Unable to grantPull permission ECR repository (may be bug in doc)
See original GitHub issue.
I’m submitting a …
- 🪲 bug report
- 🚀 feature request
- 📚 construct library gap
- ☎️ security issue or vulnerability => Please see policy
- ❓ support request => Please see note at the top of this template.
What is the current behavior? If the current behavior is a 🪲bug🪲: Please provide the steps to reproduce
AWS CDK (CF) fails with following error message: “Invalid parameter at ‘PolicyText’ failed to satisfy constraint: ‘Invalid repository policy provided’ (Service: AmazonECR; Status Code: 400; Error Code: InvalidParameterException; Request ID: xxx)”
```typescript
import ecr = require('@aws-cdk/aws-ecr')
import iam = require('@aws-cdk/aws-iam')

// `parent` is the enclosing construct (the stack) in the reporter's app;
// the repository name is taken from the REPO environment variable
const repo = new ecr.Repository(parent, 'Repo', {
  repositoryName: process.env.REPO
})
// Grant pull-only access to the CodeBuild service principal
repo.grantPull(new iam.ServicePrincipal('codebuild.amazonaws.com'))
```
However, it works perfectly for the following code
```typescript
import ecr = require('@aws-cdk/aws-ecr')
import iam = require('@aws-cdk/aws-iam')

// `parent` is the enclosing construct (the stack) in the reporter's app
const repo = new ecr.Repository(parent, 'Repo', {
  repositoryName: process.env.REPO
})
// Attach an explicit repository policy statement instead of calling grantPull()
repo.addToResourcePolicy(policy())

// One Allow statement: the CodeBuild service principal may pull images,
// using only the three actions a `docker pull` needs
function policy(): iam.PolicyStatement {
  const policy = new iam.PolicyStatement()
  policy.addPrincipals(new iam.ServicePrincipal('codebuild.amazonaws.com'))
  policy.addActions(
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
    "ecr:BatchCheckLayerAvailability"
  )
  return policy
}
```
What is the expected behavior (or behavior of feature suggested)?
My understanding is that grantPull(...) is a simplification of policy management as it is defined by Repository Policy. Maybe grantPull(...) works correctly and this is only a bug in the doc.
What is the motivation / use case for changing the behavior or adding this feature?
Please tell us about your environment:
- CDK CLI Version: 1.3.0
- Module Version: 1.3.0
- OS: OSX Mojave
- Language: TypeScript
Other information
```text
CodeBuildServerless: deploying...
CodeBuildServerless: creating CloudFormation changeset...
0/3 | 12:36:08 PM | CREATE_IN_PROGRESS | AWS::ECR::Repository | Repo (Repo02AC86CF)
0/3 | 12:36:08 PM | CREATE_IN_PROGRESS | AWS::CDK::Metadata | CDKMetadata
0/3 | 12:36:08 PM | CREATE_IN_PROGRESS | AWS::ECR::Repository | Repo (Repo02AC86CF) Resource creation Initiated
1/3 | 12:36:09 PM | CREATE_FAILED | AWS::ECR::Repository | Repo (Repo02AC86CF) Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided' (Service: AmazonECR; Status Code: 400; Error Code: InvalidParameterException; Request ID: xxx
new Repository (/Users/dmitry.kolesnikov/devel/erlang/dev/code-build-serverless/node_modules/@aws-cdk/aws-ecr/lib/repository.ts:343:22)
_ CodeBuildServerless (/Users/dmitry.kolesnikov/devel/erlang/dev/code-build-serverless/aws.ts:32:17)
_ /Users/dmitry.kolesnikov/devel/erlang/dev/code-build-serverless/aws.ts:13:9
_ Array.forEach (<anonymous>)
_ _ (/Users/dmitry.kolesnikov/devel/erlang/dev/code-build-serverless/aws.ts:10:7)
_ Object.<anonymous> (/Users/dmitry.kolesnikov/devel/erlang/dev/code-build-serverless/aws.ts:41:1)
_ Module._compile (internal/modules/cjs/loader.js:759:30)
_ Module.m._compile (/usr/local/lib/node_modules/ts-node/src/index.ts:473:23)
_ Module._extensions..js (internal/modules/cjs/loader.js:770:10)
_ Object.require.extensions.<computed> [as .ts] (/usr/local/lib/node_modules/ts-node/src/index.ts:476:12)
_ Module.load (internal/modules/cjs/loader.js:628:32)
_ Function.Module._load (internal/modules/cjs/loader.js:555:12)
_ Function.Module.runMain (internal/modules/cjs/loader.js:824:10)
_ Object.<anonymous> (/usr/local/lib/node_modules/ts-node/src/bin.ts:158:12)
_ Module._compile (internal/modules/cjs/loader.js:759:30)
_ Object.Module._extensions..js (internal/modules/cjs/loader.js:770:10)
_ Module.load (internal/modules/cjs/loader.js:628:32)
_ Function.Module._load (internal/modules/cjs/loader.js:555:12)
_ Function.Module.runMain (internal/modules/cjs/loader.js:824:10)
_ internal/main/run_main_module.js:17:11
2/3 | 12:36:10 PM | CREATE_FAILED | AWS::CDK::Metadata | CDKMetadata Resource creation cancelled
2/3 | 12:36:11 PM | ROLLBACK_IN_PROGRESS | AWS::CloudFormation::Stack | CodeBuildServerless The following resource(s) failed to create: [Repo02AC86CF, CDKMetadata]. . Rollback requested by user.
2/3 | 12:36:16 PM | DELETE_IN_PROGRESS | AWS::CDK::Metadata | CDKMetadata
2/3 | 12:36:16 PM | DELETE_SKIPPED | AWS::ECR::Repository | Repo (Repo02AC86CF)
3/3 | 12:36:17 PM | DELETE_COMPLETE | AWS::CDK::Metadata | CDKMetadata
4/3 | 12:36:18 PM | ROLLBACK_COMPLETE | AWS::CloudFormation::Stack | CodeBuildServerless
❌ CodeBuildServerless failed: Error: The stack named CodeBuildServerless failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE
at /usr/local/lib/node_modules/aws-cdk/lib/api/util/cloudformation.ts:163:13
at processTicksAndRejections (internal/process/task_queues.js:89:5)
at waitFor (/usr/local/lib/node_modules/aws-cdk/lib/api/util/cloudformation.ts:76:20)
at Object.deployStack (/usr/local/lib/node_modules/aws-cdk/lib/api/deploy-stack.ts:98:3)
at CdkToolkit.deploy (/usr/local/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:121:24)
at main (/usr/local/lib/node_modules/aws-cdk/bin/cdk.ts:192:16)
at initCommandLine (/usr/local/lib/node_modules/aws-cdk/bin/cdk.ts:150:9)
The stack named CodeBuildServerless failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE
make: *** [publish] Error 1
```
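The working `policy()` snippet in the report grants exactly the three actions a `docker pull` needs, which is the least-privilege shape a pull grant should have. The TypeScript below is an added example, not code from the issue or from the aws-cdk project: it builds the same repository policy document as a plain object (no CDK dependency, so it runs offline) and audits any ECR repository policy document for Allow statements that go beyond pull access, which is a useful check to run over a synthesized template before deploying. The `PolicyDocument` and `Statement` types, `buildPullPolicy`, `auditPullOnly` and the over-broad `SAMPLE_BROAD_POLICY` document are all assumptions constructed for this example.

```typescript
// Added example (not code from the issue or from the aws-cdk project).
// Builds the ECR repository policy document that the issue's working policy()
// function produces, and audits any repository policy document for Allow
// statements that grant more than pull access. All types and function names
// below are assumptions made for this example.

type Principal = "*" | { AWS?: string | string[]; Service?: string | string[] };

interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal?: Principal;
  Action?: string | string[];
}

interface PolicyDocument {
  Version: string;
  Statement: Statement | Statement[];
}

// The three actions the issue's policy() grants: enough for `docker pull`, nothing more.
const PULL_ACTIONS: string[] = [
  "ecr:GetDownloadUrlForLayer",
  "ecr:BatchGetImage",
  "ecr:BatchCheckLayerAvailability",
];

// Plain-object equivalent of the issue's policy(): one Allow statement for one service principal.
function buildPullPolicy(service: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      { Sid: "AllowPull", Effect: "Allow", Principal: { Service: service }, Action: PULL_ACTIONS.slice() },
    ],
  };
}

// IAM JSON accepts a scalar wherever it accepts an array; normalise to arrays.
function asArray<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

function principalIsAnonymous(p: Principal | undefined): boolean {
  if (p === undefined) return false;
  if (p === "*") return true;
  return asArray(p.AWS).indexOf("*") !== -1;
}

// Returns one finding per problem; an empty array means every Allow statement is pull-only
// and bound to a named principal. Deny statements never widen access and are skipped.
function auditPullOnly(doc: PolicyDocument): string[] {
  const findings: string[] = [];
  asArray(doc.Statement).forEach((stmt, i) => {
    const sid = stmt.Sid || ("Statement[" + i + "]");
    if (stmt.Effect !== "Allow") return;
    const actions = asArray(stmt.Action);
    const wild = actions.filter(a => a.indexOf("*") !== -1);
    if (wild.length > 0) findings.push(sid + ": wildcard action(s) " + wild.join(", "));
    const extra = actions.filter(a => a.indexOf("*") === -1 && PULL_ACTIONS.indexOf(a) === -1);
    if (extra.length > 0) findings.push(sid + ": non-pull action(s) " + extra.join(", "));
    if (principalIsAnonymous(stmt.Principal)) findings.push(sid + ": anonymous principal");
  });
  return findings;
}

// Constructed sample: a deliberately over-broad repository policy used only to exercise the audit.
const SAMPLE_BROAD_POLICY: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "TooBroad", Effect: "Allow", Principal: "*", Action: "ecr:*" },
    { Sid: "PushToo", Effect: "Allow", Principal: { Service: "codebuild.amazonaws.com" },
      Action: ["ecr:BatchGetImage", "ecr:PutImage"] },
    { Sid: "DenyIsFine", Effect: "Deny", Principal: "*", Action: "ecr:DeleteRepository" },
  ],
};

// Usage: the issue's pull-only policy is clean, the constructed one yields three findings.
console.log(auditPullOnly(buildPullPolicy("codebuild.amazonaws.com")));  // []
console.log(auditPullOnly(SAMPLE_BROAD_POLICY));
```

The audit treats any `*` in an action as a wildcard and anything outside the three pull actions as excess, so a statement that also allows `ecr:PutImage` (push) for the same CodeBuild principal is reported even though it looks harmless next to a pull grant.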
Issue Analytics
- State:
- Created 4 years ago
- Comments: 6 (1 by maintainers)
Top GitHub Comments
@OperationalFallacy: Same problem here. Did you find a solution?
Same here, reopen this ticket.