cdklabs/aws-delivlib

EcrMirror creating malformed role policy

doiron opened this issue · 4 comments

I'm trying to use EcrMirror in a new, simple stack that only has two resources (currently using aws-delivlib "version": "14.0.26"):

  1. a Secrets Manager Secret object for the Docker creds
  2. EcrMirror to replicate jsii/superchain from docker to avoid throttling errors.

When I tried to synth and deploy it, it failed due to a malformed role policy.

Notice the resource value "${Token[Fn".

Not sure how to solve this; any help would be appreciated.

"RegistrySyncEcrPushImagesRoleDefaultPolicyD43C38C0": {
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyDocument": {
      "Statement": [
        {
          "Action": [
            "secretsmanager:GetSecretValue",
            "secretsmanager:DescribeSecret"
          ],
          "Effect": "Allow",
          "Resource": {
            "Ref": "DockerCreds87A00671"
          }
        },
        {
          "Action": "secretsmanager:GetSecretValue",
          "Effect": "Allow",
          "Resource": "${Token[Fn"  <---- here
        },
        {
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
          ],
          "Effect": "Allow",
          "Resource": [
            {...

Full code sample (TS file):

// Import paths assume CDK v2 (aws-cdk-lib); they were not part of the original snippet.
import { App } from "aws-cdk-lib";
import { Schedule } from "aws-cdk-lib/aws-events";
import { Secret } from "aws-cdk-lib/aws-secretsmanager";
import { EcrMirror, MirrorSource } from "aws-delivlib";
// DeploymentStack is not shown in the issue; assumed to be the poster's own Stack subclass.
import { DeploymentStack, DeploymentStackProps } from "./deployment-stack";

export interface EcrProps extends DeploymentStackProps {}

/**
 * CloudFormation Stack containing EcrMirror logic to replicate
 *  docker jsii/superchain to ECR within the account.
 */
export class Ecr extends DeploymentStack {
  readonly ecrMirror: EcrMirror;

  constructor(scope: App, id: string, props: EcrProps) {
    super(scope, id, props);

    // Secret created in this same stack; its ARN is an unresolved token at synth time.
    const credentials = new Secret(this, "foo", {
      secretName: "foo-credentials",
      description: "Contains the Docker Login Credentials for foo.",
    });

    // docker image repo
    this.ecrMirror = new EcrMirror(this, "RegistrySync", {
      sources: [
        MirrorSource.fromDockerHub("jsii/superchain", "1-buster-slim-node16"),
        MirrorSource.fromDockerHub("python", "3.6"),
      ],
      dockerHubCredentials: {
        secret: credentials,
        usernameKey: "user",
        passwordKey: "pass",
      },
      // Nightly sync at 23:00 UTC
      schedule: Schedule.cron({
        minute: "0",
        hour: "23",
      }),
    });
  }
}

Just tried to update to the latest as of today, "version": "14.0.28", with the same results.

I was able to overcome this by removing the Secret object from this stack and then leveraging Secret.fromSecretPartialArn for the DockerHubCredentials/secret field, similar to what the unit tests appear to be doing in this package:

dockerHubCredentials: {
  secret: Secret.fromSecretPartialArn(
    this,
    "foo-credentials",
    "arn:aws:secretsmanager:us-east-1:111111111111:secret:foo-credentials",
  ),
  ...

However, it would be nice to be able to supply the Secret object directly instead, as in my example.
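The "${Token[Fn" fragment in the synthesized policy above is what is left of a CDK token string once it has been cut by ordinary string operations: the CDK renders an unresolved value (a Ref, GetAtt or Fn::Join) as "${Token[<hint>.<n>]}" when it is coerced to a string, and that marker only survives if it is passed through whole. The example below is an added illustration of that pitfall and of the synth-time check that catches it; it is not code from aws-delivlib or aws-cdk-lib and makes no claim about how EcrMirror builds its policy. It runs without aws-cdk-lib, so the token marker "${Token[Fn::Join.42]}", the account id and the secret suffix are constructed stand-ins, and naivePartialArn, safePolicyResource, isCorruptedToken and getSecretValueStatement are hypothetical helpers, not delivlib or CDK APIs.

```typescript
// Added example, not aws-delivlib or CDK code. Models the CDK's stringified-token form
// "${Token[<hint>.<n>]}" locally so it runs without aws-cdk-lib.
const TOKEN_MARKER = /\$\{Token\[[^\]]+\]\}/;

// Secrets Manager appends "-" plus 6 random characters to every secret ARN.
// Heuristic: a literal ARN that happens to end in a 6-char word also matches.
const SECRET_SUFFIX = /-[A-Za-z0-9]{6}$/;

// True when the string still carries an intact token marker (the CDK will resolve it at synth).
export function isUnresolved(value: string): boolean {
  return TOKEN_MARKER.test(value);
}

// True when "${Token[" is present but the closing "]}" is gone: the marker was sliced.
// CloudFormation would receive the fragment verbatim and reject the policy as malformed.
export function isCorruptedToken(value: string): boolean {
  return value.includes('${Token[') && !TOKEN_MARKER.test(value);
}

// Naive partial-ARN derivation: chop the 7-character "-XXXXXX" suffix and wildcard it.
// Correct on a literal ARN; on a token string it chops the token marker itself.
export function naivePartialArn(secretArn: string): string {
  return secretArn.slice(0, -7) + '-*';
}

// Safe version: never slice a token. An unresolved value is passed through untouched (at deploy
// time it resolves to the full ARN, like the "Ref" statement in the issue). Only a literal
// partial ARN gets the suffix wildcard, the way fromSecretPartialArn grants do.
export function safePolicyResource(secretArn: string): string {
  if (isUnresolved(secretArn)) return secretArn;
  if (SECRET_SUFFIX.test(secretArn)) return secretArn; // literal full ARN
  return `${secretArn}-??????`;                         // literal partial ARN
}

export interface Statement {
  Effect: 'Allow';
  Action: string[];
  Resource: string;
}

// Builds the GetSecretValue statement and refuses to emit a sliced token.
export function getSecretValueStatement(secretArn: string): Statement {
  const resource = safePolicyResource(secretArn);
  if (isCorruptedToken(resource)) {
    throw new Error(`malformed token in policy resource: ${resource}`);
  }
  return { Effect: 'Allow', Action: ['secretsmanager:GetSecretValue'], Resource: resource };
}

// Constructed inputs: a stand-in for a stringified token, plus two literal ARNs with a
// made-up account id and suffix.
export const TOKEN_ARN = '${Token[Fn::Join.42]}';
export const FULL_ARN =
  'arn:aws:secretsmanager:us-east-1:111111111111:secret:foo-credentials-AbCdEf';
export const PARTIAL_ARN =
  'arn:aws:secretsmanager:us-east-1:111111111111:secret:foo-credentials';

// naivePartialArn(TOKEN_ARN) yields "${Token[Fn::Jo-*": a sliced marker, which
// getSecretValueStatement rejects, while the token itself is passed through unchanged.
```

The practical rule this encodes: a Secret created in the same stack hands you a token, so any code that wants a wildcard form of its ARN must either keep the token whole (the full ARN is what a Ref resolves to anyway) or build the variant with Fn::Join/Fn::Select intrinsics rather than slice or split; a synth-time check like isCorruptedToken over every policy resource turns the deploy-time "malformed policy" error into an immediate, readable failure.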

This issue is now marked as stale because it hasn't seen activity for a while. Add a comment or it will be closed soon. If you wish to exclude this issue from being marked as stale, add the "backlog" label.

Closing this issue as it hasn't seen activity for a while. Please add a comment @mentioning a maintainer to reopen. If you wish to exclude this issue from being marked as stale, add the "backlog" label.