aws · mergify · Apr 8, 2024 · Apr 8, 2024 · Apr 8, 2024 · Apr 8, 2024
diff --git a/packages/aws-cdk-lib/aws-ecr-assets/README.md b/packages/aws-cdk-lib/aws-ecr-assets/README.md
@@ -207,8 +207,7 @@ method. This will modify the IAM policy of the principal to allow it to
 pull images from this repository.
 
 If the pulling principal is not in the same account or is an AWS service that
-doesn't assume a role in your account (e.g. AWS CodeBuild), pull permissions
-must be granted on the __resource policy__ (and not on the principal's policy).
-To do that, you can use `asset.repository.addToResourcePolicy(statement)` to
-grant the desired principal the following permissions: "ecr:GetDownloadUrlForLayer",
+doesn't assume a role in your account (e.g. AWS CodeBuild), you must either copy the image to a new repository, or
+grant pull permissions on the resource policy of the repository. Since the repository is managed by the CDK bootstrap stack,
+the following permissions must be granted there, or granted manually on the repository: "ecr:GetDownloadUrlForLayer", 
 "ecr:BatchGetImage" and "ecr:BatchCheckLayerAvailability".