Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
(@aws-cdk/pipelines.CdkPipeline) Update Pipeline Stage's UpdateSelf missing cloudformation permissions on role
See original GitHub issueI am currently building a pipeline utilizing pipelines.CdkPipeline as follows below. While making the pipeline, both the SimpleSynthAction as well as the automatically added SelfMutate Action (in the UpdatePipeline automatically added stage) are missing the cloudformation:DescribeStacks and cloudformationGetTemplate permissions. For the synth action as you see below I added this through the role_policy_statements list parameter. Is this something that is a bug or expected? Secondly, I’m unsure how to do this with the SelfMutate Action inside the UpdatePipeline Stage that gets automatically created for us when utilizing the pipelines.CdkPipeline. The Role used on the UpdatePipeline Stage, that is automatically created, is missing cloudformation:DescribeStacks, cloudformationGetTemplate on the CDKToolkit Stack and the stack you look to deploy this into. This same role, is also missing s3 permissions to write to the CDKToolKitBucket. Based on my perspective this would be a bug because no matter what the CdkPipeline will have to synth and upload to the s3 bucket if the template is large, and it will need access to those cloudformation stacks. Please show me how to provide these to the automatically created UpdatePipeline Stage and UpdatePipeline Stage role and also explain if this is a bug, feature request, or implementation difference?
pipeline_source_action = aws_codepipeline_actions.CodeCommitSourceAction(output=pipeline_source_artifact,
repository=source_repo,
action_name=f"SourceCCRepo_{repo}",
branch=self._branch)
pipeline_synth_action = pipelines.SimpleSynthAction.standard_npm_synth(
action_name=f"Build_{repo}",
cloud_assembly_artifact=pipeline_cloud_assembly_artifact,
source_artifact=pipeline_source_artifact,
install_command='pip install -r requirements.txt --ignore-installed;npm install -g aws-cdk; cdk bootstrap',
build_command="npx cdk synth -vvvv",
role_policy_statements=[
aws_iam.PolicyStatement(actions=["cloudformation:DescribeStacks", "cloudformation:GetTemplate"],
resources=[
f"arn:aws:cloudformation:{self._config.region}:{self._config.account}:stack/CDKToolkit*",
f"arn:aws:cloudformation:{self._config.region}:{self._config.account}:stack/{self._stack_id}*"])])
pipeline_cp = aws_codepipeline.Pipeline(scope=self, id=f"{pipeline_name}cp_id",
artifact_bucket=self._pipeline_asset_bucket, cross_account_keys=False,
pipeline_name=pipeline_name, restart_execution_on_update=True)
pipeline = pipelines.CdkPipeline(self, id=f"{pipeline_name}_id",
cloud_assembly_artifact=pipeline_cloud_assembly_artifact,
code_pipeline=pipeline_cp, source_action=pipeline_source_action,
synth_action=pipeline_synth_action, vpc=self._vpc)
### Environment
- **CDK CLI Version:** 1.100.0
- **Module Version:** 1.100.0
- **Node.js Version:** 6.14.11
- **OS:** Windows 10/ Linux
- **Language (Version):** Python 3.9
Issue Analytics
- State:
- Created 2 years ago
- Comments:12 (9 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
OK, I think I got this fixed: people. Try setting:
in
cdk.jsonand reruncdk bootstrap. Then you don’t need GetTemplate permission and you don’t seen these errors.⚠️COMMENT VISIBILITY WARNING⚠️
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.