(aws-codepipeline-actions): TagParameterContainerImage unusable cross-account #15070
Comments
danwiltshire
added
bug
|
Thanks for reporting @danwiltshire. Confirming I was able to reproduce it. I'm working on a fix. In the meantime, you should be able to unblock yourself by passing the const fargateTaskDefinition = new ecs.FargateTaskDefinition(this, 'ServiceTaskDefinition', {
executionRole: new iam.Role(serviceStack, 'ExecutionRole', {
assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
roleName: 'my-name',
}),
});If you don't want to set a name yourself, you can pass |
skinny85
added
effort/small
When TagParameterContainerImage is used from a different acocunt than the service itself is in, it fails resolution, because the Task's execution Role does not have a physical name set by default. Create it with PhysicalName.GENERATE_IF_NEEDED, so that it assigns a name when accessed from a cross-account context. Fixes aws#15070
|
Hey @skinny85 thanks, this got me a bit further. I'm now getting another issue where the ECR policy principal is not valid. Error: Cause: The Solutions:
Synthed CFN: "FargatePipelineEcsDeployRepository70287658": {
"Type": "AWS::ECR::Repository",
"Properties": {
"RepositoryName": "<EXPLICIT_REPO_NAME>",
"RepositoryPolicyText": {
"Statement": [
{
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage"
],
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::<ACCOUNT_NUMBER>:role/prod-appappexecutionrole0e3f44e5e1548be0860e"
]
]
}
}
}
],
"Version": "2012-10-17"
},
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": ".../FargatePipeline/EcsDeployRepository/Resource"
}
},Working policy: {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "new statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ACCOUNT_NUMBER>:root"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
]
}
]
}Other notes:
Workaround const cfnRepository = appEcrRepo.node.defaultChild as ecr.CfnRepository;
cfnRepository.repositoryPolicyText = {
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ACCOUNT_NUMBER>:root"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
]
}
]
}If you need this in a new issue I'm happy to spin one up. |
|
Hmm, but the error you get and the resolution don't match each other...? {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "new statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ACCOUNT_NUMBER>:root"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
]
}
]
}This does not contain a |
|
Correct, that seems to be the second available solution. If you were to take a role ARN and put an asterisk in, that works to. |
|
But an asterisk where? 🤔 Just tack it on randomly at the end of the Role ARN? |
|
Yeah pretty much. I wonder if ECR just doesn't allow granting access to roles? Looking at the AWS docs granting a role isn't listed: https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policy-examples.html |
…15073) When TagParameterContainerImage is used from a different acocunt than the service itself is in, it fails resolution, because the Task's execution Role does not have a physical name set by default. Create it with PhysicalName.GENERATE_IF_NEEDED, so that it assigns a name when accessed from a cross-account context. Fixes #15070 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
|
@danwiltshire confirming I was able to reproduce this error. I'm working on a fix. |
|
I can confirm just adding a |
|
Hmm, so I think I know what the problem is. The issue is that, when using |
|
If you provide a Role that does exist in the Repository's resource policy, the deployment is successful. So ECR definitely does support Role-based resource policies. |
|
Yeah you're right, I just tried specifying a nonexistent role in a different account and it failed. As soon as I specify a role that exists, it works. |
|
This is quite the conundrum. Not sure exactly how to handle this from the CDK side. |
|
There is the option of granting access at the account level e.g. |
…ws#15073) When TagParameterContainerImage is used from a different acocunt than the service itself is in, it fails resolution, because the Task's execution Role does not have a physical name set by default. Create it with PhysicalName.GENERATE_IF_NEEDED, so that it assigns a name when accessed from a cross-account context. Fixes aws#15070 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ments When performing grants in ECR's Repository class for principals from other accounts, we put the ARN of the principal inside the Resource Policy of the Repository. However, ECR validates that all principals included in its Policy exist at the time of deploying the Repository, so if this cross-account principal was not created before the Repository, its deployment would fail. Detect that situation in the Repository class, and trust the entiure account of the principal if this situation happens. This was spotted by a customer when using the `TagParameterContainerImage` class. Fixes aws#15070
…ments (#16376) When performing grants in ECR's Repository class for principals from other accounts, we put the ARN of the principal inside the Resource Policy of the Repository. However, ECR validates that all principals included in its Policy exist at the time of deploying the Repository, so if this cross-account principal was not created before the Repository, its deployment would fail. Detect that situation in the Repository class, and trust the entiure account of the principal if this situation happens. This was spotted by a customer when using the `TagParameterContainerImage` class. Fixes #15070 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
…ments (aws#16376) When performing grants in ECR's Repository class for principals from other accounts, we put the ARN of the principal inside the Resource Policy of the Repository. However, ECR validates that all principals included in its Policy exist at the time of deploying the Repository, so if this cross-account principal was not created before the Repository, its deployment would fail. Detect that situation in the Repository class, and trust the entiure account of the principal if this situation happens. This was spotted by a customer when using the `TagParameterContainerImage` class. Fixes aws#15070 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ments (aws#16376) When performing grants in ECR's Repository class for principals from other accounts, we put the ARN of the principal inside the Resource Policy of the Repository. However, ECR validates that all principals included in its Policy exist at the time of deploying the Repository, so if this cross-account principal was not created before the Repository, its deployment would fail. Detect that situation in the Repository class, and trust the entiure account of the principal if this situation happens. This was spotted by a customer when using the `TagParameterContainerImage` class. Fixes aws#15070 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ments (aws#16376) When performing grants in ECR's Repository class for principals from other accounts, we put the ARN of the principal inside the Resource Policy of the Repository. However, ECR validates that all principals included in its Policy exist at the time of deploying the Repository, so if this cross-account principal was not created before the Repository, its deployment would fail. Detect that situation in the Repository class, and trust the entiure account of the principal if this situation happens. This was spotted by a customer when using the `TagParameterContainerImage` class. Fixes aws#15070 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Using
TagParameterContainerImageas a property for a stack in a different account causes a resolution error.Reproduction Steps
What did you expect to happen?
Stack
my-appshould reference the ECR repo frommy-pipeline.What actually happened?
Error: Resolution error: Resolution error: Resolution error: Resolution error: Resolution error: Cannot use resource 'my-app/FargateService/TaskDef/ExecutionRole' in a cross-environment fashion, the resource's physical name must be explicit set or use 'PhysicalName.GENERATE_IF_NEEDED'.Environment
Other details
I'm using
ApplicationLoadBalancedFargateService.This is 🐛 Bug Report
The text was updated successfully, but these errors were encountered: