
(bootstrap): Bootstrapping with CDK v1.139.0 removes IAM policy from the ECR asset repository


What is the problem?

Bootstrapping from 1.138.0 to v1.139.0 removes the IAM policy from the cdk-hnb659fds-container-assets-1234567890-eu-central-1 ECR repository, resulting in Lambdas being unable to run because they cannot access their images. The following policy was removed:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "LambdaECRImageRetrievalPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:DeleteRepositoryPolicy",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:SetRepositoryPolicy"
      ],
      "Condition": {
        "StringLike": {
          "aws:sourceArn": "arn:aws:lambda:eu-central-1:1234567890:function:*"
        }
      }
    }
  ]
}

resulting in the following Lambda error:

Failed to restore the function MyLambda: The function does not have permission to access the specified image.

Reproduction Steps

  1. Bootstrap account with v1.138.0
  2. Add permission policy (or just deploy a Docker Lambda which will add a policy automatically)
  3. Bootstrap account with v1.139.0 and check the IAM policy gets removed from ECR cdk-hnb659fds-container-assets-1234567890-eu-central-1 repository

What did you expect to happen?

Bootstrap process should NOT remove IAM policy from ECR cdk-hnb659fds-container-assets-1234567890-eu-central-1 repository

What actually happened?

Bootstrap process removed IAM policy from ECR cdk-hnb659fds-container-assets-1234567890-eu-central-1 repository

CDK CLI Version

1.139.0

Framework Version

No response

Node.js Version

v14.15.0

OS

Ubuntu 20.04

Language

Python

Language Version

No response

Other information

No response

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 7
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

3 reactions
polothy commented, Feb 28, 2022

@NGL321 hello - we ran into this today and found the source of the problem. See this lambda doc.

Lambda needs ECR to have a policy on it to allow it to pull images. The “funny” thing that lambda does though is automatically add the policy to ECR:

If the Amazon ECR repository does not include these permissions, Lambda adds ecr:BatchGetImage and ecr:GetDownloadUrlForLayer to the container image repository permissions. Lambda can add these permissions only if the Principal calling Lambda has ecr:getRepositoryPolicy and ecr:setRepositoryPolicy permissions.

The problem is, on CDK bootstrap upgrade, the ECR policy that lambda added can be removed, thus breaking things for lambda (it cannot pull).

The fix seems to be to add this policy to ECR in the CDK bootstrap.
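Added example (not from the issue thread or the CDK project): a check for the condition described above, run on a repository policy document as ECR returns it, plus a helper that re-adds a minimal Lambda statement granting only the two actions the quoted Lambda documentation says it needs, scoped with the same aws:sourceArn condition as the removed statement. The sample policy, account id and region are constructed placeholders.

```python
import json

# Actions the Lambda documentation quoted above says Lambda needs on the
# repository in order to pull a container image.
REQUIRED_LAMBDA_ACTIONS = {"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"}


def _as_list(value):
    """IAM accepts a single string/dict wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def missing_lambda_actions(policy):
    """Return the required actions not granted to lambda.amazonaws.com."""
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if "lambda.amazonaws.com" in _as_list(principal.get("Service", [])):
            granted |= set(_as_list(stmt.get("Action", [])))
    if "ecr:*" in granted or "*" in granted:
        return set()
    return REQUIRED_LAMBDA_ACTIONS - granted


def restore_lambda_statement(policy, account_id, region):
    """Return a copy of policy with the image-retrieval statement re-added.

    Returns the input unchanged when Lambda already has what it needs,
    so the function is safe to run repeatedly (e.g. after every bootstrap).
    """
    if not missing_lambda_actions(policy):
        return policy
    statement = {
        "Sid": "LambdaECRImageRetrievalPolicy",
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": sorted(REQUIRED_LAMBDA_ACTIONS),
        # Same scoping Lambda itself used in the statement the bootstrap removed.
        "Condition": {"StringLike": {
            "aws:sourceArn": f"arn:aws:lambda:{region}:{account_id}:function:*"}},
    }
    fixed = json.loads(json.dumps(policy))  # deep copy; leave the input alone
    fixed.setdefault("Version", "2008-10-17")
    fixed["Statement"] = _as_list(fixed.get("Statement", [])) + [statement]
    return fixed


# Constructed sample: a repository policy after the v1.139.0 bootstrap dropped
# the Lambda statement (placeholder account id, unrelated statement kept).
POST_BOOTSTRAP_POLICY = {"Version": "2008-10-17", "Statement": [
    {"Sid": "Other", "Effect": "Allow", "Action": "ecr:GetDownloadUrlForLayer",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]}
```

Fetch the live document with boto3's get_repository_policy(repositoryName=...) and write the result back with set_repository_policy when the check reports missing actions.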

3 reactions
scedward commented, Jan 18, 2022

We also saw this unexpected change after upgrading to the latest bootstrap stack. For a quick fix, making a trivial change to the Dockerfile of the affected Lambda was enough to change the asset hash and led to restoration of the lost policy statement.

