cloud-custodian · thisisshi · Mar 4, 2019 · Jun 8, 2019 · Jun 8, 2019 · kapilt
diff --git a/c7n/resources/ecr.py b/c7n/resources/ecr.py
@@ -16,7 +16,7 @@
 import json
 
 from c7n.actions import RemovePolicyBase, Action
-from c7n.exceptions import PolicyValidationError
+from c7n.exceptions import PolicyValidationError, ClientError
 from c7n.filters import CrossAccountAccessFilter, Filter, ValueFilter
 from c7n.manager import resources
 from c7n.query import QueryResourceManager
@@ -104,11 +104,18 @@ def process(self, resources, event=None):
         client = local_session(self.manager.session_factory).client('ecr')
 
         def _augment(r):
+            if 'Policy' in r:
+                return r
             try:
                 r['Policy'] = client.get_repository_policy(
                     repositoryName=r['repositoryName'])['policyText']
             except client.exceptions.RepositoryPolicyNotFoundException:
                 return None
+            except ClientError as e:
+                if e.response['Error']['Code'] == 'AccessDeniedException':
+                    self.log.warning('Access Denied on GetRepositoryPolicy for repository: %s' %
+                        r['repositoryName'])
+                    return None
             return r
 
         self.log.debug("fetching policy for %d repos" % len(resources))
@@ -212,6 +219,11 @@ def process(self, resources, event=None):
                             'lifecyclePolicyText', ''))
             except client.exceptions.LifecyclePolicyNotFoundException:
                 r[self.policy_annotation] = {}
+            except ClientError as e:
+                if e.response['Error']['Code'] == 'AccessDeniedException':
+                    self.log.warning('Access Denied on GetLifecyclePolicy for repository: %s' %
+                        r['repositoryName'])
+                    r[self.policy_annotation] = {}
 
         state = self.data.get('state', False)
         matchers = []
@@ -319,6 +331,13 @@ def process_resource(self, client, resource):
                     repositoryName=resource['repositoryName'])['policyText']
             except client.exceptions.RepositoryPolicyNotFoundException:
                 return
+            except ClientError as e:
+                if e.response['Error']['Code'] == 'AccessDeniedException':
+                    self.log.warning('Access Denied on GetRepositoryPolicy for repository: %s' %
+                        resource['repositoryName'])
+                    return None
+                else:
+                    raise
 
         p = json.loads(resource['Policy'])
         statements, found = self.process_policy(