
[aws-codepipeline-actions] Cannot assume role by code pipeline on code pipeline action AWS CDK


❓ General Issue

I have been playing with AWS CDK and was working on building a CodePipeline stack on my AWS Educate account. The user that I am using has enough permission to access and use CodePipeline. My problem is, AWS CDK generates a role for the CodePipeline action whose Principal is the ARN of the root account. So it doesn't have the permission to perform AssumeRole on the root account.

Action code:

{
  stageName: "Build",
  actions: [
    new codepipelineActions.CodeBuildAction({
      actionName: "Build",
      input: sourceOutput,
      project: builder
    })
  ]
}

CloudFormation template output:

"devPipelineBuildCodePipelineActionRole8696D056": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
+                "AWS": {
+                  "Fn::Join": [
+                    "",
+                    [
+                      "arn:",
+                      {
+                        "Ref": "AWS::Partition"
+                      },
+                      ":iam::",
+                      {
+                        "Ref": "AWS::AccountId"
+                      },
+                      ":root"
+                    ]
+                  ]
+                }
+              }
+            }
          ],
          "Version": "2012-10-17"
        }
      },
      "Metadata": {
        "aws:cdk:path": "PipeLineStack/dev-Pipeline/Build/Build/CodePipelineActionRole/Resource"
      }
    }
...
{
  "Actions": [
    {
      "ActionTypeId": {
        "Category": "Build",
        "Owner": "AWS",
        "Provider": "CodeBuild",
        "Version": "1"
      },
      "Configuration": {
        "ProjectName": {
          "Ref": "BuildAndTestB9A2F419"
        }
      },
      "InputArtifacts": [
        {
          "Name": "SourceOutput"
        }
      ],
      "Name": "Build",
+      "RoleArn": {
+        "Fn::GetAtt": [
+          "devPipelineBuildCodePipelineActionRole8696D056",
+          "Arn"
+        ]
+      },
      "RunOrder": 1
    }
  ],
  "Name": "Build"
}

This will throw the error:

arn:aws:iam::acount_id:role/PipeLineStack-devPipelineRole5B29FEBC-1JK24J0K5N1UG is not authorized to perform AssumeRole on role arn:aws:iam::acount_id:role/PipeLineStack-devPipelineBuildCodePipelineActionRo-17ETJU1KZCCNQ (Service: AWSCodePipeline; Status Code: 400; Error Code: InvalidStructureException; Request ID: c8c8af89-2409-4cc1-aad8-4de553a1764f; Proxy: null)

If I remove the RoleArn from the action and execute the template, it works.


{
  "Actions": [
    {
      "ActionTypeId": {
        "Category": "Build",
        "Owner": "AWS",
        "Provider": "CodeBuild",
        "Version": "1"
      },
      "Configuration": {
        "ProjectName": {
          "Ref": "BuildAndTestB9A2F419"
        }
      },
      "InputArtifacts": [
        {
          "Name": "SourceOutput"
        }
      ],
      "Name": "Build",
-      "RoleArn": {
-        "Fn::GetAtt": [
-          "devPipelineBuildCodePipelineActionRole8696D056",
-          "Arn"
-        ]
-      },
      "RunOrder": 1
    }
  ],
  "Name": "Build"
}

The Question

My question is, how do I prevent CDK from adding a default role with a Principal using the root account, or is there a workaround for it?

Environment

  • CDK CLI Version: v1.61.1
  • Module Version: v1.61.1
  • Node.js Version: v12.14.0
  • OS: OSX Catalina
  • Language (Version): TypeScript (3.8.3)

Other information

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 10 (2 by maintainers)

Top GitHub Comments

2 reactions
zgre commented, Sep 4, 2020

Hi,

I have created S3, CodeBuild, manual approval action roles and CodePipeline roles in CDK and still had to:

  1. Remove RoleArn entries in actions section in synthesized CF code
  2. Add assume role statements for action roles to code pipeline role

In my case, it might be because I am using a corporate account with federated login; I think that affects the setup of the account, and arn:aws:iam::<account>:root does not work in this case.

Best regards, Grega

On Fri, Sep 4, 2020 at 6:09 AM Subesh notifications@github.com wrote:

Hi @skinny85 https://github.com/skinny85, thanks for the response. I did try passing an existing role with the trusted entity codepipeline.amazonaws.com. It still returned the same error, however. The only solution I came across is removing the role ARN in the CodePipeline actions.

I am currently using the AWS Educate account. Maybe that is why I might not be allowed to assume role in certain cases.


1 reaction
zgre commented, Sep 25, 2020

@subeshb1 Do you know how to delete also the unwanted and dangling roles and policies?
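Both halves of the trust relationship this thread is about (the action role's trust policy, which in the synthesized template names the account root, and the pipeline role's own sts:AssumeRole grant, the thing zgre adds by hand in step 2 above) can be checked in the synthesized template before anything is deployed. The script below is an added example written for this page; it is not code from the issue, from aws-cdk, or from any commenter. It runs over a constructed sample template modeled on the resources shown in the issue: the two role logical ids are taken from the issue's output, while the pipeline and policy logical ids (`devPipelinePLACEHOLDER`, `devPipelineRoleDefaultPolicyPLACEHOLDER`) are placeholders, and the shape of the AWS::IAM::Policy resource that carries the pipeline role's grant is an assumption made here.

```python
"""Audit the trust relationships behind CodePipeline action roles in a synthesized
CloudFormation template. For every action with its own RoleArn, report which principals
the action role trusts (the generated role in the issue trusts the account root) and
whether the pipeline role is granted sts:AssumeRole on it. A root-principal trust policy
only delegates the decision to the assuming identity's own policies, so both must hold."""
import json

# Constructed sample modeled on the resources shown in the issue. The two role logical
# ids come from the issue; the pipeline and policy ids are placeholders invented here.
SAMPLE_TEMPLATE = {"Resources": {
    "devPipelineRole5B29FEBC": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Action": "sts:AssumeRole", "Effect": "Allow",
             "Principal": {"Service": "codepipeline.amazonaws.com"}}]}}},
    "devPipelineBuildCodePipelineActionRole8696D056": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"AWS": {"Fn::Join": ["", [
                "arn:", {"Ref": "AWS::Partition"}, ":iam::", {"Ref": "AWS::AccountId"}, ":root"]]}}}]}}},
    "devPipelineRoleDefaultPolicyPLACEHOLDER": {"Type": "AWS::IAM::Policy", "Properties": {
        "Roles": [{"Ref": "devPipelineRole5B29FEBC"}],  # assumed shape of the pipeline role's grant
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Action": "sts:AssumeRole", "Effect": "Allow", "Resource": {"Fn::GetAtt": [
                "devPipelineBuildCodePipelineActionRole8696D056", "Arn"]}}]}}},
    "devPipelinePLACEHOLDER": {"Type": "AWS::CodePipeline::Pipeline", "Properties": {
        "RoleArn": {"Fn::GetAtt": ["devPipelineRole5B29FEBC", "Arn"]},
        "Stages": [
            {"Name": "Source", "Actions": [{"Name": "Source", "RunOrder": 1}]},
            {"Name": "Build", "Actions": [{"Name": "Build", "RunOrder": 1, "RoleArn": {"Fn::GetAtt": [
                "devPipelineBuildCodePipelineActionRole8696D056", "Arn"]}}]}]}}}}


def _as_list(value): return value if isinstance(value, list) else [value]


def _getatt_role(value):
    """Logical id of a role referenced as {"Fn::GetAtt": [<id>, "Arn"]}, else None."""
    if isinstance(value, dict) and value.get("Fn::GetAtt", [None, None])[1] == "Arn":
        return value["Fn::GetAtt"][0]
    return None


def render(value):
    """Flatten a string / Ref / Fn::GetAtt / Fn::Join into a readable ARN-like string."""
    if isinstance(value, str):
        return value
    if "Ref" in value:
        return "${%s}" % value["Ref"]
    if "Fn::GetAtt" in value:
        return "${%s.%s}" % tuple(value["Fn::GetAtt"])
    sep, parts = value["Fn::Join"]
    return sep.join(render(p) for p in parts)


def _allow_assume(doc):
    """Allow statements for sts:AssumeRole in a policy document."""
    return [s for s in doc["Statement"]
            if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action", []))]


def trust_principals(role):
    """Principals the role's trust policy lets call sts:AssumeRole, as 'KIND:value'."""
    out = []
    for stmt in _allow_assume(role["Properties"]["AssumeRolePolicyDocument"]):
        for kind in ("AWS", "Service"):
            out += [f"{kind}:{render(p)}" for p in _as_list(stmt.get("Principal", {}).get(kind, []))]
    return out


def assume_grants(resources, role_id):
    """Logical ids of roles that role_id may assume, from its inline Policies and from
    AWS::IAM::Policy resources attached to it."""
    docs = [p["PolicyDocument"] for p in resources[role_id]["Properties"].get("Policies", [])]
    docs += [r["Properties"]["PolicyDocument"] for r in resources.values()
             if r["Type"] == "AWS::IAM::Policy" and {"Ref": role_id} in r["Properties"].get("Roles", [])]
    return {_getatt_role(res) for doc in docs for stmt in _allow_assume(doc)
            for res in _as_list(stmt.get("Resource", [])) if _getatt_role(res)}


def audit(template):
    """One finding per pipeline action that carries its own RoleArn; template is the parsed
    JSON of the synthesized stack."""
    resources, findings = template["Resources"], []
    for pipe_id, res in resources.items():
        if res["Type"] != "AWS::CodePipeline::Pipeline":
            continue
        pipeline_role = _getatt_role(res["Properties"].get("RoleArn"))
        granted = assume_grants(resources, pipeline_role) if pipeline_role else set()
        for stage in res["Properties"]["Stages"]:
            for action in stage["Actions"]:
                action_role = _getatt_role(action.get("RoleArn"))
                if action_role is None:
                    continue  # no RoleArn: the action runs as the pipeline role itself
                trusts = trust_principals(resources[action_role])
                findings.append({
                    "pipeline": pipe_id, "stage": stage["Name"], "action": action["Name"],
                    "action_role": action_role, "trusts": trusts,
                    "trusts_account_root": any(t.endswith(":root") for t in trusts),
                    "pipeline_role_can_assume": action_role in granted})
    return findings


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_TEMPLATE), indent=2))
```

To audit a real stack, pass `json.load()` of the template file that `cdk synth` writes under `cdk.out/` instead of `SAMPLE_TEMPLATE`. A finding with `trusts_account_root` true and `pipeline_role_can_assume` false is the combination IAM rejects: a trust policy that names only the account root does not by itself authorize the pipeline role, so the pipeline role also needs its own sts:AssumeRole statement on the action role's ARN.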
