
(aws-codepipeline-actions): TagParameterContainerImage unusable cross-account


Using TagParameterContainerImage as a property for a stack in a different account causes a resolution error.

Reproduction Steps

// Pipeline stack deployed to the nonprod account; it owns the ECR repository
const myPipeline = new MyPipeline(app, 'my-pipeline', {
  env: nonprod,
});

// Service stack deployed to the prod account; the image token crosses accounts
new MyFargateApp(app, 'my-app', {
  env: prod,
  image: myPipeline.tagParameterContainerImage,
});

What did you expect to happen?

Stack my-app should reference the ECR repo from my-pipeline.

What actually happened?

Error: Resolution error: Resolution error: Resolution error: Resolution error: Resolution error: Cannot use resource 'my-app/FargateService/TaskDef/ExecutionRole' in a cross-environment fashion, the resource's physical name must be explicit set or use 'PhysicalName.GENERATE_IF_NEEDED'.

Environment

  • CDK CLI Version: 1.107.0 (build 52c4434)
  • Framework Version: 1.107.0
  • Node.js Version: 14.16.0
  • OS: WSL2 Ubuntu 20.04.02 LTS on Windows 10 1909
  • Language (Version): TypeScript (3.9.9)

Other details

I’m using ApplicationLoadBalancedFargateService.

This is 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Comments: 15 (8 by maintainers)

Top GitHub Comments

1 reaction
skinny85 commented, Jul 13, 2021

Hmm, so I think I know what the problem is.

The issue is that, when using TagParameterContainerImage across accounts, the execution Role of the Task in the Stack is added to the resource policy of the ECR Repository. However, that Role doesn’t exist at the time the Repository is deployed (because it belongs to the service Stack, which will only be deployed by the Pipeline), and apparently ECR validates that.

1 reaction
danwiltshire commented, Jun 11, 2021

Hey @skinny85 thanks, this got me a bit further. I’m now getting another issue where the ECR policy principal is not valid.

Error: Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'

Cause: The Principal field must contain an asterisk when a full role ARN is used.

Solutions:

  • Use an asterisk in the ARN
  • Use the AWS root reference (as shown in Working policy below).

Synthed CFN:

    "FargatePipelineEcsDeployRepository70287658": {
      "Type": "AWS::ECR::Repository",
      "Properties": {
        "RepositoryName": "<EXPLICIT_REPO_NAME>",
        "RepositoryPolicyText": {
          "Statement": [
            {
              "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage"
              ],
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":iam::<ACCOUNT_NUMBER>:role/prod-appappexecutionrole0e3f44e5e1548be0860e"
                    ]
                  ]
                }
              }
            }
          ],
          "Version": "2012-10-17"
        },
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": ".../FargatePipeline/EcsDeployRepository/Resource"
      }
    },

Working policy:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "new statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_NUMBER>:root"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}

Other notes:

  • The ECR permission GUI also states an asterisk is needed: Statement[0].Principal must match the following: "/\*/" @ Statement[0].Principal
  • I’ve unblocked myself by using an escape hatch.

Workaround

    import * as ecr from '@aws-cdk/aws-ecr';

    // Escape hatch: reach the L1 CfnRepository behind the L2 Repository construct
    // and overwrite the RepositoryPolicyText that CDK synthesized.
    const cfnRepository = appEcrRepo.node.defaultChild as ecr.CfnRepository;

    // Grant pull access to the consuming account's root principal instead of the
    // execution role ARN; that account's own IAM policies then decide which roles may pull.
    cfnRepository.repositoryPolicyText = {
      "Version": "2008-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<ACCOUNT_NUMBER>:root"
          },
          "Action": [
            "ecr:BatchCheckLayerAvailability",
            "ecr:BatchGetImage",
            "ecr:GetDownloadUrlForLayer"
          ]
        }
      ]
    };

If you need this in a new issue I’m happy to spin one up.
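Added example, not code from the issue thread or from the CDK project: a small lint over a synthesized CloudFormation template that classifies each ECR repository-policy principal the way the two comments above describe the failure and the fix. A cross-account role ARN is rejected because the role does not exist when the repository is deployed, a "*" or wildcard principal is flagged as over-broad, and the consuming account's root principal is accepted only when that account is on an allow list. The function names, the sample template and the 1111…/2222… account numbers are constructed placeholders; the code runs with plain TypeScript and no CDK dependency.

```typescript
type Verdict = { principal: string; status: 'ok' | 'warn' | 'reject'; reason: string };
// Resolve the intrinsic subset CDK emits for ARNs: Fn::Join and Ref AWS::Partition.
function resolve(v: unknown, partition = 'aws'): string {
  if (typeof v === 'string') return v;
  const o = v as Record<string, unknown>;
  if (o?.Ref === 'AWS::Partition') return partition;
  if (Array.isArray(o?.['Fn::Join'])) {
    const [sep, parts] = o['Fn::Join'] as [string, unknown[]];
    return parts.map(p => resolve(p, partition)).join(sep);
  }
  throw new Error(`unsupported intrinsic: ${JSON.stringify(v)}`);
}
// Classify one principal of a repository policy owned by account repoAccount.
function checkPrincipal(principal: string, repoAccount: string, allowed: string[]): Verdict {
  if (principal === '*') return { principal, status: 'warn', reason: 'any AWS identity may pull' };
  const m = /^arn:[^:]+:iam::(\d{12}):(.+)$/.exec(principal);
  if (!m) return { principal, status: 'reject', reason: 'not an IAM ARN' };
  const [, account = '', resource = ''] = m;
  if (account !== repoAccount && allowed.indexOf(account) < 0) return { principal, status: 'reject', reason: `account ${account} not in allow list` };
  // Account root delegates to that account's own IAM policies (the thread's fix) and needs no role to exist yet.
  if (resource === 'root') return { principal, status: 'ok', reason: 'account root' };
  if (resource.indexOf('*') >= 0) return { principal, status: 'warn', reason: 'wildcard role ARN' };
  // ECR validates a concrete role ARN when the policy is set; a role the pipeline has not yet
  // deployed fails with "Invalid repository policy provided".
  if (account !== repoAccount) return { principal, status: 'reject', reason: 'cross-account role must already exist' };
  return { principal, status: 'ok', reason: 'same-account role' };
}

// Lint every Principal.AWS entry of every AWS::ECR::Repository in a CloudFormation template.
function lintEcrPolicies(template: any, repoAccount: string, allowed: string[]): Verdict[] {
  const out: Verdict[] = [];
  const resources = template.Resources ?? {};
  for (const res of Object.keys(resources).map(k => resources[k])) {
    if (res.Type !== 'AWS::ECR::Repository') continue;
    for (const st of res.Properties?.RepositoryPolicyText?.Statement ?? []) {
      const aws = st.Principal?.AWS;
      for (const p of Array.isArray(aws) ? aws : aws == null ? [] : [aws]) out.push(checkPrincipal(resolve(p), repoAccount, allowed));
    }
  }
  return out;
}
// Constructed sample mirroring the synthed CFN above; account numbers are placeholders.
const sampleTemplate = { Resources: { Repo: { Type: 'AWS::ECR::Repository', Properties: {
  RepositoryPolicyText: { Version: '2012-10-17', Statement: [
    { Effect: 'Allow', Action: ['ecr:BatchGetImage'], Principal: { AWS: { 'Fn::Join': ['',
      ['arn:', { Ref: 'AWS::Partition' }, ':iam::222222222222:role/prod-appexecutionrole0e3f'] ] } } },
    { Effect: 'Allow', Action: ['ecr:BatchGetImage'], Principal: { AWS: 'arn:aws:iam::222222222222:root' } } ] } } } } };

// Repository lives in the pipeline account 111111111111; only 222222222222 is allowed to pull.
const verdicts = lintEcrPolicies(sampleTemplate, '111111111111', ['222222222222']);
```

Run it against the output of `cdk synth` for the pipeline stack before deploying; the first statement of the sample reproduces the failing role-ARN principal, the second the working root principal.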
