[aws-ecs] TaskDefinition that uses cross account ECR repository image throws an error #10233
Comments
We're also getting this issue trying to use a "deployer" AWS account which does cross-account deployment to our dev/prod env - but we opted for that deployer account to host our ECS repository - we are however looking into using the ecs-assets library - I assume this would resolve the problem as a workaround?
This may be related/caused by this change that was included in v1.60.0.
Hello @idm-ryou, @abbottdev, seems like there is already a pretty good explanation for the reason why this error occurs and solution to how to reference a cross account/region resource: https://stackoverflow.com/questions/62989129/resolution-error-cannot-use-resource-x-in-a-cross-environment-fashion-the-re. I would recommend using the same account/region. However, if you want to reuse the repository, you could deploy
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
For people who want to solve this bug for cross-account ECR usage (as per original bug report), I can't find a way to set the name of the internally generated execution role for the task definition. However, if you create an empty role then the
However, note that CDK will create an ECR repository policy that explicitly references the cross-account execution role, and ECR will validate this when you set the policy. This creates a circular deployment dependency where the IAM role needs to be deployed before the ECR repository, but the IAM role is deployed with an ECS task definition that depends on the ECR repository. I believe you can break the circularity by doing an initial deployment with the (unused) IAM role, and then a second full deployment. Alternatively, I broke the circularity by forcing CDK to discard the over-constrained repository policy and setting my own using just the AWS account, like so:
In terms of security impact, for standard multiple-account use cases, it's hard to argue that there's any benefit to a policy that allows reads from only some roles in another account - the implication is that there are some roles in the other account which should be explicitly prohibited from accessing the repository and are also incapable of gaining access to one of the permitted roles, which suggests that the other account has multiple incompatible purposes. OTOH having a decoupled policy is a significant benefit for maintainability and deployability.
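The comment above describes two things: a repository policy that names a specific execution role in the consuming account (which ECR validates at deploy time, producing the circular dependency), and the replacement policy scoped to the whole account. The following added example, which is not the commenter's code nor part of the CDK project, is a small lint over the CloudFormation JSON that `cdk synth` emits: it finds `AWS::ECR::Repository` resources, reports role-scoped cross-account principals in `RepositoryPolicyText`, and produces the decoupled, account-root version of the policy while narrowing the grant to the pull actions only (so widening the principal never widens what it can do). The function names, the sample template, the account IDs and role names are constructed for illustration.

```python
"""Lint ECR repository policies in a synthesized CloudFormation template.

Added example (not from the issue thread or the CDK project). Assumes the
input is the JSON `cdk synth` produces and that the repository resource is
an AWS::ECR::Repository carrying a RepositoryPolicyText property.
"""
import json
import re
from copy import deepcopy

# The resource-level actions an ECS execution role needs to pull an image.
PULL_ACTIONS = {
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
}

# Matches arn:aws:iam::<12-digit account>:role/<name>; group 1 is the account.
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/.+$")

# Constructed sample policy (not real CDK output): statement 0 is shaped like
# the role-scoped pull grant the comment describes; statement 1 is a push
# grant to another account's role, included to show it is not carried over.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::222222222222:role/AppTaskDefExecutionRole"},
            "Action": sorted(PULL_ACTIONS),
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::333333333333:role/CiPushRole"},
            "Action": "ecr:PutImage",
        },
    ],
}

# Constructed minimal template wrapping the sample policy.
SAMPLE_TEMPLATE = {
    "Resources": {
        "AppRepo": {
            "Type": "AWS::ECR::Repository",
            "Properties": {"RepositoryPolicyText": SAMPLE_POLICY},
        }
    }
}


def _as_list(value):
    """Normalize the string-or-list forms IAM policy JSON allows."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def ecr_repository_policies(template):
    """Yield (logical_id, policy) for each ECR repository that has a policy."""
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::ECR::Repository":
            continue
        policy = res.get("Properties", {}).get("RepositoryPolicyText")
        if policy:
            yield logical_id, policy


def role_scoped_principals(policy):
    """Return (statement_index, role_arn, account_id) for every AWS principal
    that names a specific IAM role. ECR checks that such a role exists when
    the policy is set, which is what makes the deployment order circular."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue
        for arn in _as_list(principal.get("AWS")):
            match = ROLE_ARN.match(arn) if isinstance(arn, str) else None
            if match:
                hits.append((i, arn, match.group(1)))
    return hits


def decouple_policy(policy):
    """Copy the policy, replacing each role-scoped AWS principal with that
    account's root principal (delegating who may pull to the other account's
    own IAM) and keeping only pull actions. Statements with no pull action
    left are dropped rather than emitted with an empty Action."""
    out = deepcopy(policy)
    kept = []
    for stmt in _as_list(out.get("Statement")):
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and "AWS" in principal:
            roots = []
            for arn in _as_list(principal["AWS"]):
                match = ROLE_ARN.match(arn) if isinstance(arn, str) else None
                root = f"arn:aws:iam::{match.group(1)}:root" if match else arn
                if root not in roots:
                    roots.append(root)
            principal["AWS"] = roots if len(roots) > 1 else roots[0]
            actions = sorted(a for a in _as_list(stmt.get("Action")) if a in PULL_ACTIONS)
            if not actions:
                continue
            stmt["Action"] = actions
        kept.append(stmt)
    out["Statement"] = kept
    return out


def lint(template):
    """Map each repository's logical id to its role-scoped principal findings."""
    return {
        logical_id: role_scoped_principals(policy)
        for logical_id, policy in ecr_repository_policies(template)
    }


if __name__ == "__main__":
    for logical_id, hits in lint(SAMPLE_TEMPLATE).items():
        for index, arn, account in hits:
            print(f"{logical_id}: statement {index} names role {arn} in account {account}")
    print(json.dumps(decouple_policy(SAMPLE_POLICY), indent=2))
```

Run it against `cdk.out/<stack>.template.json` (constructed path; substitute your stack name) by loading that file in place of `SAMPLE_TEMPLATE`. The decoupled document is what you would then set as the repository policy yourself; the account-root principal is the same scope the comment argues is the sensible one for a standard multi-account setup, and restricting it to `PULL_ACTIONS` is the check that keeps the wider principal from turning into a push grant.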
It's been a while since this issue has been active. If you're finding this is still an issue on latest version, please create a new issue. Otherwise, I think it's a safe assumption that this has since been fixed
On v1.60.0 (and the current latest release, v1.62.0, too), a TaskDefinition that uses a cross account ECR repository image throws an error.
On the earlier v1.59.0, the same code works fine.
Reproduction Steps
Use CDK v1.60.0
What did you expect to happen?
cdk synth
should succeed like on the earlier v1.59.0
What actually happened?
cdk synth
fails with an error.
Full stack trace
Environment
Other
I suspect changes from #8280 affected this issue.
This is a 🐛 Bug Report