feat(webapp): apply default repository policy on ECR repo creation

ThullyoCunha · ThullyoCunha · commit 2492a30ea38d · 2026-04-28T18:12:28.000-03:00
Self-hosters that run the webapp's ECR account separately from their EKS
worker account hit a 403 Forbidden on every new project's first run:
`ensureEcrRepositoryExists` calls CreateRepository but never sets a
repository policy, so kubelet can't pull the runner image cross-account.

Add an optional `DEPLOY_REGISTRY_ECR_DEFAULT_REPOSITORY_POLICY` env
var (raw IAM policy JSON, V4 mirror as well). When set, the webapp
calls SetRepositoryPolicy after CreateRepository, baking the operator's
cross-account pull rule into every new repo automatically.

Existing repos are unaffected — they keep their current policy.
Cloud is unaffected — the env var is optional and unset by default.

Verified locally against a self-host on EKS with cross-account ECR:
without the policy, runners stayed in ImagePullBackOff with 403; with
it, the same flow completes a hello-world run end-to-end in ~5s.
diff --git a/apps/webapp/app/env.server.ts b/apps/webapp/app/env.server.ts
@@ -300,6 +300,7 @@ const EnvironmentSchema = z
     DEPLOY_REGISTRY_ECR_TAGS: z.string().optional(), // csv, for example: "key1=value1,key2=value2"
     DEPLOY_REGISTRY_ECR_ASSUME_ROLE_ARN: z.string().optional(),
     DEPLOY_REGISTRY_ECR_ASSUME_ROLE_EXTERNAL_ID: z.string().optional(),
+    DEPLOY_REGISTRY_ECR_DEFAULT_REPOSITORY_POLICY: z.string().optional(), // raw IAM policy JSON applied to every repo created by the webapp
 
     // Deployment registry (v4) - falls back to v3 registry if not specified
     V4_DEPLOY_REGISTRY_HOST: z
@@ -332,6 +333,10 @@ const EnvironmentSchema = z
       .string()
       .optional()
       .transform((v) => v ?? process.env.DEPLOY_REGISTRY_ECR_ASSUME_ROLE_EXTERNAL_ID),
+    V4_DEPLOY_REGISTRY_ECR_DEFAULT_REPOSITORY_POLICY: z
+      .string()
+      .optional()
+      .transform((v) => v ?? process.env.DEPLOY_REGISTRY_ECR_DEFAULT_REPOSITORY_POLICY),
 
     // Compute gateway (template creation during deploy finalize)
     COMPUTE_GATEWAY_URL: z.string().optional(),
diff --git a/apps/webapp/app/v3/getDeploymentImageRef.server.ts b/apps/webapp/app/v3/getDeploymentImageRef.server.ts
@@ -8,6 +8,7 @@ import {
   GetAuthorizationTokenCommand,
   PutLifecyclePolicyCommand,
   PutImageTagMutabilityCommand,
+  SetRepositoryPolicyCommand,
 } from "@aws-sdk/client-ecr";
 import { STSClient, AssumeRoleCommand } from "@aws-sdk/client-sts";
 import { tryCatch } from "@trigger.dev/core";
@@ -138,6 +139,7 @@ export async function getDeploymentImageRef({
         roleArn: registry.ecrAssumeRoleArn,
         externalId: registry.ecrAssumeRoleExternalId,
       },
+      defaultRepositoryPolicy: registry.ecrDefaultRepositoryPolicy,
     })
   );
 
@@ -219,12 +221,14 @@ async function createEcrRepository({
   accountId,
   registryTags,
   assumeRole,
+  defaultRepositoryPolicy,
 }: {
   repositoryName: string;
   region: string;
   accountId?: string;
   registryTags?: string;
   assumeRole?: AssumeRoleConfig;
+  defaultRepositoryPolicy?: string;
 }): Promise<Repository> {
   const ecr = await createEcrClient({ region, assumeRole });
 
@@ -262,6 +266,20 @@ async function createEcrRepository({
     })
   );
 
+  // Apply an operator-provided IAM policy to the new repository. Useful for
+  // self-hosters whose ECR account is separate from the account running the
+  // EKS workers — without this the workers get 403 Forbidden when pulling the
+  // task image (default ECR policy only grants access to the registry owner).
+  if (defaultRepositoryPolicy) {
+    await ecr.send(
+      new SetRepositoryPolicyCommand({
+        repositoryName: result.repository.repositoryName,
+        registryId: result.repository.registryId,
+        policyText: defaultRepositoryPolicy,
+      })
+    );
+  }
+
   return result.repository;
 }
 
@@ -386,11 +404,13 @@ async function ensureEcrRepositoryExists({
   registryHost,
   registryTags,
   assumeRole,
+  defaultRepositoryPolicy,
 }: {
   repositoryName: string;
   registryHost: string;
   registryTags?: string;
   assumeRole?: AssumeRoleConfig;
+  defaultRepositoryPolicy?: string;
 }): Promise<{ repo: Repository; repoCreated: boolean }> {
   const { region, accountId } = parseEcrRegistryDomain(registryHost);
 
@@ -428,7 +448,14 @@ async function ensureEcrRepositoryExists({
   }
 
   const [createRepoError, newRepo] = await tryCatch(
-    createEcrRepository({ repositoryName, region, accountId, registryTags, assumeRole })
+    createEcrRepository({
+      repositoryName,
+      region,
+      accountId,
+      registryTags,
+      assumeRole,
+      defaultRepositoryPolicy,
+    })
   );
 
   if (createRepoError) {
diff --git a/apps/webapp/app/v3/registryConfig.server.ts b/apps/webapp/app/v3/registryConfig.server.ts
@@ -8,6 +8,7 @@ export type RegistryConfig = {
   ecrTags?: string;
   ecrAssumeRoleArn?: string;
   ecrAssumeRoleExternalId?: string;
+  ecrDefaultRepositoryPolicy?: string;
 };
 
 export function getRegistryConfig(isV4Deployment: boolean): RegistryConfig {
@@ -20,6 +21,7 @@ export function getRegistryConfig(isV4Deployment: boolean): RegistryConfig {
       ecrTags: env.V4_DEPLOY_REGISTRY_ECR_TAGS,
       ecrAssumeRoleArn: env.V4_DEPLOY_REGISTRY_ECR_ASSUME_ROLE_ARN,
       ecrAssumeRoleExternalId: env.V4_DEPLOY_REGISTRY_ECR_ASSUME_ROLE_EXTERNAL_ID,
+      ecrDefaultRepositoryPolicy: env.V4_DEPLOY_REGISTRY_ECR_DEFAULT_REPOSITORY_POLICY,
     };
   }
 
@@ -31,5 +33,6 @@ export function getRegistryConfig(isV4Deployment: boolean): RegistryConfig {
     ecrTags: env.DEPLOY_REGISTRY_ECR_TAGS,
     ecrAssumeRoleArn: env.DEPLOY_REGISTRY_ECR_ASSUME_ROLE_ARN,
     ecrAssumeRoleExternalId: env.DEPLOY_REGISTRY_ECR_ASSUME_ROLE_EXTERNAL_ID,
+    ecrDefaultRepositoryPolicy: env.DEPLOY_REGISTRY_ECR_DEFAULT_REPOSITORY_POLICY,
   };
 }
diff --git a/docs/self-hosting/env/webapp.mdx b/docs/self-hosting/env/webapp.mdx
@@ -76,6 +76,7 @@ mode: "wide"
 | `DEPLOY_REGISTRY_USERNAME`                       | No       | —                     | Deploy registry username.                                                                                          |
 | `DEPLOY_REGISTRY_PASSWORD`                       | No       | —                     | Deploy registry password.                                                                                          |
 | `DEPLOY_REGISTRY_NAMESPACE`                      | No       | trigger               | Deploy registry namespace.                                                                                         |
+| `DEPLOY_REGISTRY_ECR_DEFAULT_REPOSITORY_POLICY`  | No       | —                     | Raw IAM policy JSON applied via SetRepositoryPolicy to every ECR repo created by the webapp. Use to grant cross-account pull access to EKS workers when the ECR account is separate from the cluster account. |
 | `DEPLOY_IMAGE_PLATFORM`                          | No       | linux/amd64           | Deploy image platform, same values as docker `--platform` flag.                                                    |
 | `DEPLOY_TIMEOUT_MS`                              | No       | 480000 (8m)           | Deploy timeout (ms).                                                                                               |
 | **Object store (S3)**                            |          |                       |                                                                                                                    |
