Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[cdk-pipelines] Cross Account CodePipeline IAM roles not configured correctly to pull from Code Commit

See original GitHub issue

When I try to read from code commit cross account, IAM roles are configured incorrectly. I need you to either support this use case or show me how to do it.

Below is code which creates a role that assumes a cross-account role that has permissions to pull from the code commit repo (also cross-account). I hand this role and the reference to the repo to the CodeCommitSourceAction on the pipeline. But when I look at the roles that are created and associated with the pipeline, it directly allows the cross-account repo instead of trying to assume the role (created below) which assumes the cross-account role which has access to the code commit repo.

Let me draw this out:

cross account boundary = |

(what should happen) pipeline -> CodeCommitSourceAction -> (should assume role being created below) -> | cross account role (has access to) -> code commit repo

(what actually happens) pipeline -> CodeCommitSourceAction -> pipeline role -> source pipeline role (direct access) -> | code commit repo

const sourceRepo = Repository.fromRepositoryArn(
let sourceReadRole = new Role(this, this.stackName + '-src-read-role',
                assumedBy: new ServicePrincipal(''),
                inlinePolicies: {
                    assume_cross_account_repo_role: new PolicyDocument({
                        statements: [
                            new PolicyStatement({
                                resources: [
                                actions: [
        const pipeline = new CdkPipeline(this, 'CodePipeline', {
            // The pipeline name
            pipelineName: 'my-pipeline',

            sourceAction: new CodeCommitSourceAction(
                    actionName: 'CodeCommit',
                    repository: sourceRepo,
                    branch: 'some-branch',
                    output: sourceArtifact,
                    role: sourceReadRole

            synthAction: SimpleSynthAction.standardNpmSynth({

                // TODO: clean up these comments once I have these working properly.
                // Use this if you need a build step (if you're not using ts-node
                // or if you have TypeScript Lambdas that need to be compiled).
                buildCommand: 'npm run test',

            cdkCliVersion: '1.63.0'

Use Case

It is best practice to separate your resources into separate accounts thus code pipeline needs to read codecommit cross-account.

Proposed Solution

I don’t know of a full workaround, but my proposed solution would most likely be, on the auto-generated code pipeline source code commit role, just assume the role passed to the CodeCommitSourceAction (assuming there is one).

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:28 (13 by maintainers)

github_iconTop GitHub Comments

skinny85commented, Feb 9, 2021

Yes, that’s a problem with our CLI unfortunately. What you can do is use the -e / --exclusively switch:

$ cdk deploy --profile accA EventBusPolicy-accountA-region-accountB
$ cdk deploy --profile accA Repostack
$ cdk deploy --profile accB -e poc-2-crossacount-pipeline-dev

That should work!

BTW, also check out the CDK Pipelines module - it might make your life a little bit easier (depending on what exactly you’re deploying in that CodePipeline).

skinny85commented, Feb 8, 2021

Yes. Simply import the the Repository into a CDK Stack that has the env property set to account A. Then, just pass that repository object to the CodeCommitSourceAction in the Pipeline’s Stack in account B.

The CDK will handle the rest, no manual steps required 🙂.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Create a pipeline in CodePipeline that uses resources from ...
Create a second role in AccountB configured for cross-account access. This second role must not only have access to the Amazon S3 bucket...
Read more >
CodeBuild failed for cross-account CI/CD pipeline
If you want to perform lookups in the pipeline itself, your synth step has to have the explicit permission to assume the lookup...
Read more >
AWS CDK cross-account deployments with CDK Pipelines ...
What this command is doing is saying that each <trusted account id> in the list will be allowed to assume particular IAM roles...
Read more >
You can deploy to the same account and Region, or to a different one, with the same amount of code. The CDK Pipelines...
Read more >
Automating cross-account CI/CD pipelines [REPEAT] - YouTube
Also explore a real-world customer use case that is deploying at scale across hundreds of AWS accounts. Learn more about re:Invent 2021 at ......
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found