From 58e8d4464237db2d769cd39abf241b6ddf783931 Mon Sep 17 00:00:00 2001 From: Steve Sloka Date: Thu, 14 Apr 2016 09:37:42 -0400 Subject: [PATCH] Added extra IAM permissions to download images from AWS ECR --- docs/user-guide/images.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/docs/user-guide/images.md b/docs/user-guide/images.md index b5d324d6d1..e5252ba814 100644 --- a/docs/user-guide/images.md +++ b/docs/user-guide/images.md @@ -66,9 +66,14 @@ in the Pod definition. All users of the cluster who can create pods will be able to run pods that use any of the images in the ECR registry. -The kubelet will fetch and periodically refresh ECR credentials. It needs the -`ecr:GetAuthorizationToken` permission to do this. - +The kubelet will fetch and periodically refresh ECR credentials. It needs the following permissions to do this: +- `ecr:GetAuthorizationToken` +- `ecr:BatchCheckLayerAvailability` +- `ecr:GetDownloadUrlForLayer` +- `ecr:GetRepositoryPolicy` +- `ecr:DescribeRepositories` +- `ecr:ListImages` +- `ecr:BatchGetImage` ### Configuring Nodes to Authenticate to a Private Repository
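Review bot: The added sentence "It needs the following permissions to do this:" still ties the whole list to fetching and refreshing ECR credentials, while the subject line says the extra permissions are for downloading images, so a reader cannot tell which of the seven actions serve which purpose. Consider rewording it along the lines of "The kubelet needs the following permissions to fetch credentials and pull images:", so that an operator writing the node IAM policy can see why each action is granted. Separately, the list starts on the line directly after that sentence, and the blank line before `### Configuring Nodes to Authenticate to a Private Repository` was removed. Keep a blank line before the first `- ` item and after the last one so the list and the heading do not run together when rendered.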