@go-to-k/cdkd 0.117.2 → 0.119.0

package/dist/cli.js

@@ -37297,8 +37297,11 @@ function buildSubstitutionContextFromImageContext(context) {
 *     `physicalId`, and `Fn::GetAtt: [<Repo>, 'RepositoryUri']` shapes
 *     are resolved via the same state record.
 *
-* Tier 3 (cross-account / cross-region pull) is deferred — `pullEcrImage`
-* surfaces the same workaround pointer it already does.
+* Cross-account / cross-region pull (#455): `pullEcrImage` auto-detects
+* cross-account from `sts:GetCallerIdentity` and authenticates against
+* the URI's region directly. Pass `--ecr-role-arn <arn>` when the caller
+* does not already have cross-account `ecr:GetAuthorizationToken` /
+* `ecr:BatchGetImage` access on the target repository.
 */
 function parseContainerImage(raw, containerName, taskLogicalId, resources, _stack, context) {
 	const getAttImage = tryResolveImageGetAtt(raw, resources, context);
@@ -37969,16 +37972,26 @@ function redactAwsCredentialsInArgs(args) {
 //#endregion
 //#region src/local/ecr-puller.ts
 /**
-* ECR pull fallback for `cdkd local invoke` against deployed container
-* Lambdas (PR 5, D5.2). When `Code.ImageUri` resolves to an ECR URI but
+* ECR pull fallback for `cdkd local invoke` / `cdkd local start-api` /
+* `cdkd local run-task`. When the image URI resolves to an ECR repo but
 * doesn't match any cdk.out asset (typical when invoking a stack
-* deployed elsewhere), cdkd attempts `docker pull` against the same
-* account/region.
-*
-* **Same-account / same-region only**:
-*   - Cross-account requires AssumeRole + a different ECR client. Hard
-*     error with a pointer at the deferred follow-up PR.
-*   - Cross-region requires a region-aware ECR client. Same hard error.
+* deployed elsewhere or sharing a centralized registry), cdkd
+* authenticates against the target registry and runs `docker pull`.
+*
+* **Cross-account / cross-region** (#455):
+*   - Same-account, same-region: fast path. No STS hop. The default
+*     credential chain is used directly for `ecr:GetAuthorizationToken`.
+*   - `ecrRoleArn` is provided: `sts:AssumeRole` is issued via the
+*     default credential chain to obtain temporary credentials for the
+*     target account. The resulting credentials authenticate the ECR
+*     client (regardless of region — the ECR client is built for the
+*     URI's region, which can differ from the caller's profile region).
+*   - Cross-account, NO `ecrRoleArn`: cdkd falls through to the
+*     default credential chain. This works when the caller has been
+*     granted cross-account `ecr:GetAuthorizationToken` +
+*     `ecr:BatchGetImage` permissions on the target repository via an
+*     IAM policy; otherwise AWS rejects the call with `AccessDenied`
+*     and the user is pointed at `--ecr-role-arn`.
 *
 * The `--no-pull` semantics (C3 in the design doc):
 *   - When NOT set: `ecrLogin` + `docker pull <uri>`.
@@ -38005,34 +38018,87 @@ function parseEcrUri(imageUri) {
 	};
 }
 /**
-* Pull (or verify locally cached) a container Lambda image from ECR.
+* Module-level cache for STS-issued AssumeRole credentials, keyed by
+* `(ecrRoleArn, callerRegion)`. Closes the reviewer's MAJOR finding: ECS
+* run-task with N containers under one `--ecr-role-arn` would otherwise issue
+* N× `AssumeRole` and N× `GetCallerIdentity` for identical credentials valid
+* for 3600s. The cache keeps a 5-minute safety margin against the recorded
+* `Expiration` so STS-side / local-clock skew never lets a stale entry through.
+*
+* Cache key is intentionally `(roleArn, region)` rather than full caller
+* identity — STS issues per-region session creds, and a switch of `--region`
+* between two `local invoke` calls in the same process must re-issue.
+*
+* NOT cleared on process exit — Node's module scope evaporates with the
+* process, and no inter-process sharing is desired (each `cdkd local invoke`
+* is its own isolated runtime).
+*/
+const ASSUMED_ROLE_CACHE = /* @__PURE__ */ new Map();
+/**
+* Module-level cache for `STS:GetCallerIdentity`. The result is identity-only
+* (`Account`) and invariant for the lifetime of the process under one set of
+* default credentials. Keyed by `callerRegion` to avoid a cross-region leak
+* when the caller flips `AWS_REGION` mid-process (STS is global but the SDK
+* uses regional endpoints; the result is invariant in practice, but we key
+* on region for safety).
+*/
+const CALLER_IDENTITY_CACHE = /* @__PURE__ */ new Map();
+/** 5-minute safety margin against the recorded STS expiration timestamp. */
+const STS_CREDENTIAL_SAFETY_MARGIN_MS = 300 * 1e3;
+function isCredentialFresh(creds) {
+	if (!creds.expiration) return false;
+	return creds.expiration.getTime() - Date.now() > STS_CREDENTIAL_SAFETY_MARGIN_MS;
+}
+/**
+* Pull (or verify locally cached) a container image from ECR.
 *
-* Verifies same-account / same-region against the caller's STS identity
-* before issuing any docker command. Returns the image URI the caller
-* should pass to `docker run` (same as the input — no rewriting).
+* Auto-detects cross-account from `STS:GetCallerIdentity` and assumes
+* the supplied role when set. Returns the image URI the caller should
+* pass to `docker run` (same as the input — no rewriting).
 */
 async function pullEcrImage(imageUri, options) {
 	const logger = getLogger().child("ecr-puller");
 	const parsed = parseEcrUri(imageUri);
 	if (!parsed) throw new LocalInvokeBuildError(`Image URI '${imageUri}' is not an ECR URI. cdkd local invoke v1 only authenticates against ECR for the deployed-image fallback path.`);
-	const sts = new STSClient({ region: parsed.region });
-	let callerAccount;
-	try {
-		const identity = await sts.send(new GetCallerIdentityCommand({}));
-		if (!identity.Account) throw new LocalInvokeBuildError("STS GetCallerIdentity returned no Account. Verify your AWS credentials.");
-		callerAccount = identity.Account;
-	} finally {
-		sts.destroy();
-	}
-	if (callerAccount !== parsed.accountId) throw new LocalInvokeBuildError(`Image URI '${imageUri}' is in account ${parsed.accountId}, but the caller is ${callerAccount}. Cross-account ECR pull is not supported in cdkd local invoke v1 — deferred to a follow-up PR. Workaround: assume a role in the target account before invoking, or build the image locally with \`cdkd local invoke -a cdk.out\` (no ECR pull).`);
 	const callerRegion = options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"];
-	if (callerRegion && callerRegion !== parsed.region) throw new LocalInvokeBuildError(`Image URI '${imageUri}' is in region ${parsed.region}, but the caller's region is ${callerRegion}. Cross-region ECR pull is not supported in cdkd local invoke v1 — deferred to a follow-up PR. Workaround: re-run with AWS_REGION=${parsed.region} set, or build the image locally with -a cdk.out.`);
 	if (options.skipPull) {
 		logger.info(`Skipping ECR pull (--no-pull). Verifying ${imageUri} is in local cache...`);
 		await verifyImageInLocalCache(imageUri);
 		return imageUri;
 	}
-	const ecr = new ECRClient({ region: parsed.region });
+	const callerIdentityKey = callerRegion ?? "_unset";
+	let callerAccount = CALLER_IDENTITY_CACHE.get(callerIdentityKey);
+	if (callerAccount === void 0) {
+		const sts = new STSClient({ ...callerRegion && { region: callerRegion } });
+		try {
+			const identity = await sts.send(new GetCallerIdentityCommand({}));
+			if (!identity.Account) throw new LocalInvokeBuildError("STS GetCallerIdentity returned no Account. Verify your AWS credentials.");
+			callerAccount = identity.Account;
+			CALLER_IDENTITY_CACHE.set(callerIdentityKey, callerAccount);
+		} finally {
+			sts.destroy();
+		}
+	}
+	const crossAccount = callerAccount !== parsed.accountId;
+	const crossRegion = callerRegion !== void 0 && callerRegion !== parsed.region;
+	let assumed;
+	if (options.ecrRoleArn) {
+		const cacheKey = `${options.ecrRoleArn}|${callerRegion ?? "_unset"}`;
+		const cached = ASSUMED_ROLE_CACHE.get(cacheKey);
+		if (cached && isCredentialFresh(cached)) {
+			assumed = cached;
+			logger.debug(`Reusing cached AssumeRole credentials for ${options.ecrRoleArn}`);
+		} else {
+			assumed = await assumeRoleForEcr(options.ecrRoleArn, callerRegion, logger);
+			ASSUMED_ROLE_CACHE.set(cacheKey, assumed);
+			logger.info(`Assumed role ${options.ecrRoleArn} for ECR pull (account=${parsed.accountId}, region=${parsed.region})`);
+		}
+	} else if (crossAccount) logger.info(`Cross-account ECR pull: image account ${parsed.accountId} != caller ${callerAccount}. Using the caller's credentials; pass --ecr-role-arn <arn> if AWS rejects with AccessDenied.`);
+	if (crossRegion) logger.info(`Cross-region ECR pull: image region ${parsed.region} != caller ${callerRegion ?? "(unset)"}. Authenticating against the image region directly.`);
+	const ecr = new ECRClient({
+		region: parsed.region,
+		...assumed && { credentials: assumed }
+	});
 	try {
 		await ecrLogin(ecr, parsed.accountId, parsed.region);
 	} finally {
@@ -38047,10 +38113,39 @@ async function pullEcrImage(imageUri, options) {
 	return imageUri;
 }
 /**
-* Authenticate the local docker daemon against the same-account ECR
-* registry. Mirrors `DockerAssetPublisher.ecrLogin` but stays in this
-* module so the local-invoke path doesn't depend on the publisher's
-* larger surface area.
+* Assume the supplied role via the SDK default credential chain and
+* return the resulting temporary credentials. The STS client is built
+* with the caller's profile region (or unset) — STS is a global
+* service so the region is informational, but threading it through
+* mirrors the convention used by `src/utils/role-arn.ts`.
+*/
+async function assumeRoleForEcr(roleArn, callerRegion, logger) {
+	logger.debug(`Assuming role ${roleArn} for ECR pull...`);
+	const sts = new STSClient({ ...callerRegion && { region: callerRegion } });
+	try {
+		const creds = (await sts.send(new AssumeRoleCommand({
+			RoleArn: roleArn,
+			RoleSessionName: `cdkd-local-ecr-${Date.now()}`,
+			DurationSeconds: 3600
+		}))).Credentials;
+		if (!creds || !creds.AccessKeyId || !creds.SecretAccessKey || !creds.SessionToken) throw new LocalInvokeBuildError(`AssumeRole(${roleArn}) returned no usable credentials. Verify the role's trust policy allows your identity to assume it.`);
+		return {
+			accessKeyId: creds.AccessKeyId,
+			secretAccessKey: creds.SecretAccessKey,
+			sessionToken: creds.SessionToken,
+			...creds.Expiration && { expiration: creds.Expiration }
+		};
+	} catch (err) {
+		if (err instanceof LocalInvokeBuildError) throw err;
+		throw new LocalInvokeBuildError(`Failed to assume role ${roleArn} for ECR pull: ${err instanceof Error ? err.message : String(err)}. Verify the role exists and its trust policy permits the caller's identity to assume it.`);
+	} finally {
+		sts.destroy();
+	}
+}
+/**
+* Authenticate the local docker daemon against the target ECR registry.
+* Mirrors `DockerAssetPublisher.ecrLogin` but stays in this module so the
+* local-invoke path doesn't depend on the publisher's larger surface area.
 */
 async function ecrLogin(client, accountId, region) {
 	getLogger().child("ecr-puller").debug(`ECR login (account=${accountId}, region=${region})`);
@@ -40353,14 +40448,23 @@ function resolveRestV1Authorizer(authorizerLogicalId, template, stackName, decla
 	if (type === "COGNITO_USER_POOLS") {
 		const arns = props["ProviderARNs"];
 		if (!Array.isArray(arns) || arns.length === 0) throw new RouteDiscoveryError(`${stackName}/${authorizerLogicalId}: COGNITO_USER_POOLS authorizer is missing ProviderARNs.`);
-		const arn = pickStringFromArn(arns[0], `${stackName}/${authorizerLogicalId}.ProviderARNs[0]`);
-		const parsed = parseCognitoUserPoolArn(arn, `${stackName}/${authorizerLogicalId}`);
+		const pools = arns.map((entry, idx) => {
+			const arn = pickStringFromArn(entry, `${stackName}/${authorizerLogicalId}.ProviderARNs[${idx}]`);
+			const parsed = parseCognitoUserPoolArn(arn, `${stackName}/${authorizerLogicalId}.ProviderARNs[${idx}]`);
+			return {
+				userPoolArn: arn,
+				region: parsed.region,
+				userPoolId: parsed.userPoolId
+			};
+		});
+		const first = pools[0];
 		return {
 			kind: "cognito",
 			logicalId: authorizerLogicalId,
-			userPoolArn: arn,
-			region: parsed.region,
-			userPoolId: parsed.userPoolId,
+			pools,
+			userPoolArn: first.userPoolArn,
+			region: first.region,
+			userPoolId: first.userPoolId,
 			declaredAt
 		};
 	}
@@ -40582,7 +40686,9 @@ function parseCognitoIssuer(issuer) {
 /**
 * Pull a string out of a {Ref} / literal entry under `ProviderARNs`.
 * CDK's CognitoUserPoolsAuthorizer emits a literal array of `Fn::GetAtt:
-* [<UserPool>, 'Arn']` entries — we accept both.
+* [<UserPool>, 'Arn']` entries — we accept both. The `location` argument
+* carries the full `<stack>/<authorizer>.ProviderARNs[<idx>]` path so the
+* error names the offending entry exactly.
 */
 function pickStringFromArn(value, location) {
 	if (typeof value === "string") return value;
@@ -40590,10 +40696,10 @@ function pickStringFromArn(value, location) {
 		const obj = value;
 		if ("Fn::GetAtt" in obj) {
 			const arg = obj["Fn::GetAtt"];
-			if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string" && arg[1] === "Arn") throw new RouteDiscoveryError(`${location}: ProviderARNs[0] uses Fn::GetAtt against logical ID '${arg[0]}'. cdkd local start-api needs the literal ARN string to derive the JWKS URL — set the user pool ARN explicitly via 'authorizer.providerArns' on the CDK construct, or upgrade to JWT (HTTP v2) which encodes the pool in the Issuer URL.`);
+			if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string" && arg[1] === "Arn") throw new RouteDiscoveryError(`${location}: uses Fn::GetAtt against logical ID '${arg[0]}'. cdkd local start-api needs the literal ARN string to derive the JWKS URL — set the user pool ARN explicitly via 'authorizer.providerArns' on the CDK construct, or upgrade to JWT (HTTP v2) which encodes the pool in the Issuer URL.`);
 		}
 	}
-	throw new RouteDiscoveryError(`${location}: ProviderARNs[0] must be a literal string (got ${shortJson(value)}).`);
+	throw new RouteDiscoveryError(`${location}: must be a literal string (got ${shortJson(value)}).`);
 }
 /**
 * Parse and clamp a TTL value to `[0, max]` with a default fallback.
@@ -41111,21 +41217,36 @@ function buildJwksUrlFromIssuer(issuer) {
 	return `${issuer.replace(/\/+$/, "")}/.well-known/jwks.json`;
 }
 /**
-* Verify a Bearer JWT against the Cognito user pool referenced by the
-* authorizer. Returns a {@link CachedAuthorizerResult} the http-server
-* can both cache (briefly — JWT exp itself is the cache deadline) and
-* propagate into the route event.
+* Build the expected `iss` claim URL for a Cognito user pool. Matches the
+* issuer Cognito embeds in every minted JWT.
+*/
+function buildCognitoIssuer(region, userPoolId) {
+	return `https://cognito-idp.${region}.amazonaws.com/${userPoolId}`;
+}
+/**
+* Verify a Bearer JWT against the Cognito user pool(s) referenced by the
+* authorizer. With a multi-pool authorizer (`ProviderARNs[]` of length
+* 1+) the request-time pool selection is driven by the JWT's unverified
+* `iss` claim — only the matching pool's JWKS is used for signature
+* verification, so a token issued by pool A cannot be verified against
+* pool B's keys. Issuer mismatch against EVERY configured pool rejects
+* with 401.
 *
 * Returns `{ allow: false }` on:
 *   - missing / malformed Authorization header (caller surfaces 401);
 *   - signature verification failure;
 *   - expired token (`exp` in the past);
-*   - issuer mismatch (token's `iss` doesn't match the pool's URL);
+*   - issuer mismatch (token's `iss` doesn't match any configured pool);
 *   - audience mismatch (token's `aud` not in the configured allowlist).
 *
 * Returns `{ allow: true, principalId, context }` on:
-*   - successful verification;
-*   - JWKS-unreachable pass-through mode (with a warn line on first hit).
+*   - successful verification against the matching pool;
+*   - JWKS-unreachable pass-through mode for the matching pool (with a
+*     warn line on first hit; per-pool TTL handled by the cache).
+*
+* Backward compat: a single-element `ProviderARNs[]` (the historical
+* single-pool case) behaves identically to pre-PR — `pools[0]` is the
+* only candidate and the `iss` check matches it.
 */
 async function verifyCognitoJwt(authorizer, authorizationHeader, jwksCache, opts = {}) {
 	const now = opts.now ?? (() => Date.now());
@@ -41135,7 +41256,33 @@ async function verifyCognitoJwt(authorizer, authorizationHeader, jwksCache, opts
 		identityHash: void 0,
 		ttlSeconds: 0
 	};
-	return verifyAndShape(token, buildCognitoJwksUrl(authorizer.region, authorizer.userPoolId), `https://cognito-idp.${authorizer.region}.amazonaws.com/${authorizer.userPoolId}`, void 0, jwksCache, opts.warned, now);
+	const pools = authorizer.pools && authorizer.pools.length > 0 ? authorizer.pools : [{
+		userPoolArn: authorizer.userPoolArn,
+		region: authorizer.region,
+		userPoolId: authorizer.userPoolId
+	}];
+	const parsed = parseJwt(token);
+	const identityHash = buildIdentityHash([token]);
+	let selectedPool = pools[0];
+	let issMatched = false;
+	if (parsed && typeof parsed.payload["iss"] === "string") {
+		const tokenIss = parsed.payload["iss"].replace(/\/+$/, "");
+		for (const pool of pools) if (buildCognitoIssuer(pool.region, pool.userPoolId) === tokenIss) {
+			selectedPool = pool;
+			issMatched = true;
+			break;
+		}
+		if (!issMatched) return {
+			allow: false,
+			identityHash,
+			ttlSeconds: 0
+		};
+	} else if (pools.length > 1) return {
+		allow: false,
+		identityHash,
+		ttlSeconds: 0
+	};
+	return verifyAndShape(token, buildCognitoJwksUrl(selectedPool.region, selectedPool.userPoolId), buildCognitoIssuer(selectedPool.region, selectedPool.userPoolId), void 0, jwksCache, opts.warned, now);
 }
 /**
 * Verify a Bearer JWT against an HTTP v2 JWT authorizer's `JwtConfiguration`.
@@ -42617,7 +42764,7 @@ async function prewarmJwks(routesWithAuth, jwksCache) {
 	for (const entry of routesWithAuth) {
 		const auth = entry.authorizer;
 		if (!auth) continue;
-		if (auth.kind === "cognito") urls.add(buildCognitoJwksUrl(auth.region, auth.userPoolId));
+		if (auth.kind === "cognito") for (const pool of auth.pools) urls.add(buildCognitoJwksUrl(pool.region, pool.userPoolId));
 		else if (auth.kind === "jwt") {
 			const url = auth.region && auth.userPoolId ? buildCognitoJwksUrl(auth.region, auth.userPoolId) : buildJwksUrlFromIssuer(auth.issuer);
 			urls.add(url);
@@ -43745,7 +43892,8 @@ async function prepareOneImage(task, container, options) {
 			return image.uri;
 		case "ecr": return pullEcrImage(image.uri, {
 			skipPull: options.skipPull,
-			...options.region !== void 0 && { region: options.region }
+			...options.region !== void 0 && { region: options.region },
+			...options.ecrRoleArn !== void 0 && { ecrRoleArn: options.ecrRoleArn }
 		});
 		case "cdk-asset": {
 			const cdkOutDir = task.stack.assetManifestPath ? dirname(task.stack.assetManifestPath) : void 0;
@@ -43999,6 +44147,7 @@ async function localRunTaskCommand(target, options) {
 		if (resolvedRoleArn) runOpts.taskRoleArn = resolvedRoleArn;
 		if (options.platform) runOpts.platformOverride = options.platform;
 		if (options.region) runOpts.region = options.region;
+		if (options.ecrRoleArn) runOpts.ecrRoleArn = options.ecrRoleArn;
 		const result = await runEcsTask(task, runOpts, state);
 		if (options.detach) {
 			logger.info("Task containers started in detached mode; cdkd is exiting.");
@@ -44148,7 +44297,7 @@ function readEnvOverridesFile$1(filePath) {
 	return parsed;
 }
 function createLocalRunTaskCommand() {
-	const cmd = new Command("run-task").description("Run an AWS::ECS::TaskDefinition locally — pulls/builds images, sets up a per-task docker network with the AWS-published metadata-endpoints sidecar, and starts every container in dependsOn order. Target accepts a CDK display path (MyStack/MyService/TaskDef) or stack-qualified logical ID (MyStack:MyServiceTaskDefXYZ1234). Single-stack apps may omit the stack prefix.").argument("<target>", "CDK display path or stack-qualified logical ID of the AWS::ECS::TaskDefinition to run").addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default("cdkd-local")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed function role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--keep-running", "Don't docker rm -f the user containers on task exit (network + sidecar are still torn down). Use when you want to docker exec into a stopped container for post-mortems.").default(false)).addOption(new Option("--detach", "Start the containers in the background and exit (skip log streaming + auto teardown). Useful in CI smoke tests; caller manages container lifecycle.").default(false)).addOption(new Option("--from-state", "Read cdkd S3 state for the target stack and substitute Fn::Sub / Fn::GetAtt references to same-stack AWS::ECR::Repository resources with the deployed URI. Off by default — only the AWS pseudo-parameter tier (${AWS::AccountId} / ${AWS::Region}) is resolved without this flag.").default(false)).addOption(new Option("--stack-region <region>", "Region of the cdkd state record to read (used with --from-state when the same stack name has state in multiple regions).")).action(withErrorHandling(localRunTaskCommand));
+	const cmd = new Command("run-task").description("Run an AWS::ECS::TaskDefinition locally — pulls/builds images, sets up a per-task docker network with the AWS-published metadata-endpoints sidecar, and starts every container in dependsOn order. Target accepts a CDK display path (MyStack/MyService/TaskDef) or stack-qualified logical ID (MyStack:MyServiceTaskDefXYZ1234). Single-stack apps may omit the stack prefix.").argument("<target>", "CDK display path or stack-qualified logical ID of the AWS::ECS::TaskDefinition to run").addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default("cdkd-local")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed function role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries (#455). Issues sts:AssumeRole via the default credential chain and uses the temporary credentials for ecr:GetAuthorizationToken + docker pull. Required when the caller does not have direct cross-account access to the target repository. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--keep-running", "Don't docker rm -f the user containers on task exit (network + sidecar are still torn down). Use when you want to docker exec into a stopped container for post-mortems.").default(false)).addOption(new Option("--detach", "Start the containers in the background and exit (skip log streaming + auto teardown). Useful in CI smoke tests; caller manages container lifecycle.").default(false)).addOption(new Option("--from-state", "Read cdkd S3 state for the target stack and substitute Fn::Sub / Fn::GetAtt references to same-stack AWS::ECR::Repository resources with the deployed URI. Off by default — only the AWS pseudo-parameter tier (${AWS::AccountId} / ${AWS::Region}) is resolved without this flag.").default(false)).addOption(new Option("--stack-region <region>", "Region of the cdkd state record to read (used with --from-state when the same stack name has state in multiple regions).")).action(withErrorHandling(localRunTaskCommand));
 	[
 		...commonOptions,
 		...appOptions,
@@ -44492,7 +44641,8 @@ async function resolveContainerImagePlan(lambda, options) {
 		logger.info(`No matching cdk.out asset for ${lambda.imageUri}; falling back to ECR pull (same-acct/region only)...`);
 		imageRef = await pullEcrImage(lambda.imageUri, {
 			skipPull: options.pull === false,
-			...options.region !== void 0 && { region: options.region }
+			...options.region !== void 0 && { region: options.region },
+			...options.ecrRoleArn !== void 0 && { ecrRoleArn: options.ecrRoleArn }
 		});
 	}
 	const tmpfs = resolveTmpfsForLambda(lambda);
@@ -44786,7 +44936,7 @@ function pickReferencedLogicalId(intrinsic) {
 */
 function createLocalCommand() {
 	const local = new Command("local").description("Local execution of Lambda functions (RIE) and ECS task definitions (Docker required)");
-	const invoke = new Command("invoke").description("Run a Lambda function locally in a Docker container (RIE-backed). Target accepts a CDK display path (MyStack/MyApi/Handler) or stack-qualified logical ID (MyStack:MyApiHandler1234ABCD). Single-stack apps may omit the stack prefix.").argument("<target>", "CDK display path or stack-qualified logical ID of the Lambda to invoke").addOption(new Option("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option("--event-stdin", "Read event JSON from stdin").default(false)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}})")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for IMAGE local-build path; `docker build` does not pull base layers by default")).addOption(new Option("--no-build", "Skip docker build on the IMAGE local-build path (use the previously-built tag). Requires the deterministic tag to already be in the local registry; errors with an actionable message when missing. No-op for ZIP Lambdas and the IMAGE ECR-pull path. Compatible with --no-pull.")).addOption(new Option("--debug-port <port>", "Node --inspect-brk port (default: off)")).addOption(new Option("--container-host <host>", "Host to bind the RIE port to").default("127.0.0.1")).addOption(new Option("--assume-role [arn]", "Assume the Lambda's deployed execution role and forward STS-issued temp credentials to the container so the handler runs with the deployed function's narrow permissions (closes the \"developer admin / function narrow\" skew). Three forms: (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) auto-resolves the function's execution role ARN from cdkd state (requires --from-state); (3) `--no-assume-role` explicitly opts out (forces dev creds even with --from-state). Off by default — when omitted, the developer's shell credentials are forwarded unchanged (SAM-compatible default). STS failures degrade to a warn + dev-creds fallback.")).addOption(new Option("--from-state", "Read cdkd S3 state for the target stack and substitute Ref / Fn::GetAtt / Fn::Sub in env vars with the deployed physical IDs / attributes. Off by default — keep PR 1 warn-and-drop semantics; turn on for stacks already deployed via cdkd deploy.").default(false)).addOption(new Option("--stack-region <region>", "Region of the cdkd state record to read (used with --from-state when the same stack name has state in multiple regions).")).action(withErrorHandling(localInvokeCommand));
+	const invoke = new Command("invoke").description("Run a Lambda function locally in a Docker container (RIE-backed). Target accepts a CDK display path (MyStack/MyApi/Handler) or stack-qualified logical ID (MyStack:MyApiHandler1234ABCD). Single-stack apps may omit the stack prefix.").argument("<target>", "CDK display path or stack-qualified logical ID of the Lambda to invoke").addOption(new Option("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option("--event-stdin", "Read event JSON from stdin").default(false)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}})")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for IMAGE local-build path; `docker build` does not pull base layers by default")).addOption(new Option("--no-build", "Skip docker build on the IMAGE local-build path (use the previously-built tag). Requires the deterministic tag to already be in the local registry; errors with an actionable message when missing. No-op for ZIP Lambdas and the IMAGE ECR-pull path. Compatible with --no-pull.")).addOption(new Option("--debug-port <port>", "Node --inspect-brk port (default: off)")).addOption(new Option("--container-host <host>", "Host to bind the RIE port to").default("127.0.0.1")).addOption(new Option("--assume-role [arn]", "Assume the Lambda's deployed execution role and forward STS-issued temp credentials to the container so the handler runs with the deployed function's narrow permissions (closes the \"developer admin / function narrow\" skew). Three forms: (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) auto-resolves the function's execution role ARN from cdkd state (requires --from-state); (3) `--no-assume-role` explicitly opts out (forces dev creds even with --from-state). Off by default — when omitted, the developer's shell credentials are forwarded unchanged (SAM-compatible default). STS failures degrade to a warn + dev-creds fallback.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries (#455). Issues sts:AssumeRole via the default credential chain and uses the temporary credentials for ecr:GetAuthorizationToken + docker pull. Required when the caller does not have direct cross-account access to the target repository. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--from-state", "Read cdkd S3 state for the target stack and substitute Ref / Fn::GetAtt / Fn::Sub in env vars with the deployed physical IDs / attributes. Off by default — keep PR 1 warn-and-drop semantics; turn on for stacks already deployed via cdkd deploy.").default(false)).addOption(new Option("--stack-region <region>", "Region of the cdkd state record to read (used with --from-state when the same stack name has state in multiple regions).")).action(withErrorHandling(localInvokeCommand));
 	[
 		...commonOptions,
 		...appOptions,
@@ -46074,7 +46224,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.117.2");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.119.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());