ecr:GetDownloadUrlForLayer

Literal appearances in AWS managed IAM policies. Statements that use wildcards (for example s3:*) are not counted here. This is not an IAM authorization simulation.

Policies (any)

Allow (Action)

Deny (Action)

NotAction

Index generated 4/7/2026, 3:29:24 AM. 559 policies include at least one wildcard action string (any service).

Action reference

SAR-style (unofficial)

Service: Amazon Elastic Container Registry

Access level

Read

Description

Grants permission to retrieve the download URL corresponding to an image layer

Resource types

repository*

Allow (Action)

AWSAppRunnerServicePolicyForECRAccess
AWSECRPullThroughCache_ServiceRolePolicy
AWSRefactoringToolkitFullAccess
AmazonBraketFullAccess
AmazonBraketJobsExecutionPolicy
AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary
AmazonEC2ContainerRegistryPowerUser
AmazonEC2ContainerRegistryPullOnly
AmazonEC2ContainerRegistryReadOnly
AmazonEC2ContainerServiceforEC2Role
AmazonECSTaskExecutionRolePolicy
AmazonEKSFargatePodExecutionRolePolicy
AmazonEKSLocalOutpostClusterPolicy
AmazonInspector2ServiceRolePolicy
AmazonRedshiftAllCommandsFullAccess
AmazonSageMakerCanvasFullAccess
AmazonSageMakerFullAccess
AmazonSageMakerHyperPodInferenceAccess
AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy
EC2InstanceProfileForImageBuilderECRContainerBuilds
ROSAWorkerInstancePolicy
SageMakerStudioAdminIAMDefaultExecutionPolicy
SageMakerStudioAdminIAMPermissiveExecutionPolicy
SageMakerStudioProjectProvisioningRolePolicy
SageMakerStudioProjectRoleMachineLearningPolicy
SageMakerStudioProjectUserRolePermissionsBoundary
SageMakerStudioUserIAMDefaultExecutionPolicy
SageMakerStudioUserIAMPermissiveExecutionPolicy

Deny (Action)

None

NotAction

AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary
SageMakerStudioProjectUserRolePermissionsBoundary

Thanks to Ian McKay for iam-dataset (MIT), structured data derived from the AWS Service Authorization Reference. Not maintained by AWS and not guaranteed current. IAMTrail's managed policy archive is separate.

Definitions bundle generated 4/7/2026, 3:29:24 AM