@go-to-k/cdkd 0.117.1 → 0.118.0

package/dist/cli.js

@@ -7901,11 +7901,12 @@ var DynamoDBTableProvider = class {
 *    is surfaced for BOTH the LOCAL replica AND cross-region replicas
 *    via per-region SDK clients (cached in `regionalClientCache` for
 *    the deploy run). Issue #389 lifted the v1 LOCAL-only limitation.
-*  - Cross-region replica Tags propagation (Issue #389): when the
-*    update path detects a Tags-only diff on a non-local replica,
-*    cdkd resolves the replica's table ARN by swapping the region
-*    segment of the local ARN and issues `TagResource` /
-*    `UntagResource` against a per-region client.
+*  - Cross-region replica Tags propagation (Issue #389 / #441):
+*    BOTH `create()` and `update()` resolve each non-local replica's
+*    table ARN by swapping the region segment of the local ARN and
+*    issue `TagResource` / `UntagResource` against a per-region
+*    client. The shared helper `applyCrossRegionReplicaTagsDiff`
+*    centralizes the diff + best-effort WARN-on-failure contract.
 */
 var DynamoDBGlobalTableProvider = class {
 	dynamoDBClient;
@@ -8114,6 +8115,13 @@ var DynamoDBGlobalTableProvider = class {
 				if (!region || region === currentRegion) continue;
 				await this.addReplica(tableName, replica, region, logicalId);
 			}
+			for (const replica of replicas) {
+				const region = replica["Region"];
+				if (!region || region === currentRegion) continue;
+				const replicaTags = replica["Tags"];
+				if (!replicaTags || replicaTags.length === 0) continue;
+				await this.applyCrossRegionReplicaTagsDiff(tableInfo.tableArn, region, void 0, replicaTags, tableName);
+			}
 			if (properties["TimeToLiveSpecification"]) {
 				const ttl = properties["TimeToLiveSpecification"];
 				const attributeName = ttl["AttributeName"];
@@ -8299,6 +8307,8 @@ var DynamoDBGlobalTableProvider = class {
 				const region = replica["Region"];
 				if (!region || region === currentRegion) continue;
 				await this.addReplica(physicalId, replica, region, logicalId);
+				const newReplicaTags = replica["Tags"];
+				await this.applyCrossRegionReplicaTagsDiff(tableArn, region, void 0, newReplicaTags, physicalId);
 				const newReadAutoScaling = (replica["ReadProvisionedThroughputSettings"] ?? {})["ReadCapacityAutoScalingSettings"];
 				if (newBilling === "PROVISIONED" && newReadAutoScaling) {
 					const regionalAutoScalingClient = this.getRegionalAutoScalingClient(region);
@@ -8311,16 +8321,7 @@ var DynamoDBGlobalTableProvider = class {
 				const oldReplica = (previousProperties["Replicas"] ?? []).find((r) => r["Region"] === region);
 				const oldReplicaTags = oldReplica?.["Tags"];
 				const newReplicaTags = replica["Tags"];
-				if (!deepEqual$1(oldReplicaTags, newReplicaTags)) if (tableArn) {
-					const replicaArn = this.replicaArnForRegion(tableArn, region);
-					if (replicaArn) try {
-						const regionalClient = this.getRegionalClient(region);
-						await this.applyTagDiffOnClient(regionalClient, replicaArn, oldReplicaTags, newReplicaTags);
-					} catch (tagErr) {
-						this.logger.warn(`Could not apply Tags diff to cross-region replica ${region} of ${physicalId}: ${tagErr instanceof Error ? tagErr.message : String(tagErr)}. The replica's Tags state will surface as drift until the next successful deploy.`);
-					}
-					else this.logger.warn(`Could not derive replica ARN for region ${region} from ${tableArn} — skipping Tags propagation for ${physicalId}`);
-				} else this.logger.warn(`Local DescribeTable returned no TableArn — cannot propagate Tags to cross-region replica ${region} of ${physicalId}`);
+				await this.applyCrossRegionReplicaTagsDiff(tableArn, region, oldReplicaTags, newReplicaTags, physicalId);
 				const oldReadAutoScaling = (oldReplica?.["ReadProvisionedThroughputSettings"] ?? {})["ReadCapacityAutoScalingSettings"];
 				const newReadAutoScaling = (replica["ReadProvisionedThroughputSettings"] ?? {})["ReadCapacityAutoScalingSettings"];
 				const effectiveNewReadAutoScaling = newBilling === "PAY_PER_REQUEST" ? void 0 : newReadAutoScaling;
@@ -8439,10 +8440,49 @@ var DynamoDBGlobalTableProvider = class {
 		await this.applyTagDiffOnClient(this.dynamoDBClient, tableArn, oldTagsRaw, newTagsRaw);
 	}
 	/**
+	* Propagate a per-replica Tags diff to ONE cross-region replica via a
+	* per-region client (Issue #389 / #441 — closes the create-side gap).
+	* Centralizes the common shape used by BOTH `create()` (`oldTags`
+	* undefined → every new tag is an add) and `update()` (per-replica
+	* modify path's old-vs-new diff). Best-effort: a failure here logs at
+	* WARN naming the offending region + ARN + reason and the deploy
+	* continues — the cross-region Tags state will surface as drift on
+	* the next run (or `cdkd drift --revert`) rather than aborting the
+	* deploy mid-flight. Mirrors the autoscaling diff's failure contract
+	* (PR #393).
+	*
+	* `tableArn` is the LOCAL replica's table ARN (returned by the
+	* post-create `waitForTableActive` or the inline `DescribeTable` in
+	* `update()`); the helper swaps the region segment via
+	* `replicaArnForRegion` before issuing `TagResource` / `UntagResource`
+	* against the per-region client.
+	*
+	* No-op when `oldTags` deep-equals `newTags` — the caller is allowed
+	* to invoke unconditionally without first diffing.
+	*/
+	async applyCrossRegionReplicaTagsDiff(tableArn, region, oldTags, newTags, physicalIdForLogs) {
+		if (deepEqual$1(oldTags, newTags)) return;
+		if (!tableArn) {
+			this.logger.warn(`Local DescribeTable returned no TableArn — cannot propagate Tags to cross-region replica ${region} of ${physicalIdForLogs}`);
+			return;
+		}
+		const replicaArn = this.replicaArnForRegion(tableArn, region);
+		if (!replicaArn) {
+			this.logger.warn(`Could not derive replica ARN for region ${region} from ${tableArn} — skipping Tags propagation for ${physicalIdForLogs}`);
+			return;
+		}
+		try {
+			const regionalClient = this.getRegionalClient(region);
+			await this.applyTagDiffOnClient(regionalClient, replicaArn, oldTags, newTags);
+		} catch (tagErr) {
+			this.logger.warn(`Could not apply Tags diff to cross-region replica ${region} of ${physicalIdForLogs}: ${tagErr instanceof Error ? tagErr.message : String(tagErr)}. The replica's Tags state will surface as drift until the next successful deploy.`);
+		}
+	}
+	/**
 	* Apply a Tags diff against the given `DynamoDBClient` (which may be
 	* the local client or a per-region client returned by
 	* `getRegionalClient`). Used by the local-replica path AND the
-	* cross-region replica Tags propagation path (Issue #389).
+	* cross-region replica Tags propagation path (Issue #389 / #441).
 	*/
 	async applyTagDiffOnClient(client, tableArn, oldTagsRaw, newTagsRaw) {
 		const toMap = (tags) => {
@@ -8732,9 +8772,12 @@ var DynamoDBGlobalTableProvider = class {
 	*
 	* Per-replica sub-specifications (`ContributorInsightsSpecification` /
 	* `PointInTimeRecoverySpecification` / `KinesisStreamSpecification`)
-	* are surfaced only for the LOCAL replica. Cross-region replicas
-	* require per-region SDK clients (`new DynamoDBClient({region})`),
-	* deferred to a follow-up PR.
+	* are surfaced for BOTH the LOCAL replica AND cross-region replicas
+	* via per-region SDK clients cached in `regionalClientCache` (Issue
+	* #389 lifted the v1 LOCAL-only limitation; the per-replica reads
+	* happen in `readReplicaSubSpecs` below). Each cross-region call is
+	* best-effort — a permissions gap in one region omits the offending
+	* key rather than aborting the whole drift read.
 	*/
 	async readCurrentState(physicalId, _logicalId, _resourceType) {
 		try {
@@ -37254,8 +37297,11 @@ function buildSubstitutionContextFromImageContext(context) {
 *     `physicalId`, and `Fn::GetAtt: [<Repo>, 'RepositoryUri']` shapes
 *     are resolved via the same state record.
 *
-* Tier 3 (cross-account / cross-region pull) is deferred — `pullEcrImage`
-* surfaces the same workaround pointer it already does.
+* Cross-account / cross-region pull (#455): `pullEcrImage` auto-detects
+* cross-account from `sts:GetCallerIdentity` and authenticates against
+* the URI's region directly. Pass `--ecr-role-arn <arn>` when the caller
+* does not already have cross-account `ecr:GetAuthorizationToken` /
+* `ecr:BatchGetImage` access on the target repository.
 */
 function parseContainerImage(raw, containerName, taskLogicalId, resources, _stack, context) {
 	const getAttImage = tryResolveImageGetAtt(raw, resources, context);
@@ -37926,16 +37972,26 @@ function redactAwsCredentialsInArgs(args) {
 //#endregion
 //#region src/local/ecr-puller.ts
 /**
-* ECR pull fallback for `cdkd local invoke` against deployed container
-* Lambdas (PR 5, D5.2). When `Code.ImageUri` resolves to an ECR URI but
+* ECR pull fallback for `cdkd local invoke` / `cdkd local start-api` /
+* `cdkd local run-task`. When the image URI resolves to an ECR repo but
 * doesn't match any cdk.out asset (typical when invoking a stack
-* deployed elsewhere), cdkd attempts `docker pull` against the same
-* account/region.
-*
-* **Same-account / same-region only**:
-*   - Cross-account requires AssumeRole + a different ECR client. Hard
-*     error with a pointer at the deferred follow-up PR.
-*   - Cross-region requires a region-aware ECR client. Same hard error.
+* deployed elsewhere or sharing a centralized registry), cdkd
+* authenticates against the target registry and runs `docker pull`.
+*
+* **Cross-account / cross-region** (#455):
+*   - Same-account, same-region: fast path. No STS hop. The default
+*     credential chain is used directly for `ecr:GetAuthorizationToken`.
+*   - `ecrRoleArn` is provided: `sts:AssumeRole` is issued via the
+*     default credential chain to obtain temporary credentials for the
+*     target account. The resulting credentials authenticate the ECR
+*     client (regardless of region — the ECR client is built for the
+*     URI's region, which can differ from the caller's profile region).
+*   - Cross-account, NO `ecrRoleArn`: cdkd falls through to the
+*     default credential chain. This works when the caller has been
+*     granted cross-account `ecr:GetAuthorizationToken` +
+*     `ecr:BatchGetImage` permissions on the target repository via an
+*     IAM policy; otherwise AWS rejects the call with `AccessDenied`
+*     and the user is pointed at `--ecr-role-arn`.
 *
 * The `--no-pull` semantics (C3 in the design doc):
 *   - When NOT set: `ecrLogin` + `docker pull <uri>`.
@@ -37962,34 +38018,87 @@ function parseEcrUri(imageUri) {
 	};
 }
 /**
-* Pull (or verify locally cached) a container Lambda image from ECR.
+* Module-level cache for STS-issued AssumeRole credentials, keyed by
+* `(ecrRoleArn, callerRegion)`. Closes the reviewer's MAJOR finding: ECS
+* run-task with N containers under one `--ecr-role-arn` would otherwise issue
+* N× `AssumeRole` and N× `GetCallerIdentity` for identical credentials valid
+* for 3600s. The cache keeps a 5-minute safety margin against the recorded
+* `Expiration` so STS-side / local-clock skew never lets a stale entry through.
 *
-* Verifies same-account / same-region against the caller's STS identity
-* before issuing any docker command. Returns the image URI the caller
-* should pass to `docker run` (same as the input — no rewriting).
+* Cache key is intentionally `(roleArn, region)` rather than full caller
+* identity — STS issues per-region session creds, and a switch of `--region`
+* between two `local invoke` calls in the same process must re-issue.
+*
+* NOT cleared on process exit — Node's module scope evaporates with the
+* process, and no inter-process sharing is desired (each `cdkd local invoke`
+* is its own isolated runtime).
+*/
+const ASSUMED_ROLE_CACHE = /* @__PURE__ */ new Map();
+/**
+* Module-level cache for `STS:GetCallerIdentity`. The result is identity-only
+* (`Account`) and invariant for the lifetime of the process under one set of
+* default credentials. Keyed by `callerRegion` to avoid a cross-region leak
+* when the caller flips `AWS_REGION` mid-process (STS is global but the SDK
+* uses regional endpoints; the result is invariant in practice, but we key
+* on region for safety).
+*/
+const CALLER_IDENTITY_CACHE = /* @__PURE__ */ new Map();
+/** 5-minute safety margin against the recorded STS expiration timestamp. */
+const STS_CREDENTIAL_SAFETY_MARGIN_MS = 300 * 1e3;
+function isCredentialFresh(creds) {
+	if (!creds.expiration) return false;
+	return creds.expiration.getTime() - Date.now() > STS_CREDENTIAL_SAFETY_MARGIN_MS;
+}
+/**
+* Pull (or verify locally cached) a container image from ECR.
+*
+* Auto-detects cross-account from `STS:GetCallerIdentity` and assumes
+* the supplied role when set. Returns the image URI the caller should
+* pass to `docker run` (same as the input — no rewriting).
 */
 async function pullEcrImage(imageUri, options) {
 	const logger = getLogger().child("ecr-puller");
 	const parsed = parseEcrUri(imageUri);
 	if (!parsed) throw new LocalInvokeBuildError(`Image URI '${imageUri}' is not an ECR URI. cdkd local invoke v1 only authenticates against ECR for the deployed-image fallback path.`);
-	const sts = new STSClient({ region: parsed.region });
-	let callerAccount;
-	try {
-		const identity = await sts.send(new GetCallerIdentityCommand({}));
-		if (!identity.Account) throw new LocalInvokeBuildError("STS GetCallerIdentity returned no Account. Verify your AWS credentials.");
-		callerAccount = identity.Account;
-	} finally {
-		sts.destroy();
-	}
-	if (callerAccount !== parsed.accountId) throw new LocalInvokeBuildError(`Image URI '${imageUri}' is in account ${parsed.accountId}, but the caller is ${callerAccount}. Cross-account ECR pull is not supported in cdkd local invoke v1 — deferred to a follow-up PR. Workaround: assume a role in the target account before invoking, or build the image locally with \`cdkd local invoke -a cdk.out\` (no ECR pull).`);
 	const callerRegion = options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"];
-	if (callerRegion && callerRegion !== parsed.region) throw new LocalInvokeBuildError(`Image URI '${imageUri}' is in region ${parsed.region}, but the caller's region is ${callerRegion}. Cross-region ECR pull is not supported in cdkd local invoke v1 — deferred to a follow-up PR. Workaround: re-run with AWS_REGION=${parsed.region} set, or build the image locally with -a cdk.out.`);
 	if (options.skipPull) {
 		logger.info(`Skipping ECR pull (--no-pull). Verifying ${imageUri} is in local cache...`);
 		await verifyImageInLocalCache(imageUri);
 		return imageUri;
 	}
-	const ecr = new ECRClient({ region: parsed.region });
+	const callerIdentityKey = callerRegion ?? "_unset";
+	let callerAccount = CALLER_IDENTITY_CACHE.get(callerIdentityKey);
+	if (callerAccount === void 0) {
+		const sts = new STSClient({ ...callerRegion && { region: callerRegion } });
+		try {
+			const identity = await sts.send(new GetCallerIdentityCommand({}));
+			if (!identity.Account) throw new LocalInvokeBuildError("STS GetCallerIdentity returned no Account. Verify your AWS credentials.");
+			callerAccount = identity.Account;
+			CALLER_IDENTITY_CACHE.set(callerIdentityKey, callerAccount);
+		} finally {
+			sts.destroy();
+		}
+	}
+	const crossAccount = callerAccount !== parsed.accountId;
+	const crossRegion = callerRegion !== void 0 && callerRegion !== parsed.region;
+	let assumed;
+	if (options.ecrRoleArn) {
+		const cacheKey = `${options.ecrRoleArn}|${callerRegion ?? "_unset"}`;
+		const cached = ASSUMED_ROLE_CACHE.get(cacheKey);
+		if (cached && isCredentialFresh(cached)) {
+			assumed = cached;
+			logger.debug(`Reusing cached AssumeRole credentials for ${options.ecrRoleArn}`);
+		} else {
+			assumed = await assumeRoleForEcr(options.ecrRoleArn, callerRegion, logger);
+			ASSUMED_ROLE_CACHE.set(cacheKey, assumed);
+			logger.info(`Assumed role ${options.ecrRoleArn} for ECR pull (account=${parsed.accountId}, region=${parsed.region})`);
+		}
+	} else if (crossAccount) logger.info(`Cross-account ECR pull: image account ${parsed.accountId} != caller ${callerAccount}. Using the caller's credentials; pass --ecr-role-arn <arn> if AWS rejects with AccessDenied.`);
+	if (crossRegion) logger.info(`Cross-region ECR pull: image region ${parsed.region} != caller ${callerRegion ?? "(unset)"}. Authenticating against the image region directly.`);
+	const ecr = new ECRClient({
+		region: parsed.region,
+		...assumed && { credentials: assumed }
+	});
 	try {
 		await ecrLogin(ecr, parsed.accountId, parsed.region);
 	} finally {
@@ -38004,10 +38113,39 @@ async function pullEcrImage(imageUri, options) {
 	return imageUri;
 }
 /**
-* Authenticate the local docker daemon against the same-account ECR
-* registry. Mirrors `DockerAssetPublisher.ecrLogin` but stays in this
-* module so the local-invoke path doesn't depend on the publisher's
-* larger surface area.
+* Assume the supplied role via the SDK default credential chain and
+* return the resulting temporary credentials. The STS client is built
+* with the caller's profile region (or unset) — STS is a global
+* service so the region is informational, but threading it through
+* mirrors the convention used by `src/utils/role-arn.ts`.
+*/
+async function assumeRoleForEcr(roleArn, callerRegion, logger) {
+	logger.debug(`Assuming role ${roleArn} for ECR pull...`);
+	const sts = new STSClient({ ...callerRegion && { region: callerRegion } });
+	try {
+		const creds = (await sts.send(new AssumeRoleCommand({
+			RoleArn: roleArn,
+			RoleSessionName: `cdkd-local-ecr-${Date.now()}`,
+			DurationSeconds: 3600
+		}))).Credentials;
+		if (!creds || !creds.AccessKeyId || !creds.SecretAccessKey || !creds.SessionToken) throw new LocalInvokeBuildError(`AssumeRole(${roleArn}) returned no usable credentials. Verify the role's trust policy allows your identity to assume it.`);
+		return {
+			accessKeyId: creds.AccessKeyId,
+			secretAccessKey: creds.SecretAccessKey,
+			sessionToken: creds.SessionToken,
+			...creds.Expiration && { expiration: creds.Expiration }
+		};
+	} catch (err) {
+		if (err instanceof LocalInvokeBuildError) throw err;
+		throw new LocalInvokeBuildError(`Failed to assume role ${roleArn} for ECR pull: ${err instanceof Error ? err.message : String(err)}. Verify the role exists and its trust policy permits the caller's identity to assume it.`);
+	} finally {
+		sts.destroy();
+	}
+}
+/**
+* Authenticate the local docker daemon against the target ECR registry.
+* Mirrors `DockerAssetPublisher.ecrLogin` but stays in this module so the
+* local-invoke path doesn't depend on the publisher's larger surface area.
 */
 async function ecrLogin(client, accountId, region) {
 	getLogger().child("ecr-puller").debug(`ECR login (account=${accountId}, region=${region})`);
@@ -43702,7 +43840,8 @@ async function prepareOneImage(task, container, options) {
 			return image.uri;
 		case "ecr": return pullEcrImage(image.uri, {
 			skipPull: options.skipPull,
-			...options.region !== void 0 && { region: options.region }
+			...options.region !== void 0 && { region: options.region },
+			...options.ecrRoleArn !== void 0 && { ecrRoleArn: options.ecrRoleArn }
 		});
 		case "cdk-asset": {
 			const cdkOutDir = task.stack.assetManifestPath ? dirname(task.stack.assetManifestPath) : void 0;
@@ -43956,6 +44095,7 @@ async function localRunTaskCommand(target, options) {
 		if (resolvedRoleArn) runOpts.taskRoleArn = resolvedRoleArn;
 		if (options.platform) runOpts.platformOverride = options.platform;
 		if (options.region) runOpts.region = options.region;
+		if (options.ecrRoleArn) runOpts.ecrRoleArn = options.ecrRoleArn;
 		const result = await runEcsTask(task, runOpts, state);
 		if (options.detach) {
 			logger.info("Task containers started in detached mode; cdkd is exiting.");
@@ -44105,7 +44245,7 @@ function readEnvOverridesFile$1(filePath) {
 	return parsed;
 }
 function createLocalRunTaskCommand() {
-	const cmd = new Command("run-task").description("Run an AWS::ECS::TaskDefinition locally — pulls/builds images, sets up a per-task docker network with the AWS-published metadata-endpoints sidecar, and starts every container in dependsOn order. Target accepts a CDK display path (MyStack/MyService/TaskDef) or stack-qualified logical ID (MyStack:MyServiceTaskDefXYZ1234). Single-stack apps may omit the stack prefix.").argument("<target>", "CDK display path or stack-qualified logical ID of the AWS::ECS::TaskDefinition to run").addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default("cdkd-local")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed function role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--keep-running", "Don't docker rm -f the user containers on task exit (network + sidecar are still torn down). Use when you want to docker exec into a stopped container for post-mortems.").default(false)).addOption(new Option("--detach", "Start the containers in the background and exit (skip log streaming + auto teardown). Useful in CI smoke tests; caller manages container lifecycle.").default(false)).addOption(new Option("--from-state", "Read cdkd S3 state for the target stack and substitute Fn::Sub / Fn::GetAtt references to same-stack AWS::ECR::Repository resources with the deployed URI. Off by default — only the AWS pseudo-parameter tier (${AWS::AccountId} / ${AWS::Region}) is resolved without this flag.").default(false)).addOption(new Option("--stack-region <region>", "Region of the cdkd state record to read (used with --from-state when the same stack name has state in multiple regions).")).action(withErrorHandling(localRunTaskCommand));
+	const cmd = new Command("run-task").description("Run an AWS::ECS::TaskDefinition locally — pulls/builds images, sets up a per-task docker network with the AWS-published metadata-endpoints sidecar, and starts every container in dependsOn order. Target accepts a CDK display path (MyStack/MyService/TaskDef) or stack-qualified logical ID (MyStack:MyServiceTaskDefXYZ1234). Single-stack apps may omit the stack prefix.").argument("<target>", "CDK display path or stack-qualified logical ID of the AWS::ECS::TaskDefinition to run").addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default("cdkd-local")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed function role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries (#455). Issues sts:AssumeRole via the default credential chain and uses the temporary credentials for ecr:GetAuthorizationToken + docker pull. Required when the caller does not have direct cross-account access to the target repository. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--keep-running", "Don't docker rm -f the user containers on task exit (network + sidecar are still torn down). Use when you want to docker exec into a stopped container for post-mortems.").default(false)).addOption(new Option("--detach", "Start the containers in the background and exit (skip log streaming + auto teardown). Useful in CI smoke tests; caller manages container lifecycle.").default(false)).addOption(new Option("--from-state", "Read cdkd S3 state for the target stack and substitute Fn::Sub / Fn::GetAtt references to same-stack AWS::ECR::Repository resources with the deployed URI. Off by default — only the AWS pseudo-parameter tier (${AWS::AccountId} / ${AWS::Region}) is resolved without this flag.").default(false)).addOption(new Option("--stack-region <region>", "Region of the cdkd state record to read (used with --from-state when the same stack name has state in multiple regions).")).action(withErrorHandling(localRunTaskCommand));
 	[
 		...commonOptions,
 		...appOptions,
@@ -44449,7 +44589,8 @@ async function resolveContainerImagePlan(lambda, options) {
 		logger.info(`No matching cdk.out asset for ${lambda.imageUri}; falling back to ECR pull (same-acct/region only)...`);
 		imageRef = await pullEcrImage(lambda.imageUri, {
 			skipPull: options.pull === false,
-			...options.region !== void 0 && { region: options.region }
+			...options.region !== void 0 && { region: options.region },
+			...options.ecrRoleArn !== void 0 && { ecrRoleArn: options.ecrRoleArn }
 		});
 	}
 	const tmpfs = resolveTmpfsForLambda(lambda);
@@ -44743,7 +44884,7 @@ function pickReferencedLogicalId(intrinsic) {
 */
 function createLocalCommand() {
 	const local = new Command("local").description("Local execution of Lambda functions (RIE) and ECS task definitions (Docker required)");
-	const invoke = new Command("invoke").description("Run a Lambda function locally in a Docker container (RIE-backed). Target accepts a CDK display path (MyStack/MyApi/Handler) or stack-qualified logical ID (MyStack:MyApiHandler1234ABCD). Single-stack apps may omit the stack prefix.").argument("<target>", "CDK display path or stack-qualified logical ID of the Lambda to invoke").addOption(new Option("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option("--event-stdin", "Read event JSON from stdin").default(false)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}})")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for IMAGE local-build path; `docker build` does not pull base layers by default")).addOption(new Option("--no-build", "Skip docker build on the IMAGE local-build path (use the previously-built tag). Requires the deterministic tag to already be in the local registry; errors with an actionable message when missing. No-op for ZIP Lambdas and the IMAGE ECR-pull path. Compatible with --no-pull.")).addOption(new Option("--debug-port <port>", "Node --inspect-brk port (default: off)")).addOption(new Option("--container-host <host>", "Host to bind the RIE port to").default("127.0.0.1")).addOption(new Option("--assume-role [arn]", "Assume the Lambda's deployed execution role and forward STS-issued temp credentials to the container so the handler runs with the deployed function's narrow permissions (closes the \"developer admin / function narrow\" skew). Three forms: (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) auto-resolves the function's execution role ARN from cdkd state (requires --from-state); (3) `--no-assume-role` explicitly opts out (forces dev creds even with --from-state). Off by default — when omitted, the developer's shell credentials are forwarded unchanged (SAM-compatible default). STS failures degrade to a warn + dev-creds fallback.")).addOption(new Option("--from-state", "Read cdkd S3 state for the target stack and substitute Ref / Fn::GetAtt / Fn::Sub in env vars with the deployed physical IDs / attributes. Off by default — keep PR 1 warn-and-drop semantics; turn on for stacks already deployed via cdkd deploy.").default(false)).addOption(new Option("--stack-region <region>", "Region of the cdkd state record to read (used with --from-state when the same stack name has state in multiple regions).")).action(withErrorHandling(localInvokeCommand));
+	const invoke = new Command("invoke").description("Run a Lambda function locally in a Docker container (RIE-backed). Target accepts a CDK display path (MyStack/MyApi/Handler) or stack-qualified logical ID (MyStack:MyApiHandler1234ABCD). Single-stack apps may omit the stack prefix.").argument("<target>", "CDK display path or stack-qualified logical ID of the Lambda to invoke").addOption(new Option("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option("--event-stdin", "Read event JSON from stdin").default(false)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}})")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for IMAGE local-build path; `docker build` does not pull base layers by default")).addOption(new Option("--no-build", "Skip docker build on the IMAGE local-build path (use the previously-built tag). Requires the deterministic tag to already be in the local registry; errors with an actionable message when missing. No-op for ZIP Lambdas and the IMAGE ECR-pull path. Compatible with --no-pull.")).addOption(new Option("--debug-port <port>", "Node --inspect-brk port (default: off)")).addOption(new Option("--container-host <host>", "Host to bind the RIE port to").default("127.0.0.1")).addOption(new Option("--assume-role [arn]", "Assume the Lambda's deployed execution role and forward STS-issued temp credentials to the container so the handler runs with the deployed function's narrow permissions (closes the \"developer admin / function narrow\" skew). Three forms: (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) auto-resolves the function's execution role ARN from cdkd state (requires --from-state); (3) `--no-assume-role` explicitly opts out (forces dev creds even with --from-state). Off by default — when omitted, the developer's shell credentials are forwarded unchanged (SAM-compatible default). STS failures degrade to a warn + dev-creds fallback.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries (#455). Issues sts:AssumeRole via the default credential chain and uses the temporary credentials for ecr:GetAuthorizationToken + docker pull. Required when the caller does not have direct cross-account access to the target repository. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--from-state", "Read cdkd S3 state for the target stack and substitute Ref / Fn::GetAtt / Fn::Sub in env vars with the deployed physical IDs / attributes. Off by default — keep PR 1 warn-and-drop semantics; turn on for stacks already deployed via cdkd deploy.").default(false)).addOption(new Option("--stack-region <region>", "Region of the cdkd state record to read (used with --from-state when the same stack name has state in multiple regions).")).action(withErrorHandling(localInvokeCommand));
 	[
 		...commonOptions,
 		...appOptions,
@@ -46031,7 +46172,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.117.1");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.118.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());