(bootstrap): Bootstrapping with CDK v1.139.0 removes IAM policy from the ECR asset repository #18473
Comments
We also saw this unexpected change after upgrading to the latest bootstrap stack. For a quick fix, making a trivial change to the Dockerfile of the affected Lambda was enough to change the asset hash and led to restoration of the lost policy statement.
@NGL321 hello - we ran into this today and found the source of the problem. See this lambda doc. Lambda needs ECR to have a policy on it to allow it to pull images. The "funny" thing that lambda does though is automatically add the policy to ECR:
The problem is, on CDK bootstrap upgrade, the ECR policy that lambda added can be removed, thus breaking things for lambda (it cannot pull). The fix seems to be to add this policy to ECR in the CDK bootstrap.
Hi @NGL321,
Seems the change is a collateral from the enablement of ECR Scan by default on the repository. This likely caused the repository policy to be re-written, and the Lambda-authored change to be removed. Definitely an awkward situation.
Container Functions automatically add a policy to an ECR repository to allow Lambda to pull from it; however, when the ECR repository is rebootstrapped and has changed, the policy might be overwritten. Add the policy to the bootstrap stack, so we don't have to rely on Lambda to add it and it will survive rebootstraps. This introduces version 11 of the bootstrap stack. You do not need to upgrade to this version unless you are affected by this issue. Fixes #18473.
What is the problem?
Bootstrapping from 1.138.0 to v1.139.0 removes IAM policy from the cdk-hnb659fds-container-assets-1234567890-eu-central-1 ECR repository, resulting in Lambdas being unable to run due to not being able to access their images. The following policy was removed:

resulting in the following Lambda error:
Reproduction Steps
1. v1.138.0
2. v1.139.0
3. and check the IAM policy gets removed from ECR cdk-hnb659fds-container-assets-1234567890-eu-central-1 repository

What did you expect to happen?
Bootstrap process should NOT remove IAM policy from ECR cdk-hnb659fds-container-assets-1234567890-eu-central-1 repository

What actually happened?
Bootstrap process removed IAM policy from ECR cdk-hnb659fds-container-assets-1234567890-eu-central-1 repository

CDK CLI Version
1.139.0
Framework Version
No response
Node.js Version
v14.15.0
OS
Ubuntu 20.04
Language
Python
Language Version
No response
Other information
No response
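The whole thread turns on one question: does the bootstrap container-assets repository's policy still let the Lambda service principal pull images? Below is an added example, not code from the aws-cdk project or from anyone in this issue, that answers it for a given ECR repository policy document. It parses the policy JSON and reports whether `lambda.amazonaws.com` is allowed both `ecr:BatchGetImage` and `ecr:GetDownloadUrlForLayer`, the two actions Lambda needs to pull an image. The two policy documents are constructed samples: the first models the statement Lambda adds to a repository when a container-image function is created, the second a repository that has lost it; the repository name and account id reuse the placeholder values from the issue text.

```python
"""Check whether an ECR repository policy still lets AWS Lambda pull images.

Added example, not code from the aws-cdk project. The policy documents below are
constructed samples; the account id and region are the placeholders used in the
issue text.
"""
import json

# The two actions Lambda performs against a repository when pulling an image.
LAMBDA_PULL_ACTIONS = {"ecr:batchgetimage", "ecr:getdownloadurlforlayer"}
LAMBDA_SERVICE_PRINCIPAL = "lambda.amazonaws.com"


def _as_list(value):
    """Normalise a policy field that IAM lets you write as a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lambda_pull_allowed(policy_text: str) -> bool:
    """Return True if some Allow statement grants the Lambda service principal
    every action in LAMBDA_PULL_ACTIONS (wildcards such as ecr:* also count).

    Only Service principals are considered; Deny statements and conditions are
    not evaluated, so this is a presence check, not a full policy simulation.
    """
    policy = json.loads(policy_text)
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if LAMBDA_SERVICE_PRINCIPAL not in services:
            continue
        for action in _as_list(stmt.get("Action")):
            action = action.lower()  # IAM action names are case-insensitive
            if action in ("*", "ecr:*"):
                granted |= LAMBDA_PULL_ACTIONS
            elif action in LAMBDA_PULL_ACTIONS:
                granted.add(action)
    return LAMBDA_PULL_ACTIONS <= granted


# Constructed sample: the kind of statement Lambda writes to the repository so
# that functions in this account and region can pull their images.
LAMBDA_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "LambdaPull",
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
        "Condition": {"StringLike": {
            "aws:sourceArn": "arn:aws:lambda:eu-central-1:1234567890:function:*"}},
    }],
})

# Constructed sample: a policy that only lets the account's own principals pull,
# which is what the repository looks like once the Lambda statement is gone.
ACCOUNT_ONLY_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "AccountPull",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::1234567890:root"},
        "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
    }],
})


if __name__ == "__main__":
    for name, doc in (("lambda policy", LAMBDA_POLICY),
                      ("account-only policy", ACCOUNT_ONLY_POLICY)):
        state = "allowed" if lambda_pull_allowed(doc) else "MISSING"
        print(f"{name}: Lambda pull {state}")
```

To check a live repository, pass the output of `aws ecr get-repository-policy --repository-name <repository> --query policyText --output text` to `lambda_pull_allowed`; a False result on the cdk-hnb659fds-container-assets repository is exactly the state this issue describes, and is worth checking after every bootstrap-stack upgrade before image-backed functions are next invoked.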