From e2ae384243d7cbb04a2a1500a836d7e1af001311 Mon Sep 17 00:00:00 2001
From: Jonathan Goldwasser
Date: Wed, 12 May 2021 14:43:04 +0200
Subject: [PATCH] fix(bootstrap): image publishing role doesn't have docker pull permissions

Using a common docker asset as base image for other docker assets requires the image publishing role to have the `ecr:BatchGetImage`, `ecr:GetDownloadUrlForLayer` and `ecr:InitiateLayerUpload` permissions.

Closes #14656
---
 packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
index b541401f930e7..5adfe74b5d2fe 100644
--- a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
+++ b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
@@ -279,6 +279,9 @@ Resources:
 - ecr:BatchCheckLayerAvailability
 - ecr:DescribeRepositories
 - ecr:DescribeImages
+ - ecr:BatchGetImage
+ - ecr:GetDownloadUrlForLayer
+ - ecr:InitiateLayerUpload
 Resource:
 Fn::Sub: "${ContainerAssetsRepository.Arn}"
 Effect: Allow
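Review bot: `ecr:InitiateLayerUpload` in the added lines is a push-side action, so it does not belong with the pull permissions the commit message describes; pulling a base image from the assets repository needs only `ecr:BatchGetImage` and `ecr:GetDownloadUrlForLayer` on top of the `ecr:BatchCheckLayerAvailability` already listed. The statement's action list starts above the hunk, so it may already grant the upload actions a publishing role needs, in which case this entry is a duplicate; either way I would drop the `- ecr:InitiateLayerUpload` line so the grant matches the stated purpose. The two read actions stay scoped to `${ContainerAssetsRepository.Arn}`, which keeps the role from pulling from other repositories in the account; a short comment above them such as `# read access so docker assets can use another asset in this repository as a base image` would record why a publishing role can pull.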