aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

aws-ecs: When adding the credentials to the RepositoryImage, CF tells the arn is too long #20139

Closed NiccoloOlivieriAchille closed 1 year ago

NiccoloOlivieriAchille commented 2 years ago

Describe the bug

Hi all,

I'm building a stack with a Fargate Container which takes an image from DockerHub. Because of the limitations I'm adding the credentials to the container. At synth time everything works great, but when I deploy (via CDK Pipeline, but I think it's the same for a cdk deploy) it throws an error

Expected Behavior

Smooth deploy of the container, using the credentials to pull it from DockerHub

Current Behavior

At synth time everything works fine... At deploy time it throws this error:

Resource handler returned message: "Invalid request provided: Create TaskDefinition: The repository credentials parameter specified for container '<my container>' is invalid. Parameter names can include up to 255 (uppercase and lowercase), numbers, hyphens, and underscores are allowed. Spaces are not allowed. (Service: AmazonECS; Status Code: 400; Error Code: ClientException; Request ID: 206bee8f-2149-4ce5-bc03-2c17dec356d5; Proxy: null)" (RequestToken: 1177740e-7268-9ff0-65bd-2d50e5479ff9, HandlerErrorCode: InvalidRequest)

Reproduction Steps

import { Duration, Fn, RemovalPolicy, Stack, StackProps, Token } from 'aws-cdk-lib';
import {
  AwsLogDriver,
  Cluster,
  ContainerDependencyCondition,
  ContainerImage,
  FargateService,
  FargateTaskDefinition,
} from 'aws-cdk-lib/aws-ecs';
// fromSecretNameV2 lives on the Secrets Manager Secret, not the ECS one
import { Secret } from 'aws-cdk-lib/aws-secretsmanager';
import { Construct } from 'constructs';

export class MyStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    const taskDefinition = new FargateTaskDefinition(this, 'TaskDefinition');
    const container = taskDefinition.addContainer('container', {
      image: ContainerImage.fromRegistry('httpd', {
        // Docker Hub credentials, imported by secret name
        credentials: Secret.fromSecretNameV2(this, 'DockerConfig', 'docker'),
      }),
    });
  }
}

Possible Solution

I think the problem concerns how CDK builds the ARN "dynamically"... probably forcing the build with the real region and account id fixes it... right now I've found a possible solution / workaround by adding only the name of the secret (but the secret must be in the same region / account as the taskDefinition)

Workaround adding only the secret name:

import { Duration, Fn, RemovalPolicy, Stack, StackProps, Token } from 'aws-cdk-lib';
import {
  AwsLogDriver,
  Cluster,
  ContainerDependencyCondition,
  ContainerImage,
  FargateService,
  FargateTaskDefinition,
} from 'aws-cdk-lib/aws-ecs';
// fromSecretNameV2 lives on the Secrets Manager Secret, not the ECS one
import { Secret } from 'aws-cdk-lib/aws-secretsmanager';
import { Construct } from 'constructs';

export class MyStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    const secret = Secret.fromSecretNameV2(this, 'DockerConfig', 'docker');
    const taskDefinition = new FargateTaskDefinition(this, 'TaskDefinition');
    const container = taskDefinition.addContainer('container', {
      image: ContainerImage.fromRegistry('httpd'),
    });
    // Set the repository credentials to the bare secret name instead of the ARN
    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
    // @ts-ignore
    container.imageConfig.repositoryCredentials = {
      credentialsParameter: secret.secretName,
    };
    // The execution role still needs read access to pull with these credentials
    secret.grantRead(taskDefinition.obtainExecutionRole());
  }
}

Additional Information/Context

No response

CDK CLI Version

2.22.0

Framework Version

No response

Node.js Version

14.19.1

OS

windows

Language

Typescript

Language Version

4.6.3

Other information

No response
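
A pre-deploy check for the synth-passes/deploy-fails gap reported above, added here as an example; it is not part of the original issue or of the CDK code base. It scans a synthesized CloudFormation template for ECS `RepositoryCredentials.CredentialsParameter` values and labels each one, on the assumption that the rejected value is the suffix-less ("partial") ARN a name-based secret import renders. The function names and the sample template are constructed for illustration.

```typescript
// Added example (not from the issue thread): lint a synthesized template before deploy.
type Json = string | number | boolean | null | Json[] | { [k: string]: Json };
interface Finding { resource: string; value: string; kind: string }
const obj = (v: Json | undefined): { [k: string]: Json } =>
  v !== null && typeof v === 'object' && !Array.isArray(v) ? v : {};

// Flatten Ref / Fn::Join into one string; deploy-time values stay as ${...} placeholders.
function render(v: Json | undefined): string {
  if (typeof v === 'string') return v;
  const ref = obj(v)['Ref'], join = obj(v)['Fn::Join'];
  if (typeof ref === 'string') return '${' + ref + '}';
  if (Array.isArray(join)) {
    const sep = join[0], parts = join[1];
    if (typeof sep === 'string' && Array.isArray(parts)) return parts.map(render).join(sep);
  }
  return '${?}';
}

// Heuristic: a complete Secrets Manager ARN ends in "-" plus six generated characters;
// a secret whose own name ends that way cannot be told apart from a complete ARN here.
function classify(value: string): string {
  if (value.indexOf('arn:') !== 0) return 'name';
  const at = value.lastIndexOf(':secret:');
  if (at < 0 || value.indexOf(':secretsmanager:') < 0) return 'other';
  return /-[A-Za-z0-9]{6}$/.test(value.slice(at + 8)) ? 'complete-arn' : 'partial-arn';
}

function lintRepositoryCredentials(template: Json): Finding[] {
  const findings: Finding[] = [];
  const resources = obj(obj(template)['Resources']);
  for (const id of Object.keys(resources)) {
    const res = obj(resources[id]);
    if (res['Type'] !== 'AWS::ECS::TaskDefinition') continue;
    const defs = obj(res['Properties'])['ContainerDefinitions'];
    for (const def of Array.isArray(defs) ? defs : []) {
      const cred = obj(obj(def)['RepositoryCredentials'])['CredentialsParameter'];
      if (cred === undefined) continue;
      const value = render(cred);
      findings.push({ resource: id, value, kind: classify(value) });
    }
  }
  return findings;
}

// Constructed sample: three shapes a CredentialsParameter can take after synth.
const taskDef = (cred: Json): Json => ({ Type: 'AWS::ECS::TaskDefinition', Properties: {
  ContainerDefinitions: [{ Name: 'container', RepositoryCredentials: { CredentialsParameter: cred } }] } });
const sampleTemplate: Json = { Resources: {
  ByNameImport: taskDef({ 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':secretsmanager:',
    { Ref: 'AWS::Region' }, ':', { Ref: 'AWS::AccountId' }, ':secret:docker']] }),
  BareName: taskDef('docker'),
  FullArn: taskDef('arn:aws:secretsmanager:eu-west-1:111122223333:secret:docker-AbCdEf'),
} };
```

Point `lintRepositoryCredentials` at the parsed `*.template.json` files that `cdk synth` writes to `cdk.out` and fail the pipeline on any `partial-arn` finding.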

github-actions[bot] commented 1 year ago

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

NiccoloOlivieriAchille commented 1 year ago

This problem persists as of today... any plan to handle it?