Articles

Build and Push Docker Images as CDK Assets (2026)

April 16, 2026 5 min read

CDK assets are a powerful way to manage infrastructure code, but they often involve building and pushing Docker images. This process can be tricky, leading to unexpected build failures or deployment issues.

The core problem is that CDK Asset Publishing needs to know the exact location of your Docker image after it’s built and pushed to a registry. If that location isn’t correctly communicated or if the build itself fails, the asset won’t be available for your CloudFormation stack.

Common Causes and Fixes

  1. Docker Build Fails Due to Missing Dependencies:

    • Diagnosis: Check the docker build output for errors. Common culprits are missing packages in apt-get install or yum install, or issues with npm install, pip install, etc.
    • Fix: Ensure all necessary build-time dependencies are explicitly installed in your Dockerfile. For example, if you need git to clone a repository during build:
      RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/*
      This command updates package lists, installs git, and then cleans up the apt cache to keep the image size down.
    • Why it works: The Dockerfile is a recipe. If a step in the recipe is incomplete, the resulting image is broken. Explicitly including all dependencies ensures the build process has everything it needs.

  2. Docker Build Fails Due to Incorrect COPY or ADD Paths:

    • Diagnosis: The build fails because files or directories expected by the application are not present in the image. Look for No such file or directory errors.
    • Fix: Double-check the source and destination paths in your COPY or ADD instructions. Ensure they are relative to the build context (the directory where you run docker build). For example, if your Dockerfile is in the root of your project and your application code is in src/app:
      COPY src/app /app
      If you’re using .dockerignore, ensure you haven’t accidentally excluded necessary files.
    • Why it works: COPY and ADD are how you get your application code and configuration into the Docker image. Incorrect paths mean the image is built without the necessary files.

  3. CDK Asset Publishing Fails to Find the Built Image:

    • Diagnosis: The CDK deployment fails with an error like "Asset … not found" or indicates it couldn’t locate the Docker image. This often happens when the docker build command is run in a context where the output image isn’t tagged or accessible by the asset publishing mechanism.
    • Fix: Ensure your Dockerfile correctly tags the image during the build process, and that the CDK is configured to use that tag. When using DockerImage.fromAsset in CDK, it handles the tagging and pushing. If you’re manually building and pushing, ensure the docker build command outputs an image that CDK can reference. The CDK CLI typically expects the image to be built and available locally or pushed to a registry it can access. The DockerImage.fromRegistry() construct is used if the image is already in a registry.
      import { DockerImage } from 'aws-cdk-lib/aws-ecr-assets';

const myImage = DockerImage.fromAsset('./path/to/dockerfile/context');
// CDK handles the build and push to ECR
    • Why it works: CDK’s asset system needs a definitive reference to the image. DockerImage.fromAsset streamlines this by building and pushing to ECR. If you’re not using this construct, you need to ensure the image is built and accessible by its tag.

  4. ECR Repository Not Created or Permissions Issues:

    • Diagnosis: CDK deployment fails with errors related to ECR, such as "RepositoryNotFoundException" or "AccessDeniedException."
    • Fix: Ensure the ECR repository that the CDK asset publishing process targets actually exists and that the IAM role executing the CDK deployment has permissions to push to it. The DockerImage.fromAsset construct will often create the ECR repository for you if it doesn’t exist, but you need to ensure the IAM principal running cdk deploy has ecr:CreateRepository and ecr:PutImage permissions.
      // Example of granting permissions to the deployment role
const repository = new ecr.Repository(this, 'MyRepository');
// The CDK asset publishing role (derived from the deployment role) will need ECR permissions.
// If you're manually managing ECR, ensure your deployment role has:
// "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload",
// "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage", "ecr:CreateRepository"
    • Why it works: Docker images are stored in ECR. If ECR can’t be accessed or the repository isn’t there, the image cannot be stored or retrieved.

  5. Incorrect Dockerfile CMD or ENTRYPOINT:

    • Diagnosis: The Docker image builds successfully, but when deployed as part of a container service (like ECS or Fargate), the container fails to start or exits immediately. The container logs will show errors related to the command not being found or exiting with a non-zero status.
    • Fix: Verify that your CMD or ENTRYPOINT in the Dockerfile points to an executable that exists within the image and is correctly configured. For example, if your application is a Python script:
      # Assuming your script is in /app/main.py
CMD ["python", "/app/main.py"]
      Ensure the script has execute permissions if necessary, or that the interpreter (python in this case) is correctly installed and in the PATH.
    • Why it works: The CMD or ENTRYPOINT defines what runs when the container starts. If this command is invalid or missing, the container cannot execute its intended purpose.

  6. Build Context Too Large or .dockerignore Misconfigured:

    • Diagnosis: docker build takes an extremely long time, or fails with "context exceeded" errors, or essential files are missing from the image.
    • Fix: Use a .dockerignore file to exclude unnecessary files and directories (like .git, node_modules, build artifacts, local development tools) from being sent to the Docker daemon during the build.
      # .dockerignore
.git
node_modules
*.log
dist/
build/
      Ensure your Dockerfile is located at the root of the intended build context or that you specify the correct context path in your docker build command or CDK construct.
    • Why it works: The build context is the set of files sent to the Docker daemon. Excluding unnecessary files speeds up the transfer and build, and prevents accidental inclusion of sensitive or irrelevant data.

The next error you’ll likely encounter after fixing these is a CloudFormation deployment failure due to a misconfigured service or task definition that doesn’t correctly reference the deployed Docker image URI.

Want structured learning?

Take the full Cdk course →