
Commit abb5af6

docs(ecr-assets): fixes documentation for cross-account access to dockerImageAsset ECR repository (#29766)
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

#13327 (Only a docs update, does not fix the underlying issue)

### Reason for this change

In cdkv2, it is no longer possible to add permissions on the repository for `dockerImageAsset`, but the docs were not updated.

### Description of changes

Updates documentation for aws-ecr-assets. Mentions that it is no longer possible to grant repository permissions on `dockerImageAsset` for cross-account access and provides possible alternate routes.

### Description of how you validated changes

Rebuild the affected doc. No, docs change only

### Checklist

- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

1 parent f1fd56a commit abb5af6


1 file changed

+3
-4
lines changed


packages/aws-cdk-lib/aws-ecr-assets/README.md

@@ -207,8 +207,7 @@ method. This will modify the IAM policy of the principal to allow it to
207207
pull images from this repository.
208208

209209
If the pulling principal is not in the same account or is an AWS service that
210-
doesn't assume a role in your account (e.g. AWS CodeBuild), pull permissions
211-
must be granted on the __resource policy__ (and not on the principal's policy).
212-
To do that, you can use `asset.repository.addToResourcePolicy(statement)` to
213-
grant the desired principal the following permissions: "ecr:GetDownloadUrlForLayer",
210+
doesn't assume a role in your account (e.g. AWS CodeBuild), you must either copy the image to a new repository, or
211+
grant pull permissions on the resource policy of the repository. Since the repository is managed by the CDK bootstrap stack,
212+
the following permissions must be granted there, or granted manually on the repository: "ecr:GetDownloadUrlForLayer",
214213
"ecr:BatchGetImage" and "ecr:BatchCheckLayerAvailability".
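
Review bot: On added line 212, "must be granted there" has no clear antecedent. The preceding clause names both "the repository" and "the CDK bootstrap stack", so a reader cannot tell whether "there" means the bootstrap stack's template or something else, and the sentence then offers "granted manually on the repository" as if it were a different place. Suggest naming the target explicitly, for example "must be granted in the bootstrap stack that defines the repository, or added manually to the repository's resource policy". Because the text itself says the repository is managed by the bootstrap stack, it would also help to state whether a manually added policy statement survives a later update of that stack, and to tell the reader to scope the statement's principal to the specific pulling account or service rather than leaving it open. The first alternative on added line 210, "copy the image to a new repository", is given with no pointer to how that is done or how permissions are then granted on the copy; a short link or sentence would make it actionable. As a style point, added lines 210 to 212 run well past the wrap width used by the unchanged lines around them.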
