[aws-codepipeline-actions] Cannot assume role by code pipeline on code pipeline action AWS CDK
General Issue
I have been playing with AWS CDK and was working on building a CodePipeline stack on my AWS Educate account. The user that I am using has enough permission to access and use CodePipeline. My problem is, AWS CDK generates a role for the CodePipeline action whose Principal is the ARN of the root account. So it doesn't have the permission to perform AssumeRole on the root account.
Action code:

```typescript
{
  stageName: "Build",
  actions: [
    new codepipelineActions.CodeBuildAction({
      actionName: "Build",
      input: sourceOutput,
      project: builder
    })
  ]
}
```
CloudFormation template output:

```diff
 "devPipelineBuildCodePipelineActionRole8696D056": {
   "Type": "AWS::IAM::Role",
   "Properties": {
     "AssumeRolePolicyDocument": {
       "Statement": [
         {
           "Action": "sts:AssumeRole",
           "Effect": "Allow",
           "Principal": {
+            "AWS": {
+              "Fn::Join": [
+                "",
+                [
+                  "arn:",
+                  {
+                    "Ref": "AWS::Partition"
+                  },
+                  ":iam::",
+                  {
+                    "Ref": "AWS::AccountId"
+                  },
+                  ":root"
+                ]
+              ]
+            }
+          }
+        }
       ],
       "Version": "2012-10-17"
     }
   },
   "Metadata": {
     "aws:cdk:path": "PipeLineStack/dev-Pipeline/Build/Build/CodePipelineActionRole/Resource"
   }
 }
 ...
 {
   "Actions": [
     {
       "ActionTypeId": {
         "Category": "Build",
         "Owner": "AWS",
         "Provider": "CodeBuild",
         "Version": "1"
       },
       "Configuration": {
         "ProjectName": {
           "Ref": "BuildAndTestB9A2F419"
         }
       },
       "InputArtifacts": [
         {
           "Name": "SourceOutput"
         }
       ],
       "Name": "Build",
+      "RoleArn": {
+        "Fn::GetAtt": [
+          "devPipelineBuildCodePipelineActionRole8696D056",
+          "Arn"
+        ]
+      },
       "RunOrder": 1
     }
   ],
   "Name": "Build"
 }
```
This will throw the error:

```
arn:aws:iam::acount_id:role/PipeLineStack-devPipelineRole5B29FEBC-1JK24J0K5N1UG is not authorized to perform AssumeRole on role arn:aws:iam::acount_id:role/PipeLineStack-devPipelineBuildCodePipelineActionRo-17ETJU1KZCCNQ (Service: AWSCodePipeline; Status Code: 400; Error Code: InvalidStructureException; Request ID: c8c8af89-2409-4cc1-aad8-4de553a1764f; Proxy: null)
```
If I remove the `RoleArn` from the Action and execute the template, it works.
```diff
 "Actions": [
   {
     "ActionTypeId": {
       "Category": "Build",
       "Owner": "AWS",
       "Provider": "CodeBuild",
       "Version": "1"
     },
     "Configuration": {
       "ProjectName": {
         "Ref": "BuildAndTestB9A2F419"
       }
     },
     "InputArtifacts": [
       {
         "Name": "SourceOutput"
       }
     ],
     "Name": "Build",
-    "RoleArn": {
-      "Fn::GetAtt": [
-        "devPipelineBuildCodePipelineActionRole8696D056",
-        "Arn"
-      ]
-    },
     "RunOrder": 1
   }
 ],
 "Name": "Build"
 }
```
The Question

My question is: how do I prevent CDK from adding a default role with a Principal using the root account, or is there a workaround for it?
Environment
- CDK CLI Version: v1.61.1
- Module Version: v1.61.1
- Node.js Version: v12.14.0
- OS: OSX Catalina
- Language (Version): TypeScript (3.8.3)
Other information
Issue Analytics
- State:
- Created 3 years ago
- Comments:10 (2 by maintainers)
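The templates above show the two halves of the relationship that failed: the generated action role trusts the whole account root (`arn:…:iam::<account>:root`) rather than the specific pipeline role, and the pipeline role was not authorized to call `sts:AssumeRole` on it. Both can be checked statically on the synthesized template before `cdk deploy`. The following is an added example, not the issue author's code nor part of the CDK project: it audits a CloudFormation template for every action `RoleArn`, reports action roles whose trust policy names the account root (a broader trust than the pipeline needs), and checks whether the pipeline role's policies grant `sts:AssumeRole` on that role. The logical IDs in the constructed sample are taken from the issue; the pipeline resource name `devPipeline`, the policy resource name `devPipelineRoleDefaultPolicy` and the policy contents are assumptions.

```typescript
// Added example (not the issue author's code nor the CDK project's): a post-synth
// audit of a CloudFormation template, e.g. cdk.out/<Stack>.template.json, checking both
// halves of the pipeline-role -> action-role assume relationship. Logical IDs in the
// sample are taken from the issue; "devPipeline", "devPipelineRoleDefaultPolicy" and
// the policy contents are assumptions.
type CfnTemplate = { Resources: Record<string, any> };
interface Finding {
  actionRole: string;          // logical ID of the per-action IAM role
  pipelineRole: string;        // logical ID of the role the pipeline runs as
  trustsAccountRoot: boolean;  // trust policy names arn:...:iam::<account>:root
  pipelineCanAssume: boolean;  // pipeline role holds sts:AssumeRole on the action role
}
const asArray = (v: any): any[] => (v == null ? [] : Array.isArray(v) ? v : [v]);

// Render Fn::Join / Ref / Fn::GetAtt as a comparable string, e.g.
// "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" or "${RoleId.Arn}".
function flattenIntrinsic(v: any): string {
  if (typeof v === 'string') return v;
  if (v && Array.isArray(v['Fn::Join'])) return asArray(v['Fn::Join'][1]).map(flattenIntrinsic).join(v['Fn::Join'][0]);
  if (v && typeof v.Ref === 'string') return '${' + v.Ref + '}';
  if (v && Array.isArray(v['Fn::GetAtt'])) return '${' + v['Fn::GetAtt'].join('.') + '}';
  return JSON.stringify(v);
}
// Logical ID behind {"Fn::GetAtt": ["<id>", "Arn"]}; undefined for anything else.
function getAttLogicalId(v: any): string | undefined {
  const parts = v?.['Fn::GetAtt'];
  return Array.isArray(parts) && parts[1] === 'Arn' ? parts[0] : undefined;
}
function trustsAccountRoot(role: any): boolean {
  return asArray(role?.Properties?.AssumeRolePolicyDocument?.Statement).some(s =>
    s.Effect === 'Allow' && asArray(s.Principal?.AWS).some(p => flattenIntrinsic(p).slice(-5) === ':root'));
}
// Statements attached to a role: inline Policies plus AWS::IAM::Policy resources whose
// Roles list references it (the shape of a CDK-generated DefaultPolicy).
function statementsForRole(tpl: CfnTemplate, roleId: string): any[] {
  const out: any[] = [];
  for (const p of asArray(tpl.Resources[roleId]?.Properties?.Policies)) out.push(...asArray(p.PolicyDocument?.Statement));
  for (const id of Object.keys(tpl.Resources)) {
    const res = tpl.Resources[id];
    if (res.Type === 'AWS::IAM::Policy' && asArray(res.Properties?.Roles).some(r => r?.Ref === roleId))
      out.push(...asArray(res.Properties?.PolicyDocument?.Statement));
  }
  return out;
}
function canAssume(stmts: any[], actionRoleId: string): boolean {
  const want = '${' + actionRoleId + '.Arn}';
  return stmts.some(s => s.Effect === 'Allow'
    && asArray(s.Action).some(a => a === 'sts:AssumeRole' || a === 'sts:*' || a === '*')
    && asArray(s.Resource).some(r => r === '*' || flattenIntrinsic(r) === want));
}
function auditPipelineRoles(tpl: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const id of Object.keys(tpl.Resources)) {
    const res = tpl.Resources[id];
    if (res.Type !== 'AWS::CodePipeline::Pipeline') continue;
    const pipelineRole = getAttLogicalId(res.Properties?.RoleArn);
    if (!pipelineRole) continue;
    const stmts = statementsForRole(tpl, pipelineRole);
    for (const stage of asArray(res.Properties?.Stages)) {
      for (const action of asArray(stage.Actions)) {
        const actionRole = getAttLogicalId(action.RoleArn);
        if (!actionRole) continue;  // no RoleArn: the action runs as the pipeline role itself
        findings.push({ actionRole, pipelineRole,
          trustsAccountRoot: trustsAccountRoot(tpl.Resources[actionRole]),
          pipelineCanAssume: canAssume(stmts, actionRole) });
      }
    }
  }
  return findings;
}
function report(findings: Finding[]): string[] {
  return findings.map(f => {
    const gaps: string[] = [];
    if (f.trustsAccountRoot) gaps.push('trusts the account root rather than ' + f.pipelineRole);
    if (!f.pipelineCanAssume) gaps.push(f.pipelineRole + ' lacks sts:AssumeRole on it');
    return f.actionRole + ': ' + (gaps.length ? gaps.join('; ') : 'ok');
  });
}
// Constructed sample mirroring the template in the issue, trimmed to the relevant
// resources; the pipeline role's policy carries no sts:AssumeRole, matching the error.
const ROOT_ARN = { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::', { Ref: 'AWS::AccountId' }, ':root']] };
const SAMPLE_TEMPLATE: CfnTemplate = { Resources: {
  devPipelineRole5B29FEBC: { Type: 'AWS::IAM::Role', Properties: { AssumeRolePolicyDocument: { Version: '2012-10-17',
    Statement: [{ Action: 'sts:AssumeRole', Effect: 'Allow', Principal: { Service: 'codepipeline.amazonaws.com' } }] } } },
  devPipelineRoleDefaultPolicy: { Type: 'AWS::IAM::Policy', Properties: { Roles: [{ Ref: 'devPipelineRole5B29FEBC' }],
    PolicyDocument: { Version: '2012-10-17', Statement: [{ Action: ['s3:GetObject*', 's3:PutObject*'], Effect: 'Allow', Resource: '*' }] } } },
  devPipelineBuildCodePipelineActionRole8696D056: { Type: 'AWS::IAM::Role', Properties: { AssumeRolePolicyDocument: {
    Version: '2012-10-17', Statement: [{ Action: 'sts:AssumeRole', Effect: 'Allow', Principal: { AWS: ROOT_ARN } }] } } },
  devPipeline: { Type: 'AWS::CodePipeline::Pipeline', Properties: {
    RoleArn: { 'Fn::GetAtt': ['devPipelineRole5B29FEBC', 'Arn'] },
    Stages: [{ Name: 'Build', Actions: [{ Name: 'Build', RunOrder: 1,
      ActionTypeId: { Category: 'Build', Owner: 'AWS', Provider: 'CodeBuild', Version: '1' },
      Configuration: { ProjectName: { Ref: 'BuildAndTestB9A2F419' } }, InputArtifacts: [{ Name: 'SourceOutput' }],
      RoleArn: { 'Fn::GetAtt': ['devPipelineBuildCodePipelineActionRole8696D056', 'Arn'] } }] }] } },
} };
for (const line of report(auditPipelineRoles(SAMPLE_TEMPLATE))) console.log(line);
```

To run it against a real stack, replace `SAMPLE_TEMPLATE` with `JSON.parse(fs.readFileSync('cdk.out/<Stack>.template.json', 'utf8'))`. On the sample it reports that the action role trusts the account root and that `devPipelineRole5B29FEBC` lacks `sts:AssumeRole` on it; narrowing the trust policy's principal to the pipeline role's ARN and adding an `sts:AssumeRole` statement for the action role to the pipeline role's policy clears both flags. The check is purely static, so it cannot see account-level controls such as service control policies or permission boundaries that can still deny `AssumeRole` at runtime, which is one reason the same template can work in one account and fail in another.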
Top GitHub Comments
Hi,
I have created S3, CodeBuild, manual approval action roles and CodePipeline roles in CDK and still had to:
In my case, it might do something since I am using a corporate account with federated login, and I think that might do something with the setup of the account, and arn:aws:iam::<account>:root does not work in this case.
Best regards, Grega
On Fri, Sep 4, 2020 at 6:09 AM Subesh notifications@github.com wrote:
@subeshb1 Do you know how to delete also the unwanted and dangling roles and policies?