From e0cea013038569d092f025c2973676fdb66227e0 Mon Sep 17 00:00:00 2001
From: Joep Joosten
Date: Fri, 31 May 2024 13:11:16 +0000
Subject: [PATCH] Added trusted account policy to ContainerAssetsRepository, so it possible to push
---
 .../lib/api/bootstrap/bootstrap-template.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
index 6d4ec2323efbd..70cd0c1586710 100644
--- a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
+++ b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
@@ -272,6 +272,23 @@ Resources:
 Condition:
 StringLike:
 "aws:sourceArn": { "Fn::Sub": "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:*" }
+ - Fn::If:
+ - HasTrustedAccounts
+ - Effect: Allow
+ Action:
+ - ecr:PutImage
+ - ecr:InitiateLayerUpload
+ - ecr:UploadLayerPart
+ - ecr:CompleteLayerUpload
+ - ecr:BatchCheckLayerAvailability
+ - ecr:DescribeRepositories
+ - ecr:DescribeImages
+ - ecr:BatchGetImage
+ - ecr:GetDownloadUrlForLayer
+ Principal:
+ AWS:
+ Ref: TrustedAccounts
+ - Ref: AWS::NoValue
 FilePublishingRole:
 Type: AWS::IAM::Role
 Properties:
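Review bot: The new statement names the trusted accounts themselves as `Principal` (`AWS: Ref: TrustedAccounts`), so the push actions (`ecr:PutImage` and the three layer-upload actions) are open to every identity in those accounts whose own IAM policy allows them, not only to a dedicated publishing role. Since this repository presumably holds the images that deployments later pull, write access is worth narrowing: either keep the account principal and add a condition such as `Condition: { ArnLike: { "aws:PrincipalArn": "<ARN pattern of the publishing role>" } }`, or split the statement so that trusted accounts get only the read actions here. The statement also has no `Sid` or comment; a line like `# Lets trusted accounts push and pull asset images without assuming a role in this account` above the `Fn::If` would record the intent. The enclosing statement list and the `HasTrustedAccounts` condition are defined outside the hunk, so this assumes the condition is true only when `TrustedAccounts` is non-empty.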