aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

aws-cdk: Docker logout after deployment #31943

Open joepjoosten opened 5 days ago

joepjoosten commented 5 days ago

Describe the bug

When using aws-cdk with other tools (e.g. serverless in a monorepo), using a docker deployment artifact that uses ECR to upload, the aws-cdk stays signed in with the created role for ECR (CustomCDKECRDeployment role). This causes issues when using other tools that use a different ECR repository. They detect that docker is signed into the https://.dkr.ecr.eu-central-1.amazonaws.com repository, and don't log in themselves. But the CustomCDKECRDeployment role is too restricted to use this login.

So it's best to log out after the CDK deployment process is done. This can be done with a docker logout https://<account-id>.dkr.ecr.eu-central-1.amazonaws.com.

I've also opened a ticket in the serverless project to do the same, so there is no conflict.

Related https://github.com/serverless/serverless/issues/12895

Regression Issue

Last Known Working CDK Version

No response

Expected Behavior

Log out of the ECR(s) when done with deployment

Current Behavior

Stays logged in after deployment.

Reproduction Steps

Do a deployment with a docker asset that is pushed to an ECR repo. Try to push a docker image to another repository in the same account manually, or with another framework like serverless, without docker logout. This will not work, because the system is still logged in with the CustomCDKECRDeployment role.

Possible Solution

Log out of the ECR(s) with docker logout https://<account-id>.dkr.ecr.eu-central-1.amazonaws.com

Additional Information/Context

No response

CDK CLI Version

2.143.0

Framework Version

No response

Node.js Version

node 22

OS

macos

Language

TypeScript

Language Version

No response

Other information

No response
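One way to do the cleanup the reporter proposes, generalized to every ECR registry that has a stored credential instead of one hard-coded URL (example added here, not aws-cdk code). It assumes `docker login` wrote the credentials into Docker's `config.json` under `auths` (registries handled by a credential helper are not listed there), and the sample config it ships is constructed, with no real tokens in it.

```shell
#!/bin/sh
# Lists every ECR registry with a stored credential in a Docker config file
# (default: ~/.docker/config.json). Needs no jq: it scans the "auths" keys for
# the <account>.dkr.ecr.<region>.amazonaws.com pattern, with or without the
# https:// prefix that older docker versions store. Prints one registry per line.
list_ecr_logins() {
    cfg="${1:-$HOME/.docker/config.json}"
    [ -r "$cfg" ] || return 0
    grep -o '"[^"]*\.dkr\.ecr\.[^"]*\.amazonaws\.com"' "$cfg" \
        | tr -d '"' | sort -u
}

# Runs `docker logout` for each ECR registry found, so the session a deployment
# left behind (here: one authenticated as a narrowly scoped deployment role)
# is not silently reused by the next tool that sees "already logged in".
logout_ecr_registries() {
    cfg="${1:-$HOME/.docker/config.json}"
    list_ecr_logins "$cfg" | while read -r registry; do
        [ -n "$registry" ] || continue
        docker logout "$registry"
    done
}

# Constructed sample config.json (fake account id, fake auth values: the
# base64 strings decode to "AWS:token" and "user:pass"), written to the path
# given in $1 so list_ecr_logins can be exercised without a real Docker login.
write_sample_config() {
    cat > "$1" <<'EOF'
{
  "auths": {
    "https://123456789012.dkr.ecr.eu-central-1.amazonaws.com": { "auth": "QVdTOnRva2Vu" },
    "https://index.docker.io/v1/": { "auth": "dXNlcjpwYXNz" },
    "123456789012.dkr.ecr.us-east-1.amazonaws.com": { "auth": "QVdTOnRva2Vu" }
  }
}
EOF
}
```

Running `logout_ecr_registries` as the last step of the deploy script (or in a trap so it also fires on failure) removes only the ECR entries and leaves other registry logins, such as Docker Hub, untouched.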

pahud commented 5 days ago

Self-assigning this issue and will dive a little bit deeper here.

pahud commented 5 days ago

Hi @joepjoosten

For the 3rd tool - I think that tool should always aws ecr get-login ... | docker login ... to ensure it's using the correct permission.

For CDK, we will investigate if we should explicitly docker logout to reduce some other risk.

Thank you for the feedback.