aws-cdk: Docker logout after deployment #31943

joepjoosten opened this issue Oct 30, 2024 · 3 comments
Labels
@aws-cdk/aws-ecr Related to Amazon Elastic Container Registry feature-request A feature should be added or improved. p2

Comments

@joepjoosten

Describe the bug

When using aws-cdk with other tools (e.g. serverless in a monorepo), using a docker deployment artifact that uses ECR to upload, the aws-cdk stays signed in with the created role for ECR (CustomCDKECRDeployment role). This causes issues when using other tools that use a different ECR repository. They detect that docker is signed into the https://.dkr.ecr.eu-central-1.amazonaws.com repository, and don't log in themselves. But the CustomCDKECRDeployment role is too restricted to use this login.

So it's best to log out after the CDK deployment process is done. This can be done with a docker logout https://<account-id>.dkr.ecr.eu-central-1.amazonaws.com.

I've also opened a ticket in the serverless project to do the same, so there is no conflict.

Related
serverless/serverless#12895

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

Log out of ECR(s) when done with deployment

Current Behavior

Stays logged in after deployment.

Reproduction Steps

Do a deployment with a docker asset that is pushed to an ECR repo.
Try to push a docker image to another repository in the same account manually, or with another framework like serverless, without docker logout. This will not work, because the system is still logged in with the CustomCDKECRDeployment role.

Possible Solution

Log out of the ECR(s) with docker logout https://<account-id>.dkr.ecr.eu-central-1.amazonaws.com

Additional Information/Context

No response

CDK CLI Version

2.143.0

Framework Version

No response

Node.js Version

node 22

OS

macos

Language

TypeScript

Language Version

No response

Other information

No response

@joepjoosten joepjoosten added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 30, 2024
@github-actions github-actions bot added the @aws-cdk/aws-ecr Related to Amazon Elastic Container Registry label Oct 30, 2024
@pahud
Contributor

pahud commented Oct 30, 2024

Self-assigning this issue and will dive a little bit deeper here.

@pahud pahud added p3 feature-request A feature should be added or improved. and removed needs-triage This issue or PR still needs to be triaged. bug This issue is a bug. labels Oct 30, 2024
@pahud pahud assigned pahud and unassigned pahud Oct 30, 2024
@pahud pahud added p2 and removed p3 labels Oct 30, 2024
@pahud
Contributor

pahud commented Oct 30, 2024

Hi @joepjoosten

For the 3rd tool - I think that tool should always aws ecr get-login ... | docker login ... to ensure it's using correct permission.

For CDK, we will investigate if we should explicitly docker logout to reduce some other risk.

Thank you for the feedback.

@mrgrain
Contributor

mrgrain commented Nov 13, 2024

Thanks for reporting. This seems like a reasonable p2 feature request. In the meantime you can run docker logout.
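The workaround discussed in this thread, as an added example that is not part of aws-cdk or of any comment above: a shell wrapper that runs a deploy command and then logs Docker out of every ECR registry recorded in the client config, so no narrowly scoped ECR login is left behind for the next tool. The function names are hypothetical, and it assumes the login is recorded in config.json under $DOCKER_CONFIG or ~/.docker.

```shell
#!/usr/bin/env bash
# Added example: hypothetical helper names, not part of aws-cdk.

# Print each ECR registry host mentioned in the Docker client config.
# $1: path to config.json (default: $DOCKER_CONFIG/config.json or ~/.docker/config.json)
# Limitation: scans the whole file, so a registry named only under
# "credHelpers" is listed as well.
list_ecr_logins() {
  local cfg="${1:-${DOCKER_CONFIG:-$HOME/.docker}/config.json}"
  [ -f "$cfg" ] || return 0
  grep -oE '[0-9]{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com(\.cn)?' "$cfg" | sort -u
}

# Run `docker logout https://<registry>` for every registry found.
# Set DOCKER=echo for a dry run that only prints the commands.
logout_ecr_logins() {
  local cfg="${1:-}"
  local host
  local rc=0
  for host in $(list_ecr_logins "$cfg"); do
    "${DOCKER:-docker}" logout "https://$host" || rc=1
  done
  return "$rc"
}

# Run a command, then log out of ECR whether or not the command succeeded.
# The wrapped command's exit status is preserved.
with_ecr_logout() {
  local rc=0
  "$@" || rc=$?
  logout_ecr_logins || true
  return "$rc"
}

# Usage (after sourcing this file):
#   with_ecr_logout npx cdk deploy
```

Tools that run afterwards then find no existing ECR login and authenticate with their own credentials.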
