aws_lambda_python_alpha: BundlingOptions network parameter is ignored

[snovikov]

Describe the bug

While trying to create a Lambda Layer with python I have stumbled into network issue with Docker.

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

cdk synth should be successful.

Current Behavior

while running cdk synth:

$ cdk synth
...
#5 [2/2] RUN     python -m venv /usr/app/venv &&     mkdir /tmp/pip-cache &&     chmod -R 777 /tmp/pip-cache &&     pip install --upgrade pip &&     mkdir /tmp/poetry-cache &&     chmod -R 777 /tmp/poetry-cache &&     pip install pipenv==2022.4.8 poetry==1.5.1 &&     rm -rf /tmp/pip-cache/* /tmp/poetry-cache/*
#5 9.835 Requirement already satisfied: pip in /usr/app/venv/lib/python3.12/site-packages (24.3.1)
#5 29.86 WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7cd455a78800>: Failed to establish a new connection: [Errno -2] Name or service not known')': /simple/pip/
...
#5 285.5 ERROR: Could not find a version that satisfies the requirement pipenv==2022.4.8 (from versions: none)
#5 305.5 ERROR: No matching distribution found for pipenv==2022.4.8
#5 ERROR: process "/bin/sh -c python -m venv /usr/app/venv &&     mkdir /tmp/pip-cache &&     chmod -R 777 /tmp/pip-cache &&     pip install --upgrade pip &&     mkdir /tmp/poetry-cache &&     chmod -R 777 /tmp/poetry-cache &&     pip install pipenv==$PIPENV_VERSION poetry==$POETRY_VERSION &&     rm -rf /tmp/pip-cache/* /tmp/poetry-cache/*" did not complete successfully: exit code: 1
...
Dockerfile:22
--------------------
  21 |     
  22 | >>> RUN \
  23 | >>> # create a new virtualenv for python to use
  24 | >>> # so that it isn't using root
  25 | >>>     python -m venv /usr/app/venv && \
  26 | >>> # Create a new location for the pip cache
  27 | >>>     mkdir /tmp/pip-cache && \
  28 | >>> # Ensure all users can write to pip cache
  29 | >>>     chmod -R 777 /tmp/pip-cache && \
  30 | >>> # Upgrade pip (required by cryptography v3.4 and above, which is a dependency of poetry)
  31 | >>>     pip install --upgrade pip && \
  32 | >>> # Create a new location for the poetry cache
  33 | >>>     mkdir /tmp/poetry-cache && \
  34 | >>> # Ensure all users can write to poetry cache
  35 | >>>     chmod -R 777 /tmp/poetry-cache && \
  36 | >>> # Install pipenv and poetry
  37 | >>>     pip install pipenv==$PIPENV_VERSION poetry==$POETRY_VERSION && \
  38 | >>> # Ensure no temporary files remain in the caches
  39 | >>>     rm -rf /tmp/pip-cache/* /tmp/poetry-cache/*
  40 |     
--------------------
ERROR: failed to solve: process "/bin/sh -c python -m venv /usr/app/venv &&     mkdir /tmp/pip-cache &&     chmod -R 777 /tmp/pip-cache &&     pip install --upgrade pip &&     mkdir /tmp/poetry-cache &&     chmod -R 777 /tmp/poetry-cache &&     pip install pipenv==$PIPENV_VERSION poetry==$POETRY_VERSION &&     rm -rf /tmp/pip-cache/* /tmp/poetry-cache/*" did not complete successfully: exit code: 1
jsii.errors.JavaScriptError: 
  Error: docker exited with status 1
  --> Command: docker build -t cdk-f8515da79edfce24e7a7b2abd249e3ed0eeeb071f8c15e42ebeabfa08cebc749 --platform "linux/amd64" --build-arg "IMAGE=public.ecr.aws/sam/build-python3.12" "/tmp/jsii-kernel-pAlGbN/node_modules/@aws-cdk/aws-lambda-python-alpha/lib"
      at dockerExec (/tmp/jsii-kernel-pAlGbN/node_modules/aws-cdk-lib/core/lib/private/asset-staging.js:2:237)
      at DockerImage.fromBuild (/tmp/jsii-kernel-pAlGbN/node_modules/aws-cdk-lib/core/lib/bundling.js:1:4761)
      at new Bundling (/tmp/jsii-kernel-pAlGbN/node_modules/@aws-cdk/aws-lambda-python-alpha/lib/bundling.js:40:50)
      at Bundling.bundle (/tmp/jsii-kernel-pAlGbN/node_modules/@aws-cdk/aws-lambda-python-alpha/lib/bundling.js:25:50)
      at new PythonLayerVersion (/tmp/jsii-kernel-pAlGbN/node_modules/@aws-cdk/aws-lambda-python-alpha/lib/layer.js:50:39)
      at new PythonLayerVersion (/tmp/jsii-kernel-pAlGbN/node_modules/aws-cdk-lib/core/lib/prop-injectable.js:1:488)
      at Kernel._Kernel_create (/tmp/tmpo7jy_gi8/lib/program.js:548:25)
      at Kernel.create (/tmp/tmpo7jy_gi8/lib/program.js:218:93)
      at KernelHost.processRequest (/tmp/tmpo7jy_gi8/lib/program.js:15467:36)
      at KernelHost.run (/tmp/tmpo7jy_gi8/lib/program.js:15427:22)

...
RuntimeError: docker exited with status 1
--> Command: docker build -t cdk-f8515da79edfce24e7a7b2abd249e3ed0eeeb071f8c15e42ebeabfa08cebc749 --platform "linux/amd64" --build-arg "IMAGE=public.ecr.aws/sam/build-python3.12" "/tmp/jsii-kernel-pAlGbN/node_modules/@aws-cdk/aws-lambda-python-alpha/lib"
Subprocess exited with error 1

Reproduction Steps

Example code:

from aws_cdk import (
    Stack,
    aws_lambda as _lambda,
    aws_lambda_python_alpha as lambda_python,
)
from constructs import Construct

class LambdaStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        # Lambda Layer from Python requirements
        layer = lambda_python.PythonLayerVersion(
            self, "LibLayer",
            entry="layer",
            compatible_runtimes=[_lambda.Runtime.PYTHON_3_12],
            bundling=lambda_python.BundlingOptions(
                network="host",
            ),
        )

The layer folder:

layer/
└── requirements.txt

The layer/requirements.txt

jwt==1.3.1
requests==2.32.3

Possible Solution

It seems, that network="host" parameter is ignored.

Additional Information/Context

No response

AWS CDK Library version (aws-cdk-lib)

2.196.0

AWS CDK CLI version

2.1004.0 (build f0ad96e)

Node.js Version

v20.19.2

OS

Ubuntu 24.04.2 LTS

Language

Python

Language Version

Python 3.12.3

Other information

No response

[ykethan]

Hey @snovikov, thank you for reaching out. On a quick test I was unable to reproduce this issue.

code:

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import * as lambda_python from '@aws-cdk/aws-lambda-python-alpha';

export class MyProject1Stack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const pythonLayer = new lambda_python.PythonLayerVersion(
      this,
      'PythonLayer',
      {
        entry: './layer',
        compatibleRuntimes: [lambda.Runtime.PYTHON_3_12],
        bundling: {
          network: 'host',
        },
      }
    );

    // Create a simple Lambda function using the layer
    new lambda.Function(this, 'TestFunction', {
      runtime: lambda.Runtime.PYTHON_3_12,
      handler: 'index.handler',
      code: lambda.Code.fromInline(`
def handler(event, context):
    print("Hello from Lambda!")
    return {"statusCode": 200, "body": "Success"}
      `),
      layers: [pythonLayer],
    });
  }
}

On synth did not observe an error message

As the host type did not run into an error as a test modified the network to none which should completely isolate a container from the host and other containers

     bundling: {
          network: 'none',
        },

with output as

> Command: docker run --rm --network none -u "504:20" -v "/Users/abc/Documents/appslocal/my-project1/layer:/asset-input:delegated" -v "/Users/abc/Documents/appslocal/my-project1/cdk.out/asset.ade6bd33e33b8dbf8b248ceb2e9d059833e5b3fffbaaf96bb2355f290b683c54-building:/asset-output:delegated" -w "/asset-input" cdk-0749bcf2c8e6d9cf3d79374f326fa02b1445ae0e82c3d7e52ff02a285718b812 bash -c "rsync -rLv /asset-input/ /asset-output/python && cd /asset-output/python && python -m pip install -r requirements.txt -t /asset-output/python"

the command does appear to contain the --network parameter.
Could you provide us some additional information such as are you currently utilizing a proxy network or VPN that could be blocking this?

[snovikov]

Thanks @ykethan for taking your time.

I do not use proxy or VPN. The issue it seems because of docker networking.
If there is no parameter for network specified, then docker uses default network,
which is a bridge network and in my case that network has no connection to the internet.

$ docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
032cfe60bb60   bridge    bridge    local
4d79c761a679   host      host      local
062af104491c   none      null      local

The way circumvent it could be to use host network.

So, I tried again with code you have submitted.
My code is written in Python, so, I have to translate your example to:

test.py

import aws_cdk as cdk
from constructs import Construct
from aws_cdk import aws_lambda as _lambda
from aws_cdk.aws_lambda_python_alpha import PythonLayerVersion


class MyProject1Stack(cdk.Stack):
    def __init__(self, scope: Construct, id: str, *, env=None, **kwargs) -> None:
        super().__init__(scope, id, env=env, **kwargs)

        python_layer = PythonLayerVersion(
            self,
            "PythonLayer",
            entry="./layer",
            compatible_runtimes=[_lambda.Runtime.PYTHON_3_12],
            bundling={"network": "host"},
        )

        _lambda.Function(
            self,
            "TestFunction",
            runtime=_lambda.Runtime.PYTHON_3_12,
            handler="index.handler",
            code=_lambda.Code.from_inline(
                """
def handler(event, context):
    print("Hello from Lambda!")
    return {"statusCode": 200, "body": "Success"}
                """
            ),
            layers=[python_layer],
        )


app = cdk.App()
MyProject1Stack(app, "MyProject1Stack", stack_name="my-project1-stack")
app.synth()

When running it, I get again an error:

$ python test.py 
#0 building with "default" instance using docker driver

#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 1.56kB done
#1 DONE 0.0s

#2 [internal] load metadata for public.ecr.aws/sam/build-python3.12:latest
#2 DONE 1.3s

#3 [internal] load .dockerignore
#3 transferring context: 2B done
#3 DONE 0.0s

#4 [1/2] FROM public.ecr.aws/sam/build-python3.12:latest@sha256:7628518e589f67e09dfb93bacbc5d28d834008e8d1f842900bba7e261658b356
#4 CACHED

#5 [2/2] RUN     python -m venv /usr/app/venv &&     mkdir /tmp/pip-cache &&     chmod -R 777 /tmp/pip-cache &&     pip install --upgrade pip &&     mkdir /tmp/poetry-cache &&     chmod -R 777 /tmp/poetry-cache &&     pip install pipenv==2022.4.8 poetry==1.5.1 &&     rm -rf /tmp/pip-cache/* /tmp/poetry-cache/*
#5 2.442 Requirement already satisfied: pip in /usr/app/venv/lib/python3.12/site-packages (24.3.1)
#5 22.47 WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0x765a2a75ddc0>: Failed to establish a new connection: [Errno -2] Name or service not known')': /simple/pip/

In the process list I can clearly see, that process:

$ ps aux | grep "docker build"
sergeyn+  864711  0.0  0.0 1995932 27416 pts/6   Sl+  17:04   0:00 docker build -t cdk-70a61d1473e5e8602955a738c80ea59cfaf7c2951a0eb494424dc6162e3ca167 --platform linux/amd64 --build-arg IMAGE=public.ecr.aws/sam/build-python3.12 /tmp/jsii-kernel-E0Euu6/node_modules/@aws-cdk/aws-lambda-python-alpha/lib

and there is no --network option present.

However, if execute that command manually, with --network option - that works

$ docker build -t cdk-layer-1 --network host --no-cache --platform linux/amd64 --build-arg IMAGE=public.ecr.aws/sam/build-python3.12 /tmp/jsii-kernel-E0Euu6/node_modules/@aws-cdk/aws-lambda-python-alpha/lib
[+] Building 22.2s (6/6) FINISHED                                                                                                              docker:default
 => [internal] load build definition from Dockerfile                                                                                                     0.0s
 => => transferring dockerfile: 1.56kB                                                                                                                   0.0s
 => [internal] load metadata for public.ecr.aws/sam/build-python3.12:latest                                                                              0.3s
 => [internal] load .dockerignore                                                                                                                        0.0s
 => => transferring context: 2B                                                                                                                          0.0s
 => CACHED [1/2] FROM public.ecr.aws/sam/build-python3.12:latest@sha256:7628518e589f67e09dfb93bacbc5d28d834008e8d1f842900bba7e261658b356                 0.0s
 => [2/2] RUN     python -m venv /usr/app/venv &&     mkdir /tmp/pip-cache &&     chmod -R 777 /tmp/pip-cache &&     pip install --upgrade pip &&       21.4s
 => exporting to image                                                                                                                                   0.5s 
 => => exporting layers                                                                                                                                  0.5s 
 => => writing image sha256:5cf67962900dd2d9389054d14a3d582dbd395d9ce69e6e9b27384a9d3928ba97                                                             0.0s 
 => => naming to docker.io/library/cdk-layer-1                                                                                                           0.0s

I have tried with adding more parameters to BundlingOptions, like build_args and they are present, e.g.

            bundling={
                "network": "host",
                "build_args": {
                    "PIP_INDEX_URL": "https://your.index.url/simple/",
                    "PIP_EXTRA_INDEX_URL": "https://your.extra-index.url/simple/"
                }
            },

$ python test.py 
#0 building with "default" instance using docker driver

#1 [internal] load build definition from Dockerfile
#1 DONE 0.0s

#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 1.56kB done
#1 DONE 0.0s

#2 [internal] load metadata for public.ecr.aws/sam/build-python3.12:latest
#2 DONE 1.1s

#3 [internal] load .dockerignore
#3 transferring context: 2B done
#3 DONE 0.0s

#4 [1/2] FROM public.ecr.aws/sam/build-python3.12:latest@sha256:7628518e589f67e09dfb93bacbc5d28d834008e8d1f842900bba7e261658b356
#4 CACHED

#5 [2/2] RUN     python -m venv /usr/app/venv &&     mkdir /tmp/pip-cache &&     chmod -R 777 /tmp/pip-cache &&     pip install --upgrade pip &&     mkdir /tmp/poetry-cache &&     chmod -R 777 /tmp/poetry-cache &&     pip install pipenv==2022.4.8 poetry==1.5.1 &&     rm -rf /tmp/pip-cache/* /tmp/poetry-cache/*
#5 1.901 Looking in indexes: https://your.index.url/simple/, https://your.extra-index.url/simple/
#5 1.901 Requirement already satisfied: pip in /usr/app/venv/lib/python3.12/site-packages (24.3.1)
#5 21.92 WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0x79712bbe17f0>: Failed to establish a new connection: [Errno -2] Name or service not known')': /simple/pip/

and in the process list

$ ps aux | grep "docker build"
sergeyn+  866627  0.0  0.0 1995932 27456 pts/6   Sl+  17:14   0:00 docker build -t cdk-1e2744ad25b13437ae2b0a0791208b5b5122cf9df36894eb29841e41184f4099 --platform linux/amd64 --build-arg PIP_INDEX_URL=https://your.index.url/simple/ --build-arg PIP_EXTRA_INDEX_URL=https://your.extra-index.url/simple/ --build-arg IMAGE=public.ecr.aws/sam/build-python3.12 /tmp/jsii-kernel-k6NjVW/node_modules/@aws-cdk/aws-lambda-python-alpha/lib

again no --network.

I have updated my CDK in a meanwhile:

$ cdk version
2.1016.1 (build 6de56b2)

$ pip list | grep cdk
aws-cdk.asset-awscli-v1           2.2.236
aws-cdk.asset-node-proxy-agent-v6 2.1.0
aws-cdk.aws-lambda-python-alpha   2.197.0a0
aws-cdk.cloud-assembly-schema     41.2.0
aws-cdk-lib                       2.197.0

but that had no effect on the issue.

Docker

$ docker version
Client: Docker Engine - Community
 Version:           28.1.1
 API version:       1.49
 Go version:        go1.23.8
 Git commit:        4eba377
 Built:             Fri Apr 18 09:52:14 2025
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          28.1.1
  API version:      1.49 (minimum version 1.24)
  Go version:       go1.23.8
  Git commit:       01f442b
  Built:            Fri Apr 18 09:52:14 2025
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.7.27
  GitCommit:        05044ec0a9a75232cad458027ca83437aae3f4da
 runc:
  Version:          1.2.5
  GitCommit:        v1.2.5-0-g59923ef
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

[ykethan]

Hey @snovikov, appreciate the detailed information. On further testing, I was able to reproduce the issue with multiple tests with different network configurations and observed:

1. With network='bridge' or network='none':

   • Docker commands correctly include network parameter (--network bridge or --network none)
   • Example: docker run --rm --network bridge -u 504:20 -v /path/to/layer:/asset-input...
     and docker build -t <> --platform linux/amd64 --build-arg IMAGE=public.ecr.aws/sam/build-python3.12 /Users/node_modules/@aws-cdk/aws-lambda-python-alpha/lib

2. With network='host':

   • Docker commands are missing the network parameter
   • The observed command: docker build -t cdk-... --platform linux/amd64 --build-arg IMAGE=public.ecr.aws/sam/build-python3.12 ...

Root Cause

In CDK source code at DockerImage.fromBuild() method in packages/aws-cdk-lib/core/lib/bundling.ts. The docker command construction includes platform and build args but doesn't pass through the network parameter:

const dockerArgs: string[] = [
  'build', '-t', tag,
  ...(options.file ? ['-f', join(path, options.file)] : []),
  ...(options.platform ? ['--platform', options.platform] : []),
  // Network parameter is missing here
  // ...
  path,
];

While the DockerImage.run() method correctly handles network parameters:

const dockerArgs: string[] = [
  'run', '--rm',
  ...options.network
    ? ['--network', options.network]
    : [],
  // other args...
];

from the docker documentation docker build currently does support 3 network types
https://docs.docker.com/reference/cli/docker/buildx/build/#network

default (default): Run in the default network.
none: Run with no network access.
host: Run in the host’s network environment.

The currently implementation would need to be modified to support passing network on the build command

Marking as P2 feature request. We greatly appreciate community contributions! If you or someone else is interested in implementing this, we'd be happy to review a Pull Request. Please check our contribution guidelines before starting.
Meanwhile, welcome to add 👍 to help us prioritize.