Adding a role to CodeBuild to access ECR

I want to grant a policy to CodeBuild so it can push to an ECR repository.

But what policy should I give it?

I can do this manually in the AWS web console, but I am not clear on how to do it in CDK:

```typescript
import * as codebuild from 'aws-cdk-lib/aws-codebuild';
import * as iam from 'aws-cdk-lib/aws-iam';

const buildProject = new codebuild.PipelineProject(this, 'buildproject', {
  environment: {
    buildImage: codebuild.LinuxBuildImage.STANDARD_4_0,
    privileged: true,
  },
  buildSpec: codebuild.BuildSpec.fromSourceFilename('./buildspec.yml'),
});
buildProject.addToRolePolicy(new iam.PolicyStatement({
  resources: [/* what should be here? */],
  actions: ['ecr:GetAuthorizationToken'],
}));
```

Just `myRepository.grantPullPush(buildProject)`.

Reference: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecr.Repository.html#grantwbrpullwbrpushgrantee

That abstracts away the contents of the policy.
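For readers who still want to see what the grant abstracts away, the following is an added example (not from the question, the answer, or the CDK source) in plain TypeScript with no aws-cdk-lib dependency: it builds the two statements that a pull/push grant on one repository amounts to (the auth token is only issued against resource `*`, everything else is scoped to the repository ARN) and includes a small least-privilege check that flags any other action granted on `*`. The repository ARN is a constructed placeholder.

```typescript
// Added example: models the shape of an ECR pull/push grant without aws-cdk-lib.
interface PolicyStatement {
  actions: string[];
  resources: string[];
}

// Actions that can and should be scoped to the repository ARN.
const ECR_PULL_ACTIONS = [
  'ecr:BatchCheckLayerAvailability',
  'ecr:GetDownloadUrlForLayer',
  'ecr:BatchGetImage',
];
const ECR_PUSH_ACTIONS = [
  'ecr:PutImage',
  'ecr:InitiateLayerUpload',
  'ecr:UploadLayerPart',
  'ecr:CompleteLayerUpload',
];

// The one action that cannot be scoped: `docker login` needs a registry-wide token.
const AUTH_TOKEN_ACTION = 'ecr:GetAuthorizationToken';

// Returns the statements a CodeBuild role needs to pull from and push to one repository.
function ecrPullPushStatements(repositoryArn: string): PolicyStatement[] {
  return [
    { actions: [AUTH_TOKEN_ACTION], resources: ['*'] },
    { actions: [...ECR_PULL_ACTIONS, ...ECR_PUSH_ACTIONS], resources: [repositoryArn] },
  ];
}

// Least-privilege check: a wildcard resource is acceptable only for the auth-token action.
// Any statement that grants something else on "*" is returned so it can be reviewed.
function overBroadStatements(statements: PolicyStatement[]): PolicyStatement[] {
  return statements.filter(
    (s) => s.resources.includes('*') && s.actions.some((a) => a !== AUTH_TOKEN_ACTION),
  );
}

// Constructed placeholder ARN, not a real account or repository.
const EXAMPLE_REPO_ARN = 'arn:aws:ecr:us-east-1:123456789012:repository/my-repo';

// The hand-written alternative from the question, with "*" used for everything, fails the check.
const HAND_WRITTEN: PolicyStatement[] = [
  { actions: [AUTH_TOKEN_ACTION, 'ecr:PutImage'], resources: ['*'] },
];

console.log(overBroadStatements(ecrPullPushStatements(EXAMPLE_REPO_ARN)).length); // 0
console.log(overBroadStatements(HAND_WRITTEN).length); // 1
```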