aws-ecr-utils 1.1.1 → 1.3.0

package/ImageManifestSchema.d.ts

@@ -0,0 +1,58 @@
+import z from 'zod';
+export declare const ImageManifestSchema: z.ZodObject<{
+    schemaVersion: z.ZodLiteral<2>;
+    mediaType: z.ZodString;
+    config: z.ZodObject<{
+        mediaType: z.ZodString;
+        size: z.ZodNumber;
+        digest: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        mediaType: string;
+        size: number;
+        digest: string;
+    }, {
+        mediaType: string;
+        size: number;
+        digest: string;
+    }>;
+    layers: z.ZodArray<z.ZodObject<{
+        mediaType: z.ZodString;
+        size: z.ZodNumber;
+        digest: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        mediaType: string;
+        size: number;
+        digest: string;
+    }, {
+        mediaType: string;
+        size: number;
+        digest: string;
+    }>, "many">;
+}, "strip", z.ZodTypeAny, {
+    mediaType: string;
+    schemaVersion: 2;
+    config: {
+        mediaType: string;
+        size: number;
+        digest: string;
+    };
+    layers: {
+        mediaType: string;
+        size: number;
+        digest: string;
+    }[];
+}, {
+    mediaType: string;
+    schemaVersion: 2;
+    config: {
+        mediaType: string;
+        size: number;
+        digest: string;
+    };
+    layers: {
+        mediaType: string;
+        size: number;
+        digest: string;
+    }[];
+}>;
+export type ImageManifestSchema = z.infer<typeof ImageManifestSchema>;

package/ImageManifestSchema.js

@@ -0,0 +1,22 @@
+"use strict";
+
+var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.ImageManifestSchema = void 0;
+var _zod = _interopRequireDefault(require("zod"));
+var MediaType = _zod["default"].string().min(1);
+var Size = _zod["default"].number()["int"]().nonnegative();
+var Digest = _zod["default"].string().min(32);
+var LayerSchema = _zod["default"].object({
+  mediaType: MediaType,
+  size: Size,
+  digest: Digest
+});
+var ImageManifestSchema = exports.ImageManifestSchema = _zod["default"].object({
+  schemaVersion: _zod["default"].literal(2),
+  mediaType: _zod["default"].string(),
+  config: LayerSchema,
+  layers: _zod["default"].array(LayerSchema)
+});

package/ImageManifestSchema.mjs

@@ -0,0 +1,15 @@
+import z from 'zod';
+const MediaType = z.string().min(1);
+const Size = z.number().int().nonnegative();
+const Digest = z.string().min(32);
+const LayerSchema = z.object({
+  mediaType: MediaType,
+  size: Size,
+  digest: Digest
+});
+export const ImageManifestSchema = z.object({
+  schemaVersion: z.literal(2),
+  mediaType: z.string(),
+  config: LayerSchema,
+  layers: z.array(LayerSchema)
+});

package/checkECRImageAccess.d.ts

@@ -0,0 +1,18 @@
+import AWS from 'aws-sdk';
+export default function checkECRImageAccess({ ecr, awsConfig, repoAccountAwsConfig, imageUri, log, }: {
+    ecr?: AWS.ECR;
+    awsConfig?: AWS.ConfigurationOptions;
+    /**
+     * Config for the AWS account containing the ECR repository.
+     * Optional; if given, will prompt to add/update the policy on the
+     * ECR repository, if access checks failed and the terminal is
+     * interactive.
+     */
+    repoAccountAwsConfig?: AWS.ConfigurationOptions;
+    imageUri: string;
+    log?: {
+        info: (...args: any[]) => void;
+        warn: (...args: any[]) => void;
+        error: (...args: any[]) => void;
+    };
+}): Promise<boolean>;

package/checkECRImageAccess.js

@@ -0,0 +1,180 @@
+"use strict";
+
+var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports["default"] = checkECRImageAccess;
+var _regenerator = _interopRequireDefault(require("@babel/runtime/regenerator"));
+var _toConsumableArray2 = _interopRequireDefault(require("@babel/runtime/helpers/toConsumableArray"));
+var _slicedToArray2 = _interopRequireDefault(require("@babel/runtime/helpers/slicedToArray"));
+var _defineProperty2 = _interopRequireDefault(require("@babel/runtime/helpers/defineProperty"));
+var _asyncToGenerator2 = _interopRequireDefault(require("@babel/runtime/helpers/asyncToGenerator"));
+var _awsSdk = _interopRequireDefault(require("aws-sdk"));
+var _parseECRImageUri2 = _interopRequireDefault(require("./parseECRImageUri.js"));
+var _ImageManifestSchema = require("./ImageManifestSchema.js");
+var _isInteractive = _interopRequireDefault(require("is-interactive"));
+var _inquirer = _interopRequireDefault(require("inquirer"));
+var _formatECRRepositoryHostname = _interopRequireDefault(require("./formatECRRepositoryHostname.js"));
+function ownKeys(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
+function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys(Object(t), !0).forEach(function (r) { (0, _defineProperty2["default"])(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; }
+function checkECRImageAccess(_x) {
+  return _checkECRImageAccess.apply(this, arguments);
+}
+function _checkECRImageAccess() {
+  _checkECRImageAccess = (0, _asyncToGenerator2["default"])( /*#__PURE__*/_regenerator["default"].mark(function _callee(_ref) {
+    var ecr, awsConfig, repoAccountAwsConfig, imageUri, _ref$log, log, _parseECRImageUri, registryId, region, repositoryName, imageTag, _yield$ecr$batchGetIm, _yield$ecr$batchGetIm2, _yield$ecr$batchGetIm3, _yield$ecr$batchGetIm4, image, imageManifest, _ImageManifestSchema$, config, layers, Action, _yield$AWS$STS$getCal, Account, _yield$inquirer$promp, update, srcEcr, _yield$srcEcr$getRepo, policyText, policy;
+    return _regenerator["default"].wrap(function _callee$(_context) {
+      while (1) switch (_context.prev = _context.next) {
+        case 0:
+          ecr = _ref.ecr, awsConfig = _ref.awsConfig, repoAccountAwsConfig = _ref.repoAccountAwsConfig, imageUri = _ref.imageUri, _ref$log = _ref.log, log = _ref$log === void 0 ? console : _ref$log;
+          log.error('checking access to ECR image:', imageUri, '...');
+          _parseECRImageUri = (0, _parseECRImageUri2["default"])(imageUri), registryId = _parseECRImageUri.registryId, region = _parseECRImageUri.region, repositoryName = _parseECRImageUri.repositoryName, imageTag = _parseECRImageUri.imageTag;
+          if (!ecr) ecr = new _awsSdk["default"].ECR(_objectSpread(_objectSpread({}, awsConfig), {}, {
+            region: region
+          }));
+          _context.prev = 4;
+          _context.next = 7;
+          return ecr.batchGetImage({
+            registryId: registryId,
+            repositoryName: repositoryName,
+            imageIds: [{
+              imageTag: imageTag
+            }]
+          }).promise();
+        case 7:
+          _yield$ecr$batchGetIm = _context.sent;
+          _yield$ecr$batchGetIm2 = _yield$ecr$batchGetIm.images;
+          _yield$ecr$batchGetIm3 = _yield$ecr$batchGetIm2 === void 0 ? [] : _yield$ecr$batchGetIm2;
+          _yield$ecr$batchGetIm4 = (0, _slicedToArray2["default"])(_yield$ecr$batchGetIm3, 1);
+          image = _yield$ecr$batchGetIm4[0];
+          imageManifest = image === null || image === void 0 ? void 0 : image.imageManifest;
+          if (imageManifest) {
+            _context.next = 15;
+            break;
+          }
+          throw new Error("imageManifest not found for: ".concat(imageUri));
+        case 15:
+          _ImageManifestSchema$ = _ImageManifestSchema.ImageManifestSchema.parse(JSON.parse(imageManifest)), config = _ImageManifestSchema$.config, layers = _ImageManifestSchema$.layers;
+          _context.next = 18;
+          return ecr.batchCheckLayerAvailability({
+            registryId: registryId,
+            repositoryName: repositoryName,
+            layerDigests: [config.digest].concat((0, _toConsumableArray2["default"])(layers.map(function (l) {
+              return l.digest;
+            })))
+          }).promise();
+        case 18:
+          _context.next = 20;
+          return ecr.getDownloadUrlForLayer({
+            registryId: registryId,
+            repositoryName: repositoryName,
+            layerDigest: layers[0].digest
+          }).promise();
+        case 20:
+          log.error("ECR image is accessible: ".concat(imageUri));
+          return _context.abrupt("return", true);
+        case 24:
+          _context.prev = 24;
+          _context.t0 = _context["catch"](4);
+          if (!(!(_context.t0 instanceof Error) || _context.t0.name !== 'AccessDeniedException')) {
+            _context.next = 28;
+            break;
+          }
+          throw _context.t0;
+        case 28:
+          log.error("Unable to access ECR image: ".concat(imageUri));
+          Action = ['ecr:GetDownloadUrlForLayer', 'ecr:BatchCheckLayerAvailability', 'ecr:BatchGetImage'];
+          log.error("You may need to add a policy to the ECR repository to allow this account.\n\nThe policy should include:\n\n  ".concat(JSON.stringify({
+            Version: '2012-10-17',
+            Statement: [{
+              Effect: 'Allow',
+              Principal: {
+                AWS: ['XXXXXXXXXXXX']
+              },
+              Action: Action
+            }]
+          }, null, 2).replace(/\n/gm, '\n  '), "\n"));
+          if (!(repoAccountAwsConfig && (0, _isInteractive["default"])())) {
+            _context.next = 55;
+            break;
+          }
+          _context.next = 34;
+          return new _awsSdk["default"].STS({
+            credentials: ecr.config.credentials,
+            region: region
+          }).getCallerIdentity().promise();
+        case 34:
+          _yield$AWS$STS$getCal = _context.sent;
+          Account = _yield$AWS$STS$getCal.Account;
+          if (Account) {
+            _context.next = 39;
+            break;
+          }
+          log.error("failed to determine AWS account");
+          return _context.abrupt("return", false);
+        case 39:
+          _context.next = 41;
+          return _inquirer["default"].prompt([{
+            name: 'update',
+            message: 'Do you want to add/update the policy?',
+            type: 'confirm',
+            "default": false
+          }]);
+        case 41:
+          _yield$inquirer$promp = _context.sent;
+          update = _yield$inquirer$promp.update;
+          if (update) {
+            _context.next = 45;
+            break;
+          }
+          return _context.abrupt("return", false);
+        case 45:
+          srcEcr = new _awsSdk["default"].ECR(_objectSpread(_objectSpread({}, repoAccountAwsConfig), {}, {
+            region: region
+          }));
+          _context.next = 48;
+          return srcEcr.getRepositoryPolicy({
+            registryId: registryId,
+            repositoryName: repositoryName
+          }).promise()["catch"](function (error) {
+            if (error.name === 'RepositoryPolicyNotFoundException') return {};
+            throw error;
+          });
+        case 48:
+          _yield$srcEcr$getRepo = _context.sent;
+          policyText = _yield$srcEcr$getRepo.policyText;
+          policy = JSON.parse(policyText || '{}');
+          _context.next = 53;
+          return srcEcr.setRepositoryPolicy({
+            repositoryName: repositoryName,
+            policyText: JSON.stringify(_objectSpread(_objectSpread({
+              Version: '2012-10-17'
+            }, policy), {}, {
+              Statement: [].concat((0, _toConsumableArray2["default"])(policy.Statement || []), [{
+                Effect: 'Allow',
+                Principal: {
+                  AWS: [Account]
+                },
+                Action: Action
+              }])
+            }), null, 2)
+          }).promise();
+        case 53:
+          log.info("updated policy on ECR repository ".concat((0, _formatECRRepositoryHostname["default"])({
+            registryId: registryId,
+            region: region,
+            repositoryName: repositoryName
+          })));
+          return _context.abrupt("return", true);
+        case 55:
+          return _context.abrupt("return", false);
+        case 56:
+        case "end":
+          return _context.stop();
+      }
+    }, _callee, null, [[4, 24]]);
+  }));
+  return _checkECRImageAccess.apply(this, arguments);
+}
+module.exports = exports.default;

package/checkECRImageAccess.mjs

@@ -0,0 +1,133 @@
+import AWS from 'aws-sdk';
+import parseECRImageUri from "./parseECRImageUri.mjs";
+import { ImageManifestSchema } from "./ImageManifestSchema.mjs";
+import isInteractive from 'is-interactive';
+import inquirer from 'inquirer';
+import formatECRRepositoryHostname from "./formatECRRepositoryHostname.mjs";
+export default async function checkECRImageAccess({
+  ecr,
+  awsConfig,
+  repoAccountAwsConfig,
+  imageUri,
+  log = console
+}) {
+  log.error('checking access to ECR image:', imageUri, '...');
+  const {
+    registryId,
+    region,
+    repositoryName,
+    imageTag
+  } = parseECRImageUri(imageUri);
+  if (!ecr) ecr = new AWS.ECR({
+    ...awsConfig,
+    region
+  });
+  try {
+    const {
+      images: [image] = []
+    } = await ecr.batchGetImage({
+      registryId,
+      repositoryName,
+      imageIds: [{
+        imageTag
+      }]
+    }).promise();
+    const imageManifest = image === null || image === void 0 ? void 0 : image.imageManifest;
+    if (!imageManifest) {
+      throw new Error(`imageManifest not found for: ${imageUri}`);
+    }
+    const {
+      config,
+      layers
+    } = ImageManifestSchema.parse(JSON.parse(imageManifest));
+    await ecr.batchCheckLayerAvailability({
+      registryId,
+      repositoryName,
+      layerDigests: [config.digest, ...layers.map(l => l.digest)]
+    }).promise();
+    await ecr.getDownloadUrlForLayer({
+      registryId,
+      repositoryName,
+      layerDigest: layers[0].digest
+    }).promise();
+    log.error(`ECR image is accessible: ${imageUri}`);
+    return true;
+  } catch (error) {
+    if (!(error instanceof Error) || error.name !== 'AccessDeniedException') {
+      throw error;
+    }
+  }
+  log.error(`Unable to access ECR image: ${imageUri}`);
+  const Action = ['ecr:GetDownloadUrlForLayer', 'ecr:BatchCheckLayerAvailability', 'ecr:BatchGetImage'];
+  log.error(`You may need to add a policy to the ECR repository to allow this account.
+
+The policy should include:
+
+  ${JSON.stringify({
+    Version: '2012-10-17',
+    Statement: [{
+      Effect: 'Allow',
+      Principal: {
+        AWS: ['XXXXXXXXXXXX']
+      },
+      Action
+    }]
+  }, null, 2).replace(/\n/gm, '\n  ')}
+`);
+  if (repoAccountAwsConfig && isInteractive()) {
+    const {
+      Account
+    } = await new AWS.STS({
+      credentials: ecr.config.credentials,
+      region
+    }).getCallerIdentity().promise();
+    if (!Account) {
+      log.error(`failed to determine AWS account`);
+      return false;
+    }
+    const {
+      update
+    } = await inquirer.prompt([{
+      name: 'update',
+      message: 'Do you want to add/update the policy?',
+      type: 'confirm',
+      default: false
+    }]);
+    if (!update) return false;
+    const srcEcr = new AWS.ECR({
+      ...repoAccountAwsConfig,
+      region
+    });
+    const {
+      policyText
+    } = await srcEcr.getRepositoryPolicy({
+      registryId,
+      repositoryName
+    }).promise().catch(error => {
+      if (error.name === 'RepositoryPolicyNotFoundException') return {};
+      throw error;
+    });
+    const policy = JSON.parse(policyText || '{}');
+    await srcEcr.setRepositoryPolicy({
+      repositoryName,
+      policyText: JSON.stringify({
+        Version: '2012-10-17',
+        ...policy,
+        Statement: [...(policy.Statement || []), {
+          Effect: 'Allow',
+          Principal: {
+            AWS: [Account]
+          },
+          Action
+        }]
+      }, null, 2)
+    }).promise();
+    log.info(`updated policy on ECR repository ${formatECRRepositoryHostname({
+      registryId,
+      region,
+      repositoryName
+    })}`);
+    return true;
+  }
+  return false;
+}

package/checkECRRepositoryPolicy.d.ts

@@ -0,0 +1,20 @@
+import AWS from 'aws-sdk';
+/**
+ * Checks if the given ECR repository has a sufficient repository
+ * policy to allow the given AWS principal to access docker images.
+ *
+ * If not, prints a warning, and if the terminal is interactive, asks the user if they
+ * would like to add/update the repository policy.
+ */
+export default function checkECRRepositoryPolicy({ ecr, awsConfig, repositoryName, awsPrincipal, Action, log, }: {
+    ecr?: AWS.ECR;
+    awsConfig?: AWS.ConfigurationOptions;
+    repositoryName: string;
+    awsPrincipal: string;
+    Action?: string[];
+    log?: {
+        info: (...args: any[]) => void;
+        warn: (...args: any[]) => void;
+        error: (...args: any[]) => void;
+    };
+}): Promise<boolean>;

package/checkECRRepositoryPolicy.js

@@ -0,0 +1,132 @@
+"use strict";
+
+var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports["default"] = checkECRRepositoryPolicy;
+var _regenerator = _interopRequireDefault(require("@babel/runtime/regenerator"));
+var _toConsumableArray2 = _interopRequireDefault(require("@babel/runtime/helpers/toConsumableArray"));
+var _defineProperty2 = _interopRequireDefault(require("@babel/runtime/helpers/defineProperty"));
+var _asyncToGenerator2 = _interopRequireDefault(require("@babel/runtime/helpers/asyncToGenerator"));
+var _awsSdk = _interopRequireDefault(require("aws-sdk"));
+var _inquirer = _interopRequireDefault(require("inquirer"));
+var _isInteractive = _interopRequireDefault(require("is-interactive"));
+function ownKeys(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
+function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys(Object(t), !0).forEach(function (r) { (0, _defineProperty2["default"])(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; }
+/**
+ * Checks if the given ECR repository has a sufficient repository
+ * policy to allow the given AWS principal to access docker images.
+ *
+ * If not, prints a warning, and if the terminal is interactive, asks the user if they
+ * would like to add/update the repository policy.
+ */
+function checkECRRepositoryPolicy(_x) {
+  return _checkECRRepositoryPolicy.apply(this, arguments);
+}
+function _checkECRRepositoryPolicy() {
+  _checkECRRepositoryPolicy = (0, _asyncToGenerator2["default"])( /*#__PURE__*/_regenerator["default"].mark(function _callee(_ref) {
+    var _policy$Statement, _statementForAction$P;
+    var ecr, awsConfig, repositoryName, awsPrincipal, _ref$Action, Action, _ref$log, log, rootUserMatch, principalAliases, _yield$ecr$getReposit, policyText, policy, statementForAction, statementPrincipal, _yield$inquirer$promp, update, _statementForAction$A, finalPolicy;
+    return _regenerator["default"].wrap(function _callee$(_context) {
+      while (1) switch (_context.prev = _context.next) {
+        case 0:
+          ecr = _ref.ecr, awsConfig = _ref.awsConfig, repositoryName = _ref.repositoryName, awsPrincipal = _ref.awsPrincipal, _ref$Action = _ref.Action, Action = _ref$Action === void 0 ? ['ecr:GetDownloadUrlForLayer', 'ecr:BatchCheckLayerAvailability', 'ecr:BatchGetImage'] : _ref$Action, _ref$log = _ref.log, log = _ref$log === void 0 ? console : _ref$log;
+          rootUserMatch = /^arn:aws:iam::(\d+):root$/.exec(awsPrincipal);
+          if (rootUserMatch) awsPrincipal = rootUserMatch[1];
+          principalAliases = /^(\d+)$/.test(awsPrincipal) ? [awsPrincipal, "arn:aws:iam::".concat(awsPrincipal, ":root")] : [awsPrincipal];
+          if (!ecr) ecr = new _awsSdk["default"].ECR(awsConfig);
+          _context.next = 7;
+          return ecr.getRepositoryPolicy({
+            repositoryName: repositoryName
+          }).promise()["catch"](function (error) {
+            if (error.name === 'RepositoryPolicyNotFoundException') return {};
+            throw error;
+          });
+        case 7:
+          _yield$ecr$getReposit = _context.sent;
+          policyText = _yield$ecr$getReposit.policyText;
+          policy = JSON.parse(policyText || '{}');
+          statementForAction = (_policy$Statement = policy.Statement) === null || _policy$Statement === void 0 ? void 0 : _policy$Statement.find(function (s) {
+            return s.Effect === 'Allow' && Array.isArray(Action) && Action.every(function (a) {
+              var _s$Action;
+              return (_s$Action = s.Action) === null || _s$Action === void 0 ? void 0 : _s$Action.includes(a);
+            });
+          });
+          statementPrincipal = statementForAction === null || statementForAction === void 0 || (_statementForAction$P = statementForAction.Principal) === null || _statementForAction$P === void 0 ? void 0 : _statementForAction$P.AWS;
+          if (!(statementPrincipal && typeof statementPrincipal === 'string' && principalAliases.includes(statementPrincipal) || Array.isArray(statementPrincipal) && statementPrincipal.some(function (s) {
+            return principalAliases.includes(s);
+          }))) {
+            _context.next = 15;
+            break;
+          }
+          // eslint-disable-next-line no-console
+          log.info("Found policy on ECR repository ".concat(repositoryName, " to allow access for AWS Principal ").concat(awsPrincipal, "."));
+          return _context.abrupt("return", true);
+        case 15:
+          // eslint-disable-next-line no-console
+          console.warn("Missing policy on ECR repository ".concat(repositoryName, " to allow access for AWS Principal ").concat(awsPrincipal, ".\n\nThe policy should include:\n\n  ").concat(JSON.stringify({
+            Version: '2012-10-17',
+            Statement: [{
+              Effect: 'Allow',
+              Principal: {
+                AWS: [awsPrincipal]
+              },
+              Action: Action
+            }]
+          }, null, 2).replace(/\n/gm, '\n  '), "\n"));
+          if (!(0, _isInteractive["default"])()) {
+            _context.next = 28;
+            break;
+          }
+          _context.next = 19;
+          return _inquirer["default"].prompt([{
+            name: 'update',
+            message: 'Do you want to add/update the policy?',
+            type: 'confirm',
+            "default": false
+          }]);
+        case 19:
+          _yield$inquirer$promp = _context.sent;
+          update = _yield$inquirer$promp.update;
+          if (!update) {
+            _context.next = 28;
+            break;
+          }
+          finalPolicy = policy;
+          if ((statementForAction === null || statementForAction === void 0 || (_statementForAction$A = statementForAction.Action) === null || _statementForAction$A === void 0 ? void 0 : _statementForAction$A.length) === Action.length) {
+            statementForAction.Principal = _objectSpread(_objectSpread({}, statementForAction.Principal), {}, {
+              AWS: [].concat((0, _toConsumableArray2["default"])(typeof statementPrincipal === 'string' ? [statementPrincipal] : Array.isArray(statementPrincipal) ? statementPrincipal : []), [awsPrincipal])
+            });
+          } else {
+            finalPolicy = _objectSpread(_objectSpread({
+              Version: '2012-10-17'
+            }, policy), {}, {
+              Statement: [].concat((0, _toConsumableArray2["default"])(policy.Statement || []), [{
+                Effect: 'Allow',
+                Principal: {
+                  AWS: [awsPrincipal]
+                },
+                Action: Action
+              }])
+            });
+          }
+          _context.next = 26;
+          return ecr.setRepositoryPolicy({
+            repositoryName: repositoryName,
+            policyText: JSON.stringify(finalPolicy, null, 2)
+          }).promise();
+        case 26:
+          log.info("updated policy on ECR repository ".concat(repositoryName));
+          return _context.abrupt("return", true);
+        case 28:
+          return _context.abrupt("return", false);
+        case 29:
+        case "end":
+          return _context.stop();
+      }
+    }, _callee);
+  }));
+  return _checkECRRepositoryPolicy.apply(this, arguments);
+}
+module.exports = exports.default;

package/checkECRRepositoryPolicy.mjs

@@ -0,0 +1,100 @@
+import AWS from 'aws-sdk';
+import inquirer from 'inquirer';
+import isInteractive from 'is-interactive';
+
+/**
+ * Checks if the given ECR repository has a sufficient repository
+ * policy to allow the given AWS principal to access docker images.
+ *
+ * If not, prints a warning, and if the terminal is interactive, asks the user if they
+ * would like to add/update the repository policy.
+ */
+export default async function checkECRRepositoryPolicy({
+  ecr,
+  awsConfig,
+  repositoryName,
+  awsPrincipal,
+  Action = ['ecr:GetDownloadUrlForLayer', 'ecr:BatchCheckLayerAvailability', 'ecr:BatchGetImage'],
+  log = console
+}) {
+  var _policy$Statement, _statementForAction$P;
+  const rootUserMatch = /^arn:aws:iam::(\d+):root$/.exec(awsPrincipal);
+  if (rootUserMatch) awsPrincipal = rootUserMatch[1];
+  const principalAliases = /^(\d+)$/.test(awsPrincipal) ? [awsPrincipal, `arn:aws:iam::${awsPrincipal}:root`] : [awsPrincipal];
+  if (!ecr) ecr = new AWS.ECR(awsConfig);
+  const {
+    policyText
+  } = await ecr.getRepositoryPolicy({
+    repositoryName
+  }).promise().catch(error => {
+    if (error.name === 'RepositoryPolicyNotFoundException') return {};
+    throw error;
+  });
+  const policy = JSON.parse(policyText || '{}');
+  const statementForAction = (_policy$Statement = policy.Statement) === null || _policy$Statement === void 0 ? void 0 : _policy$Statement.find(s => s.Effect === 'Allow' && Array.isArray(Action) && Action.every(a => {
+    var _s$Action;
+    return (_s$Action = s.Action) === null || _s$Action === void 0 ? void 0 : _s$Action.includes(a);
+  }));
+  const statementPrincipal = statementForAction === null || statementForAction === void 0 || (_statementForAction$P = statementForAction.Principal) === null || _statementForAction$P === void 0 ? void 0 : _statementForAction$P.AWS;
+  if (statementPrincipal && typeof statementPrincipal === 'string' && principalAliases.includes(statementPrincipal) || Array.isArray(statementPrincipal) && statementPrincipal.some(s => principalAliases.includes(s))) {
+    // eslint-disable-next-line no-console
+    log.info(`Found policy on ECR repository ${repositoryName} to allow access for AWS Principal ${awsPrincipal}.`);
+    return true;
+  }
+
+  // eslint-disable-next-line no-console
+  console.warn(`Missing policy on ECR repository ${repositoryName} to allow access for AWS Principal ${awsPrincipal}.
+
+The policy should include:
+
+  ${JSON.stringify({
+    Version: '2012-10-17',
+    Statement: [{
+      Effect: 'Allow',
+      Principal: {
+        AWS: [awsPrincipal]
+      },
+      Action
+    }]
+  }, null, 2).replace(/\n/gm, '\n  ')}
+`);
+  if (isInteractive()) {
+    const {
+      update
+    } = await inquirer.prompt([{
+      name: 'update',
+      message: 'Do you want to add/update the policy?',
+      type: 'confirm',
+      default: false
+    }]);
+    if (update) {
+      var _statementForAction$A;
+      let finalPolicy = policy;
+      if ((statementForAction === null || statementForAction === void 0 || (_statementForAction$A = statementForAction.Action) === null || _statementForAction$A === void 0 ? void 0 : _statementForAction$A.length) === Action.length) {
+        statementForAction.Principal = {
+          ...statementForAction.Principal,
+          AWS: [...(typeof statementPrincipal === 'string' ? [statementPrincipal] : Array.isArray(statementPrincipal) ? statementPrincipal : []), awsPrincipal]
+        };
+      } else {
+        finalPolicy = {
+          Version: '2012-10-17',
+          ...policy,
+          Statement: [...(policy.Statement || []), {
+            Effect: 'Allow',
+            Principal: {
+              AWS: [awsPrincipal]
+            },
+            Action
+          }]
+        };
+      }
+      await ecr.setRepositoryPolicy({
+        repositoryName,
+        policyText: JSON.stringify(finalPolicy, null, 2)
+      }).promise();
+      log.info(`updated policy on ECR repository ${repositoryName}`);
+      return true;
+    }
+  }
+  return false;
+}