[cdk-pipelines] Cross Account CodePipeline IAM roles not configured correctly to pull from Code Commit
When I try to read from code commit cross account, IAM roles are configured incorrectly. I need you to either support this use case or show me how to do it.
Below is code which creates a role that assumes a cross-account role that has permissions to pull from the code commit repo (also cross-account). I hand this role and the reference to the repo to the CodeCommitSourceAction on the pipeline. But when I look at the roles that are created and associated with the pipeline, it directly allows the cross-account repo instead of trying to assume the role (created below) which assumes the cross-account role which has access to the code commit repo.
Let me draw this out:
```text
cross account boundary = |
(what should happen)      pipeline -> CodeCommitSourceAction -> (should assume role being created below) -> | cross account role (has access to) -> code commit repo
(what actually happens)   pipeline -> CodeCommitSourceAction -> pipeline role -> source pipeline role (direct access) -> | code commit repo
```
```typescript
import { Artifact } from '@aws-cdk/aws-codepipeline';
import { CodeCommitSourceAction } from '@aws-cdk/aws-codepipeline-actions';
import { Repository } from '@aws-cdk/aws-codecommit';
import { PolicyDocument, PolicyStatement, Role, ServicePrincipal } from '@aws-cdk/aws-iam';
import { CdkPipeline, SimpleSynthAction } from '@aws-cdk/pipelines';

// Inside the pipeline stack's constructor (`this` is the Stack).
const sourceArtifact = new Artifact();
const cloudAssemblyArtifact = new Artifact();

// Repository in the other account, referenced by ARN only.
const sourceRepo = Repository.fromRepositoryArn(
  this,
  'source-git-repo',
  'arn:aws:codecommit:<some-region>:<insert-cross-account-here>:some-repo',
);

// Role in this account that CodePipeline can assume; its only permission is to
// assume the cross-account role that actually has access to the repository.
const sourceReadRole = new Role(this, this.stackName + '-src-read-role', {
  assumedBy: new ServicePrincipal('codepipeline.amazonaws.com'),
  inlinePolicies: {
    assume_cross_account_repo_role: new PolicyDocument({
      statements: [
        new PolicyStatement({
          resources: ['<cross-account-role-arn-here>'],
          actions: ['sts:AssumeRole'],
        }),
      ],
    }),
  },
});

const pipeline = new CdkPipeline(this, 'CodePipeline', {
  // The pipeline name
  pipelineName: 'my-pipeline',
  cloudAssemblyArtifact,
  sourceAction: new CodeCommitSourceAction({
    actionName: 'CodeCommit',
    repository: sourceRepo,
    branch: 'some-branch',
    output: sourceArtifact,
    role: sourceReadRole,
  }),
  synthAction: SimpleSynthAction.standardNpmSynth({
    sourceArtifact,
    cloudAssemblyArtifact,
    // TODO: clean up these comments once I have these working properly.
    // Use this if you need a build step (if you're not using ts-node
    // or if you have TypeScript Lambdas that need to be compiled).
    buildCommand: 'npm run test',
  }),
  cdkCliVersion: '1.63.0',
});
```
Use Case
It is best practice to separate your resources into separate accounts thus code pipeline needs to read codecommit cross-account.
Proposed Solution
I don’t know of a full workaround, but my proposed solution would most likely be, on the auto-generated code pipeline source code commit role, just assume the role passed to the CodeCommitSourceAction (assuming there is one).
- 👋 I may be able to implement this feature request
- ⚠️ This feature might incur a breaking change
This is a 🚀 Feature Request
Issue Analytics
- Created 3 years ago
- Comments: 28 (13 by maintainers)
Yes, that’s a problem with our CLI unfortunately. What you can do is use the `-e`/`--exclusively` switch:

That should work!

BTW, also check out the CDK Pipelines module - it might make your life a little bit easier (depending on what exactly you’re deploying in that CodePipeline).
Yes. Simply import the Repository into a CDK Stack that has the `env` property set to account A. Then, just pass that `repository` object to the `CodeCommitSourceAction` in the Pipeline’s Stack in account B. The CDK will handle the rest, no manual steps required 🙂.