Aws-cdk: Granting access to pull a DockerImageAsset

Created on 27 Jan 2020 · 5 Comments · Source: aws/aws-cdk

https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-ecr-assets.DockerImageAsset.html

It doesn't seem clear how to grant services (like ECS) access to pull the docker image asset. An example would be helpful, as DockerImageAsset doesn't seem to have the same grant methods as many other constructs in the CDK.


This is a 📕 documentation issue

@aws-cdk/assets @aws-cdk/aws-ecr docs/generated feature-request guidance

All 5 comments

@misterjoshua an instance of DockerImageAsset has a property repository which is of type IRepository. From here you have access to the grant, grantPull, and grantPullPush methods.

Keeping this open to track adding an example to the aws-ecr-assets repository readme.

How do you grant permissions to ecs.AssetImage types? I'm using docker image assets from ecs, but they don't appear to have a repository property.

My code looks similar to this:

const image = new ecs.AssetImage(path.join(...));
const container = taskDefinition.addContainer("container-name", {
  image: image,
  // ...
});
// How to add pull permissions to the aws-cdk/assets ecr repository without hardcoding it?

@misterjoshua @peterjuras can you guys please provide some more information about your use case? Why do you need to grant pull permissions to these images?

Hi,

Sorry for not updating this, it was actually working automatically after some retries of starting the ecs task.

Is there a delay on when the permissions are being applied by cdk?

@eladb I was getting an access denied error when ECS was attempting to pull the image during deployment.

const nodeImage = new ecrAssets.DockerImageAsset(this, "Image", {
  directory: "../context"
});
const task = new ecs.TaskDefinition(this, 'Task', {
  compatibility: ecs.Compatibility.EC2,
  family: "MyTask",
});
nodeImage.repository.grantPull(task.obtainExecutionRole()); // This fixed the permissions error
const nodeContainer = task.addContainer("main", {
  image: ecs.ContainerImage.fromEcrRepository(nodeImage.repository, nodeImage.sourceHash),
//...
});

Your commit seems like it would solve my problem.
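
A pre-deployment check for the access denied situation discussed in this thread, as an added example that is not part of the original thread or of aws-cdk itself: it inspects a synthesized CloudFormation template and reports which of the ECR pull actions granted by `grantPull` are missing from the task definition's execution role. The function name `missingPullActions`, the logical IDs and the sample template are assumptions constructed for illustration.

```typescript
// Added example, not aws-cdk code: audits `cdk synth` output (CloudFormation JSON).
type Json = { [key: string]: any };

// Actions that Repository.grantPull() adds for the grantee.
const PULL_ACTIONS: string[] = [
  "ecr:GetAuthorizationToken", // granted on "*"
  "ecr:BatchCheckLayerAvailability",
  "ecr:GetDownloadUrlForLayer",
  "ecr:BatchGetImage",
];

const asArray = (v: any): any[] => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Returns the pull actions that no AWS::IAM::Policy attached to the task
// definition's execution role allows. Assumption: the role is defined in the
// same template; inline role policies and managed policies are not inspected.
function missingPullActions(template: Json, taskDefId: string): string[] {
  const resources: Json = template.Resources ?? {};
  const roleId = resources[taskDefId]?.Properties?.ExecutionRoleArn?.["Fn::GetAtt"]?.[0];
  if (typeof roleId !== "string") return PULL_ACTIONS.slice(); // no role to grant to
  const allowed: { [action: string]: boolean } = {};
  for (const id of Object.keys(resources)) {
    const res = resources[id];
    if (res.Type !== "AWS::IAM::Policy") continue;
    if (!asArray(res.Properties?.Roles).some((r: any) => r?.Ref === roleId)) continue;
    for (const stmt of asArray(res.Properties?.PolicyDocument?.Statement)) {
      if (stmt.Effect !== "Allow") continue;
      for (const action of asArray(stmt.Action)) allowed[action] = true;
    }
  }
  return PULL_ACTIONS.filter((a: string) => !allowed[a] && !allowed["ecr:*"] && !allowed["*"]);
}

// Constructed sample: the execution role can authenticate to ECR but has no
// repository-level pull actions, so an image pull would be denied.
const sampleTemplate: Json = {
  Resources: {
    ExecRole: { Type: "AWS::IAM::Role", Properties: {} },
    Task: { Type: "AWS::ECS::TaskDefinition",
            Properties: { ExecutionRoleArn: { "Fn::GetAtt": ["ExecRole", "Arn"] } } },
    ExecPolicy: { Type: "AWS::IAM::Policy", Properties: {
      Roles: [{ Ref: "ExecRole" }],
      PolicyDocument: { Statement: [
        { Effect: "Allow", Action: "ecr:GetAuthorizationToken", Resource: "*" },
      ] },
    } },
  },
};
```

Run against the JSON in `cdk.out` before deploying, an empty result means the execution role carries the same actions that `nodeImage.repository.grantPull(...)` would add.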
