
AppStagingSynthesizer: Execution role misses ECR access #27007

Open
elgohr opened this issue Sep 5, 2023 · 4 comments
Labels
@aws-cdk/app-staging-synthesizer-alpha Related to the @aws-cdk/app-staging-synthesizer-alpha package bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@elgohr

elgohr commented Sep 5, 2023

Describe the bug

Using AppStagingSynthesizer, Lambda execution roles miss access to ECR. In this way Lambdas fail after a while with "The function does not have permission to access the specified image."
[screenshot]

Expected Behavior

Access to ECR, so that images can be pulled to Lambda.

Current Behavior

No access to ECR

Reproduction Steps

Deploy a lambda, wait.

CDK CLI Version

2.94.0 (build 987c329)

Node.js Version

v18.17.1

OS

Mac OS

Language

Typescript

@elgohr elgohr added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 5, 2023
@github-actions github-actions bot added the @aws-cdk/app-staging-synthesizer-alpha Related to the @aws-cdk/app-staging-synthesizer-alpha package label Sep 5, 2023
@peterwoodworth
Contributor

Can you please provide reproduction code? Thanks.

@peterwoodworth peterwoodworth added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Sep 5, 2023
@elgohr
Author

elgohr commented Sep 6, 2023

@peterwoodworth just use a DockerImageFunction within

import { App } from 'aws-cdk-lib';
import { AppStagingSynthesizer } from '@aws-cdk/app-staging-synthesizer-alpha';

// App wired to the alpha AppStagingSynthesizer; put a DockerImageFunction in a stack of this app
const app = new App({
  defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({
    appId: 'any',
    autoDeleteStagingAssets: false,
  }),
});

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Sep 6, 2023
@peterwoodworth
Contributor

I'm not sure I'm seeing the behavior I should be seeing. I tried both fromEcr and fromImageAsset and wasn't able to reproduce the same error you did. Reproduction steps complete with code and a simplified docker image would really help.

@peterwoodworth peterwoodworth added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Sep 6, 2023
@elgohr
Author

elgohr commented Sep 7, 2023

You have to wait until the Lambda gets inactive. Afterwards the deployment role isn't allowed to load the image.
Tracked it down to the ECR policy. Adding DeploymentUser to the policy fixes the issue.

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "DeploymentUser",
      "Effect": "Allow",
      "Principal": {
        "AWS": "cdk-hnb659fds-cfn-exec-role-...."
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:DeleteRepositoryPolicy",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:SetRepositoryPolicy"
      ]
    },
    {
      "Sid": "LambdaECRImageRetrievalPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:DeleteRepositoryPolicy",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:SetRepositoryPolicy"
      ],
      "Condition": {
        "StringLike": {
          "aws:sourceArn": "arn:aws:lambda:eu-west-1:....:function:*"
        }
      }
    }
  ]
}

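A way to check for the repository-policy gap described in the comment above, added here as an example (it is not code from the issue or from the aws-cdk project): it evaluates which ECR actions a repository policy grants to a given principal, and shows that without the DeploymentUser statement the CloudFormation execution role cannot pull, while adding that statement as the comment describes makes it possible. The account id and execution-role ARN are placeholders, and the sample policy is constructed from the one in the comment.

```python
import fnmatch
import json

# Actions a Lambda container function needs in order to pull its image.
PULL_ACTIONS = {"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"}

# Constructed sample, not a real policy: the issue's policy minus "DeploymentUser"; ids are placeholders.
EXEC_ROLE = "arn:aws:iam::111111111111:role/cdk-PLACEHOLDER-cfn-exec-role"
LAMBDA_ONLY_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Sid": "LambdaECRImageRetrievalPolicy", "Effect": "Allow",
    "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": sorted(PULL_ACTIONS),
    "Condition": {"StringLike": {"aws:sourceArn": "arn:aws:lambda:eu-west-1:111111111111:function:*"}},
}]})

def with_deployment_user(policy_json, role_arn):
    """The issue's fix: also allow the CloudFormation execution role to pull."""
    policy = json.loads(policy_json)
    policy["Statement"].append({"Sid": "DeploymentUser", "Effect": "Allow",
        "Principal": {"AWS": role_arn}, "Action": sorted(PULL_ACTIONS)})
    return json.dumps(policy)

def _principal_matches(principal, caller):
    # caller is {'AWS': role_arn} or {'Service': 'lambda.amazonaws.com'}
    for kind, values in principal.items():
        values = values if isinstance(values, list) else [values]
        if "*" in values or caller.get(kind) in values:
            return True
    return False

def _condition_matches(condition, context):
    # Only StringLike is modelled (the operator this policy uses); its * and ? map onto fnmatch.
    for key, pattern in condition.get("StringLike", {}).items():
        if not fnmatch.fnmatchcase(context.get(key, ""), pattern):
            return False
    return True

def allowed_actions(policy_json, caller, context=None):
    """Actions the Allow statements grant to `caller`; explicit Deny is not modelled."""
    granted = set()
    for stmt in json.loads(policy_json)["Statement"]:
        if (stmt.get("Effect") == "Allow"
                and _principal_matches(stmt["Principal"], caller)
                and _condition_matches(stmt.get("Condition", {}), context or {})):
            actions = stmt["Action"]
            granted.update(actions if isinstance(actions, list) else [actions])
    return granted

def can_pull(policy_json, caller, context=None):
    return PULL_ACTIONS <= allowed_actions(policy_json, caller, context)
```

The Lambda service principal is only granted when the request context carries a matching aws:sourceArn, so the check takes that context as a separate argument.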
@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Sep 7, 2023
@peterwoodworth peterwoodworth added p1 effort/small Small work item – less than a day of effort labels Sep 7, 2023
@pahud pahud added p2 and removed p1 labels Jun 11, 2024