openbraininstitute · heerener · Nov 7, 2025 · Nov 7, 2025
diff --git a/main.tf b/main.tf
@@ -389,6 +389,12 @@ module "private_ecr_github_actions_upload_credentials_launch_system_family" {
   github_repository_name = "launch-system" # it is in the same repo as launch-system, this is not a typo
 }
 
+module "private_ecr_download_credentials_launch_system_family" {
+  source = "./private-ecr-download-credentials"
+
+  ecr_repository_name = "launch-system*"
+}
+
 module "auth_manager" {
   source = "./private-ecr-repo"
 

diff --git a/outputs.tf b/outputs.tf
@@ -148,3 +148,13 @@ output "private_ecr_github_actions_upload_credentials_obi_auth_manager_secret_ac
   value     = module.private_ecr_github_actions_upload_credentials_auth_manager.privateecr_upload_secret_access_key
   sensitive = true
 }
+
+output "private_ecr_download_credentials_launch_family_access_key_id" {
+  value     = module.private_ecr_download_credentials_launch_system_family.access_key_id
+  sensitive = true
+}
+
+output "private_ecr_download_credentials_launch_family_secret_access_key" {
+  value     = module.private_ecr_download_credentials_launch_system_family.secret_access_key
+  sensitive = true
+}
diff --git a/private-ecr-download-credentials/main.tf b/private-ecr-download-credentials/main.tf
@@ -0,0 +1,42 @@
+locals {
+  sanitized_repo_name = replace(var.ecr_repository_name, "*", "")
+  iam_user_name       = "azure_download_${local.sanitized_repo_name}"
+}
+
+resource "aws_iam_user" "download_user" {
+  name = local.iam_user_name
+}
+
+resource "aws_iam_access_key" "ecr_user_access_key" {
+  user = aws_iam_user.download_user.name
+}
+
+resource "aws_iam_policy" "download_policy" {
+  name        = "ecr-download-policy"
+  description = "Policy to allow downloading images from a private ECR"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "ecr:GetDownloadUrlForLayer",
+          "ecr:BatchGetImage",
+          "ecr:BatchCheckLayerAvailability",
+          "ecr:GetAuthorizationToken"
+        ]
+        Resource = ["arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/${var.ecr_repository_name}"]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_user_policy_attachment" "azure_download_policy_attachment" {
+  user       = aws_iam_user.download_user.name
+  policy_arn = aws_iam_policy.download_policy.arn
+}
+
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
diff --git a/private-ecr-download-credentials/outputs.tf b/private-ecr-download-credentials/outputs.tf
@@ -0,0 +1,11 @@
+output "access_key_id" {
+  description = "The access key ID for the IAM user"
+  value       = aws_iam_access_key.ecr_user_access_key.id
+  sensitive   = true
+}
+
+output "secret_access_key" {
+  description = "The secret access key for the IAM user"
+  value       = aws_iam_access_key.ecr_user_access_key.secret
+  sensitive   = true
+}
diff --git a/private-ecr-download-credentials/variables.tf b/private-ecr-download-credentials/variables.tf
@@ -0,0 +1,4 @@
+variable "ecr_repository_name" {
+  description = "Name of the ECR repository"
+  type        = string
+}