Open joepjoosten opened 5 days ago
Self-assigning this issue and will dive a little bit deeper here.
Hi @joepjoosten
For the third tool, I think that tool should always run aws ecr get-login ... | docker login ... to ensure it's using the correct permissions.
For CDK, we will investigate if we should explicitly docker logout to reduce some other risk.
Thank you for the feedback.
Describe the bug
When using aws-cdk with other tools (e.g. serverless in a monorepo), using a docker deployment artifact that uses ECR to upload, the aws-cdk stays signed in with the created role for ECR (CustomCDKECRDeployment role). This causes issues when using other tools that use a different ECR repository. They detect that docker is signed into the https://.dkr.ecr.eu-central-1.amazonaws.com repository and don't log in themselves. But the CustomCDKECRDeployment role is too restricted to use this login.
So it's best to log out after the CDK deployment process is done. This can be done with
docker logout https://<account-id>.dkr.ecr.eu-central-1.amazonaws.com
I've also opened a ticket in the serverless project to do the same, so there is no conflict.
Related https://github.com/serverless/serverless/issues/12895
Regression Issue
Last Known Working CDK Version
No response
Expected Behavior
Log out of the ECR(s) when done with deployment
Current Behavior
Stays logged in after deployment.
Reproduction Steps
Do a deployment with a docker asset that pushes to an ECR repo. Try to push a docker image to another repository in the same account manually, or with another framework like serverless, without docker logout. This will not work, because the system is still logged in with the CustomCDKECRDeployment role.
Possible Solution
Log out of the ECR(s) with
docker logout https://<account-id>.dkr.ecr.eu-central-1.amazonaws.com
Additional Information/Context
No response
CDK CLI Version
2.143.0
Framework Version
No response
Node.js Version
node 22
OS
macos
Language
TypeScript
Language Version
No response
Other information
No response
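The following shell helper is added here as an illustration; it is not code from the CDK project, the serverless project or the issue author. It does what both the maintainer's reply and the Possible Solution above describe: log in to one ECR registry with the caller's own credentials, push, and always docker logout that registry afterwards (even when the push fails, so no later tool inherits the session), and it adds the check a practitioner wants first, listing the ECR registries Docker is still logged in to by reading the auths entries of a Docker config.json. The account id 123456789012, the region and the repository name are placeholders, and the config file inspected in the demo is constructed inline; the real file is ~/.docker/config.json.

```shell
#!/bin/sh
# Added example (not from the CDK project or the issue author).
set -eu

# Print every ECR registry that has an entry under "auths" in a Docker
# config file (default: ~/.docker/config.json). Docker keeps the key even
# when a credential store holds the secret, so this also reports logins
# whose token lives in the OS keychain. Returns 0 if at least one ECR
# login is present, 1 otherwise.
stale_ecr_logins() {
    cfg="${1:-$HOME/.docker/config.json}"
    [ -f "$cfg" ] || return 1
    # A login entry looks like   "https://<acct>.dkr.ecr.<region>.amazonaws.com": {
    # A credHelpers entry maps the same host to a string, so require the "{".
    found=$(tr -d '\n\t' < "$cfg" \
        | grep -oE '"[^"]*\.dkr\.ecr\.[^"]*"[[:space:]]*:[[:space:]]*\{' \
        | sed -E 's/^"([^"]*)".*/\1/' || true)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Log in to one ECR registry with the caller's own AWS credentials, push the
# image, and log out again no matter how the push ends. The body runs in a
# subshell so the EXIT trap fires when this function returns, not when the
# caller's shell exits.
ecr_push_and_logout() (
    registry="$1"   # placeholder: 123456789012.dkr.ecr.eu-central-1.amazonaws.com
    region="$2"     # placeholder: eu-central-1
    image="$3"      # placeholder: "$registry/my-repo:latest"
    trap 'docker logout "$registry" >/dev/null 2>&1 || true' EXIT
    aws ecr get-login-password --region "$region" \
        | docker login --username AWS --password-stdin "$registry"
    docker push "$image"
)

# Demo on a constructed config.json that mimics the state the issue describes:
# a CDK deployment left an ECR login behind, next to a Docker Hub login.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
{
  "auths": {
    "https://123456789012.dkr.ecr.eu-central-1.amazonaws.com": {},
    "https://index.docker.io/v1/": {}
  },
  "credsStore": "osxkeychain"
}
EOF
if stale_ecr_logins "$demo_cfg"; then
    echo "Docker is still logged in to the ECR registries listed above."
fi
rm -f "$demo_cfg"

# Real use (placeholders), run with your own credentials, not CDK's role:
#   ecr_push_and_logout 123456789012.dkr.ecr.eu-central-1.amazonaws.com \
#       eu-central-1 123456789012.dkr.ecr.eu-central-1.amazonaws.com/my-repo:latest
```

Running stale_ecr_logins against the real ~/.docker/config.json after a cdk deploy is the quickest way to confirm the leftover session; if it prints a registry, a docker logout of that registry restores the state the other tool expects, and it will then perform its own login.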