(bootstrap): Bootstrapping with CDK v1.139.0 removes IAM policy from the ECR asset repository
What is the problem?
Bootstrapping from v1.138.0 to v1.139.0 removes the IAM policy from the cdk-hnb659fds-container-assets-1234567890-eu-central-1 ECR repository, so Lambdas cannot run because they are no longer able to access their images. The following policy was removed:
```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "LambdaECRImageRetrievalPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:DeleteRepositoryPolicy",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:SetRepositoryPolicy"
      ],
      "Condition": {
        "StringLike": {
          "aws:sourceArn": "arn:aws:lambda:eu-central-1:1234567890:function:*"
        }
      }
    }
  ]
}
```
resulting in the following Lambda error:
Failed to restore the function MyLambda: The function does not have permission to access the specified image.
Reproduction Steps
- Bootstrap account with v1.138.0
- Add permission policy (or just deploy a Docker Lambda, which will add a policy automatically)
- Bootstrap account with v1.139.0 and check that the IAM policy gets removed from the ECR cdk-hnb659fds-container-assets-1234567890-eu-central-1 repository
What did you expect to happen?
Bootstrap process should NOT remove the IAM policy from the ECR cdk-hnb659fds-container-assets-1234567890-eu-central-1 repository.
What actually happened?
Bootstrap process removed the IAM policy from the ECR cdk-hnb659fds-container-assets-1234567890-eu-central-1 repository.
CDK CLI Version
1.139.0
Framework Version
No response
Node.js Version
v14.15.0
OS
Ubuntu 20.04
Language
Python
Language Version
No response
Other information
No response
Issue Analytics
- State:
- Created 2 years ago
- Reactions:7
- Comments:5 (2 by maintainers)
Top GitHub Comments
@NGL321 hello - we ran into this today and found the source of the problem. See this Lambda doc.
Lambda needs ECR to have a policy on it to allow it to pull images. The "funny" thing that Lambda does, though, is automatically add the policy to ECR.
The problem is that, on CDK bootstrap upgrade, the ECR policy that Lambda added can be removed, thus breaking things for Lambda (it cannot pull).
The fix seems to be to add this policy to ECR in the CDK bootstrap.
We also saw this unexpected change after upgrading to the latest bootstrap stack. For a quick fix, making a trivial change to the Dockerfile of the affected Lambda was enough to change the asset hash and led to restoration of the lost policy statement.
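The issue and the comments above describe a repository policy that Lambda adds on first deploy and that a later bootstrap silently drops. The script below is an added example, not code from the CDK project or from anyone in this thread: it checks whether the asset repository still carries a statement that lets lambda.amazonaws.com pull image layers and, if not, re-applies the exact statement quoted in the issue (same actions, same aws:sourceArn scoping to the account's own functions, which is what keeps another account's Lambda from using the grant). The repository name pattern, the boto3 client usage and the account/region values are assumptions; the policy body is taken from the issue. Only the `__main__` block touches AWS, so the pure functions can be checked offline.

```python
"""Check and restore the Lambda image-pull statement on the CDK asset ECR repo.

Constructed example, not code from the CDK project or the issue author.
boto3 credentials for the bootstrapped account are assumed only for restore_policy / __main__.
"""
import json
from typing import Optional

# Sid of the statement Lambda adds automatically, as quoted in the issue.
LAMBDA_SID = "LambdaECRImageRetrievalPolicy"
PULL_ACTIONS = {"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"}


def lambda_pull_statement(account: str, region: str) -> dict:
    """The statement from the issue, parameterised on account and region.

    The aws:sourceArn condition limits the grant to functions in this account
    and region, so the service principal alone cannot be used cross-account.
    """
    return {
        "Sid": LAMBDA_SID,
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": [
            "ecr:BatchGetImage",
            "ecr:DeleteRepositoryPolicy",
            "ecr:GetDownloadUrlForLayer",
            "ecr:GetRepositoryPolicy",
            "ecr:SetRepositoryPolicy",
        ],
        "Condition": {
            "StringLike": {"aws:sourceArn": f"arn:aws:lambda:{region}:{account}:function:*"}
        },
    }


def _statements(policy: dict) -> list:
    """Normalise 'Statement', which IAM allows as a single object or a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def has_lambda_pull(policy: dict) -> bool:
    """True if some Allow statement lets lambda.amazonaws.com fetch image layers.

    Matches on effect, principal and the two pull actions rather than on the Sid,
    so a renamed but equivalent statement still counts as present.
    """
    for s in _statements(policy):
        if s.get("Effect") != "Allow":
            continue
        principal = s.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "lambda.amazonaws.com" in services and PULL_ACTIONS.issubset(actions):
            return True
    return False


def with_lambda_pull(policy: Optional[dict], account: str, region: str) -> dict:
    """Return the policy unchanged if the grant is present, else with the statement appended.

    Existing statements (e.g. cross-account pull grants) are preserved, never replaced.
    """
    if policy is None:
        policy = {"Version": "2008-10-17", "Statement": []}
    if has_lambda_pull(policy):
        return policy
    return {**policy, "Statement": _statements(policy) + [lambda_pull_statement(account, region)]}


def restore_policy(ecr, repo: str, account: str, region: str) -> bool:
    """Re-apply the statement on a live repository; returns True if a write was made.

    `ecr` is a boto3 ECR client. A repository whose policy was removed entirely
    raises RepositoryPolicyNotFoundException, which is the state this issue produces.
    """
    try:
        current = json.loads(ecr.get_repository_policy(repositoryName=repo)["policyText"])
    except ecr.exceptions.RepositoryPolicyNotFoundException:
        current = None
    if current is not None and has_lambda_pull(current):
        return False
    ecr.set_repository_policy(
        repositoryName=repo, policyText=json.dumps(with_lambda_pull(current, account, region))
    )
    return True


if __name__ == "__main__":
    import boto3  # assumption: credentials for the bootstrapped account are configured

    session = boto3.session.Session()
    acct = session.client("sts").get_caller_identity()["Account"]
    reg = session.region_name
    # Assumed repository name, following the pattern shown in the issue.
    repo_name = f"cdk-hnb659fds-container-assets-{acct}-{reg}"
    changed = restore_policy(session.client("ecr"), repo_name, acct, reg)
    print("policy restored" if changed else "Lambda pull statement already present")
```

Running this after each `cdk bootstrap` upgrade (or from a pipeline step) catches the regression before the next cold start fails with "The function does not have permission to access the specified image", without relying on the Dockerfile-touch workaround mentioned above.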