From abb5af642c5abde05e49dd92538a6a215d96147c Mon Sep 17 00:00:00 2001
From: nickgardner-amazon
Date: Mon, 8 Apr 2024 14:11:46 -0700
Subject: [PATCH] docs(ecr-assets): fixes documentation for cross-account access to dockerImageAsset ECR repository (#29766)

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

#13327 (Only a docs update, does not fix the underlying issue)

### Reason for this change

In cdkv2, it is no longer possible to add permissions on the repository for `dockerImageAsset`, but the docs were not updated.

### Description of changes

Updates documentation for aws-ecr-assets. Mentions that it is no longer possible to grant repository permissions on `dockerImageAsset` for cross-account access and provides possible alternate routes.

### Description of how you validated changes

Rebuild the affected doc. No, docs change only

### Checklist

- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 packages/aws-cdk-lib/aws-ecr-assets/README.md | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/packages/aws-cdk-lib/aws-ecr-assets/README.md b/packages/aws-cdk-lib/aws-ecr-assets/README.md
index 1cd855f0ea51f..b9d43f2aedbde 100644
--- a/packages/aws-cdk-lib/aws-ecr-assets/README.md
+++ b/packages/aws-cdk-lib/aws-ecr-assets/README.md
@@ -207,8 +207,7 @@ method. This will modify the IAM policy of the principal to allow it to pull images from this repository. If the pulling principal is not in the same account or is an AWS service that -doesn't assume a role in your account (e.g. AWS CodeBuild), pull permissions -must be granted on the __resource policy__ (and not on the principal's policy). -To do that, you can use `asset.repository.addToResourcePolicy(statement)` to -grant the desired principal the following permissions: "ecr:GetDownloadUrlForLayer", +doesn't assume a role in your account (e.g. AWS CodeBuild), you must either copy the image to a new repository, or +grant pull permissions on the resource policy of the repository. Since the repository is managed by the CDK bootstrap stack, +the following permissions must be granted there, or granted manually on the repository: "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" and "ecr:BatchCheckLayerAvailability".
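Review bot: The replacement text in this hunk drops the concrete `asset.repository.addToResourcePolicy(statement)` instruction but does not say where the grant now goes; "the following permissions must be granted there, or granted manually on the repository" leaves "there" undefined. Suggest naming the location explicitly, e.g. "added to the repository's resource policy in the CDK bootstrap template, or applied manually to that repository", and stating the consequence that follows from the text's own point that the repository belongs to the bootstrap stack rather than to this asset: a resource-policy grant made on it applies to every image published to that repository, not just this `dockerImageAsset`, so the "copy the image to a new repository" option the hunk introduces is the narrower grant and could be recommended first. Minor: the three added lines run well past the wrap width of the surrounding README paragraph (the removed lines were wrapped at roughly 80 columns); re-wrapping them would keep the rendered Markdown source consistent.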