Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

(aws-ecr-assets): DockerImageAsset.repository is not really a repository (e.g. grants result in a no-op) #13327

Closed
JFox opened this issue Mar 1, 2021 · 5 comments
Labels
@aws-cdk/assets Related to the @aws-cdk/assets package @aws-cdk/aws-ecr-assets Related to AWS CDK Docker Image Assets bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. effort/small Small work item – less than a day of effort p1

Comments

@JFox
Copy link

JFox commented Mar 1, 2021

When adding pull permissions as stated in the docs, the result is a no-op

Reproduction Steps

const myAsset = new DockerImageAsset(this, "MyAsset", {
  directory: path.join(process.cwd(), "docker", "my-asset"),
});
myAsset.repository.addToResourcePolicy(
  new PolicyStatement({
    principals: [
      new AccountPrincipal("123123123"),
      new AccountPrincipal("78667867"),
    ],
    actions: [
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
    ],
  }),
);

What did you expect to happen?

ECR repo's permissions policy gets updated according to the code

What actually happened?

Nothing

Environment

  • **CDK CLI Version :1.86.0
  • **Framework Version: 1.86.0
  • **Node.js Version: v13.8.0
  • **OS :MacOS Catalina
  • **Language (Version): TypeScript (3.9.6)

This is 🐛 Bug Report

@JFox JFox added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 1, 2021
@github-actions github-actions bot added @aws-cdk/assets Related to the @aws-cdk/assets package @aws-cdk/aws-ecr-assets Related to AWS CDK Docker Image Assets labels Mar 1, 2021
@eladb
Copy link
Contributor

eladb commented Mar 2, 2021

@JFox thanks for describing your use case.

I believe this use case can be addressed using the proposed ECR deployment feature, which will allow you to define a separate ECR repository (which you can fully control) and deploy docker image assets to it. If that's the case, please +1 that issue so we can prioritize it (copy @ericzbeard).

The new bootstrapping mechanism (which will be the default in 2.0), all docker image assets will use the same ECR repository, which is created during cdk bootstrap. To that end, it won't be possible to modify the asset repository's permissions directly, which is why addToResourcePolicy doesn't work in this case.

I think we should remove the repository property from DockerImageAsset because it may send the wrong signal about what you can do with that repository (like granting permissions).

@eladb eladb changed the title (aws-ecr-assets): Grants and policy updates result in a no-op (aws-ecr-assets): DockerImageAsset.repository is not really a repository (e.g. grants result in a no-op) Mar 2, 2021
@eladb eladb added p1 effort/small Small work item – less than a day of effort labels Mar 2, 2021
@eladb eladb removed their assignment Mar 2, 2021
@JFox
Copy link
Author

JFox commented Mar 2, 2021

Thanks for the clarification. I may add that the grants and permissions reference to the assets repository are removed as well.

@JFox JFox closed this as completed Mar 2, 2021
@github-actions
Copy link

github-actions bot commented Mar 2, 2021

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@eladb
Copy link
Contributor

eladb commented Mar 2, 2021

Reopening this to track the deprecation of the repository property from DockerImageAsset.

@eladb eladb reopened this Mar 2, 2021
eladb pushed a commit that referenced this issue Mar 24, 2021
This change deprecates the `@aws-cdk/aws-s3-assets` and `@sws-cdk/aws-ecr-assets` modules and moves all the asset types to the `core` module under `FileAsset` and `ImageAsset`. Old classes and modules are marked `@deprecated` and will no longer be supported in the next major version of the AWS CDK.

As part of this change, the API of `FileAsset` and `ImageAsset` have been narrowed to reflect the capabilities of the asset system with modern bootstrapping. Namely, the S3 bucket and ECR repository used to host assets are no longer exposed via the API since they can not be controlled from the CDK app (they are created as part of bootstrapping).

Fixes #13327
Fixes #11859
@ryparker ryparker removed the needs-triage This issue or PR still needs to be triaged. label Jun 1, 2021
@github-actions
Copy link

github-actions bot commented Jun 1, 2022

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Jun 1, 2022
@github-actions github-actions bot closed this as completed Jun 6, 2022
nickgardner-amazon added a commit to nickgardner-amazon/aws-cdk that referenced this issue Apr 8, 2024
In cdkv2, it is no longer possible to add permissions on the repository for `dockerImageAsset`, but the docs were not updated.

Updates documentation for aws-ecr-assets. Mentions that it is no longer possible to grant repository permissions on `dockerImageAsset` for cross-account access and provides possible alternate routes.

Rebuilt doc change.

- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
mergify bot pushed a commit that referenced this issue Apr 8, 2024
…kerImageAsset ECR repository (#29766)

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

#13327 (Only a docs update, does not fix the underlying issue)

### Reason for this change

In cdkv2, it is no longer possible to add permissions on the repository for `dockerImageAsset`, but the docs were not updated.

### Description of changes

Updates documentation for aws-ecr-assets. Mentions that it is no longer possible to grant repository permissions on `dockerImageAsset` for cross-account access and provides possible alternate routes.

### Description of how you validated changes

Rebuild the affected doc.



No, docs change only

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/assets Related to the @aws-cdk/assets package @aws-cdk/aws-ecr-assets Related to AWS CDK Docker Image Assets bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. effort/small Small work item – less than a day of effort p1
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants