task run ECR permissions dropped

Open benjaminpottier opened this issue 3 years ago • 2 comments

We're using the copilot (still on version 1.17.0) task run command to run a task which does some database updates for us.

The issue we're having is we've changed the permissions on the ECR registry to include another AWS account (our production account) since we're doing an immutable build deployment. However, the change (which we made in the console) gets reverted every time we run the command.

Is there a better way to change the ECR registry permissions to permanently include another AWS account?

benjaminpottier avatar Oct 06 '22 18:10 benjaminpottier

Hi @benjaminpottier !

Am I understanding correctly that you're adding the permission to the other AWS account, so that you can pull the images from the other account?

One option that I can think of is creating an ECR repository in the other AWS account and possibly enabling ECR private image replication to ensure the same image is available in the other repository.

Another option that I can think of to avoid the override is actually creating the task not using task run but with job init. You can set the scheduled job to never trigger with:

on:
  schedule: none

https://aws.github.io/copilot-cli/docs/manifest/scheduled-job/#on-schedule

You can add the extra permission to the job's ECR repository, and then trigger the job whenever you want with the copilot job run command that was introduced in v1.20.

I believe that should preserve the ECR repository settings.

efekarakus avatar Oct 06 '22 23:10 efekarakus
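
One way to confirm whether the cross-account pull grant discussed in this thread is still on the repository after a run, as an added example that is not part of the thread or of Copilot's code. The function name, the sample policies and the account id are constructed for illustration; the input is the `policyText` string returned by `aws ecr get-repository-policy`.

```python
import json
from fnmatch import fnmatchcase

# Actions another account needs in order to pull images from a private ECR repository.
PULL_ACTIONS = frozenset({"ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
                          "ecr:GetDownloadUrlForLayer"})

def _as_list(value):
    """Policy elements may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _names_account(principal, account_id):
    """True if Principal names the whole account (bare id or its :root ARN)."""
    if not isinstance(principal, dict):
        return False  # "*" or missing: not an explicit grant to this account
    for entry in _as_list(principal.get("AWS")):
        parts = entry.split(":")
        if entry == account_id or (len(parts) == 6 and parts[0] == "arn"
                and parts[2] == "iam" and parts[4] == account_id and parts[5] == "root"):
            return True
    return False

def missing_pull_actions(policy_text, account_id):
    """Return the pull actions that no Allow statement grants to account_id.

    policy_text is the repository policy JSON, or None when the repository
    has no policy at all. Deny statements and Condition blocks are not
    evaluated, so an empty result means "granted", not "guaranteed to work".
    """
    missing = set(PULL_ACTIONS)
    if not policy_text:
        return missing
    for stmt in _as_list(json.loads(policy_text).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _names_account(stmt.get("Principal"), account_id):
            continue
        for pattern in _as_list(stmt.get("Action")):  # patterns may contain wildcards
            missing -= {a for a in PULL_ACTIONS if fnmatchcase(a.lower(), pattern.lower())}
    return missing

# Constructed sample policies; the account id is a placeholder, not from the issue.
PROD = "444455556666"
EDITED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowProdPull", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{PROD}:root"},
    "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
               "ecr:BatchCheckLayerAvailability"]}]})
REVERTED = json.dumps({"Version": "2012-10-17", "Statement": []})
```

Running the check on the policy fetched before and after the command shows whether the grant was dropped: an empty set means the account still has all three pull actions.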

I think creating a scheduled job probably makes the most sense. Thank you!

benjaminpottier avatar Oct 07 '22 11:10 benjaminpottier

This issue is stale because it has been open 60 days with no response activity. Remove the stale label, add a comment, or this will be closed in 14 days.

github-actions[bot] avatar Sep 11 '23 00:09 github-actions[bot]

This issue is closed due to inactivity. Feel free to reopen the issue if you have any further questions!

github-actions[bot] avatar Sep 26 '23 00:09 github-actions[bot]