Add ecr:BatchGetImage permission to helm-publish workflow (#759)

yerzhan7 · web-flow · commit 377ccf8e0b88 · 2026-03-25T18:26:54.000Z
diff --git a/.github/workflows/helm-publish.yaml b/.github/workflows/helm-publish.yaml
@@ -46,7 +46,6 @@ jobs:
         with:
           role-to-assume: ${{ vars.IAM_ROLE }}
           aws-region: ${{ vars.AWS_REGION }}
-          # We only need valid credentials for authentication with ECR, so only ecr:GetAuthorizationToken.
           inline-session-policy: >-
             {
               "Version": "2012-10-17",
@@ -56,6 +55,12 @@ jobs:
                   "Effect":"Allow",
                   "Action":"ecr:GetAuthorizationToken",
                   "Resource":"*"
+                },
+                {
+                  "Sid":"AllowECRRead",
+                  "Effect": "Allow",
+                  "Action": "ecr:BatchGetImage",
+                  "Resource": "arn:aws:ecr:us-east-1:602401143452:repository/eks/*"
                 }
               ]
             }
diff --git a/scripts/verify-helm-images.sh b/scripts/verify-helm-images.sh
@@ -16,7 +16,7 @@ set -euo pipefail
 #   - yq: YAML processor (https://github.com/mikefarah/yq)
 #   - crane: Container registry tool (https://github.com/google/go-containerregistry/tree/main/cmd/crane)
 #
-# Note: AWS credentials are required with any ecr:GetAuthorizationToken permission to access EKS add-on repositories.
+# Note: AWS credentials are required with ecr:GetAuthorizationToken and ecr:BatchGetImage permissions to access EKS add-on repositories.
 
 CHART_DIR="charts/aws-mountpoint-s3-csi-driver"
 VALUES_FILE="${CHART_DIR}/values.yaml"

Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,6 @@ jobs:`
`46`	`46`	`with:`
`47`	`47`	`role-to-assume: ${{ vars.IAM_ROLE }}`
`48`	`48`	`aws-region: ${{ vars.AWS_REGION }}`
`49`		`- # We only need valid credentials for authentication with ECR, so only ecr:GetAuthorizationToken.`
`50`	`49`	`inline-session-policy: >-`
`51`	`50`	`{`
`52`	`51`	`"Version": "2012-10-17",`
`@@ -56,6 +55,12 @@ jobs:`
`56`	`55`	`"Effect":"Allow",`
`57`	`56`	`"Action":"ecr:GetAuthorizationToken",`
`58`	`57`	`"Resource":"*"`
	`58`	`+ },`
	`59`	`+ {`
	`60`	`+ "Sid":"AllowECRRead",`
	`61`	`+ "Effect": "Allow",`
	`62`	`+ "Action": "ecr:BatchGetImage",`
	`63`	`+ "Resource": "arn:aws:ecr:us-east-1:602401143452:repository/eks/*"`
`59`	`64`	`}`
`60`	`65`	`]`
`61`	`66`	`}`
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ set -euo pipefail`
`16`	`16`	`# - yq: YAML processor (https://github.com/mikefarah/yq)`
`17`	`17`	`# - crane: Container registry tool (https://github.com/google/go-containerregistry/tree/main/cmd/crane)`
`18`	`18`	`#`
`19`		`-# Note: AWS credentials are required with any ecr:GetAuthorizationToken permission to access EKS add-on repositories.`
	`19`	`+# Note: AWS credentials are required with ecr:GetAuthorizationToken and ecr:BatchGetImage permissions to access EKS add-on repositories.`
`20`	`20`
`21`	`21`	`CHART_DIR="charts/aws-mountpoint-s3-csi-driver"`
`22`	`22`	`VALUES_FILE="${CHART_DIR}/values.yaml"`