Granting access to pull a DockerImageAsset #5983
Comments
@misterjoshua an instance of Keeping this open to track adding an example to the aws-ecr-assets repository readme.
How do you grant permissions to My code looks similar to this:

```ts
const image = new ecs.AssetImage(path.join(...));
const container = taskDefinition.addContainer("container-name", {
  image: image,
  // ...
});
// How to add pull permissions to the aws-cdk/assets ecr repository without hardcoding it?
```
@misterjoshua @peterjuras can you guys please provide some more information about your use case? Why do you need to grant pull permissions to these images?
Hi, Sorry for not updating this, it was actually working automatically after some retries of starting the ecs task. Is there a delay on when the permissions are being applied by cdk?
Allow using an existing `DockerImageAsset` object as a container image in order to enable direct access to `DockerImageAsset`'s API, such as accessing the ECR repository, the source hash or granting permissions. The reason this could not have been exposed through the normal `fromImageAsset` is that `ContainerImage` can be used multiple times (i.e. be bound to multiple container definitions), so there is no reliable way to allow users to access the asset. Related to #5791 and #5983
@eladb I was getting an access denied error when ECS was attempting to pull the image during deployment.

```ts
const nodeImage = new ecrAssets.DockerImageAsset(this, "Image", {
  directory: "../context"
});
const task = new ecs.TaskDefinition(this, 'Task', {
  compatibility: ecs.Compatibility.EC2,
  family: "MyTask",
});
nodeImage.repository.grantPull(task.obtainExecutionRole()); // This fixed the permissions error
const nodeContainer = task.addContainer("main", {
  image: ecs.ContainerImage.fromEcrRepository(nodeImage.repository, nodeImage.sourceHash),
  //...
});
```

Your commit seems like it would solve my problem.
https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-ecr-assets.DockerImageAsset.html
It doesn't seem clear how to grant services (like ECS) access to pull the docker image asset. An example would be helpful, as DockerImageAsset doesn't seem to have the same grant methods as many other constructs in the CDK.
This is a 📕 documentation issue
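One way to confirm that a task's execution role actually carries the pull permissions that `repository.grantPull(...)` adds in the comment above. This is an added example, not code from the thread or the CDK project: it checks a resolved IAM policy document for the four ECR actions an image pull needs. The policy statements, account ID and helper names are constructed for illustration; conditions and `NotAction`/`NotResource` are not evaluated.

```typescript
// Added example: audit a resolved IAM policy for ECR pull permissions.
type OneOrMany = string | string[];
interface Statement { Effect: "Allow" | "Deny"; Action: OneOrMany; Resource: OneOrMany; }

// A pull needs three actions on the repository and the auth token on "*".
const REPO_ACTIONS = ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"];
const AUTH_ACTION = "ecr:GetAuthorizationToken";

// IAM-style wildcard match: "*" is any run of characters, "?" is one character.
function wildcardMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`, ignoreCase ? "i" : "").test(value);
}

function toList(v: OneOrMany): string[] { return Array.isArray(v) ? v : [v]; }

function covers(s: Statement, action: string, resource: string): boolean {
  return toList(s.Action).some(a => wildcardMatch(a, action, true))
      && toList(s.Resource).some(r => wildcardMatch(r, resource, false));
}

// Returns the required actions that no Allow grants, or that a Deny overrides.
function missingPullPermissions(statements: Statement[], repoArn: string): string[] {
  const required: [string, string][] = [
    ...REPO_ACTIONS.map((a): [string, string] => [a, repoArn]),
    [AUTH_ACTION, "*"], // GetAuthorizationToken is not scoped to a repository
  ];
  return required
    .filter(([action, resource]) => {
      const allowed = statements.some(s => s.Effect === "Allow" && covers(s, action, resource));
      const denied = statements.some(s => s.Effect === "Deny" && covers(s, action, resource));
      return !allowed || denied;
    })
    .map(([action]) => action);
}

// Constructed sample: repository ARN and an execution-role policy before/after the grant.
const REPO_ARN = "arn:aws:ecr:us-east-1:111122223333:repository/aws-cdk/assets";
const beforeGrant: Statement[] = [
  { Effect: "Allow", Action: ["logs:CreateLogStream", "logs:PutLogEvents"], Resource: "*" },
];
const afterGrant: Statement[] = [
  ...beforeGrant,
  { Effect: "Allow", Action: REPO_ACTIONS, Resource: REPO_ARN },
  { Effect: "Allow", Action: AUTH_ACTION, Resource: "*" },
];
```

An empty result from `missingPullPermissions(afterGrant, REPO_ARN)` means the role can pull from that repository; any returned action names are what the role still lacks.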