
[cdk-pipelines] Cross Account CodePipeline IAM roles not configured correctly to pull from Code Commit


When I try to read from CodeCommit cross-account, IAM roles are configured incorrectly. I need you to either support this use case or show me how to do it.

Below is code which creates a role that assumes a cross-account role that has permissions to pull from the CodeCommit repo (also cross-account). I hand this role and the reference to the repo to the CodeCommitSourceAction on the pipeline. But when I look at the roles that are created and associated with the pipeline, it directly allows the cross-account repo instead of trying to assume the role (created below), which assumes the cross-account role which has access to the CodeCommit repo.

Let me draw this out:

cross account boundary = |

(what should happen) pipeline -> CodeCommitSourceAction -> (should assume role being created below) -> | cross account role (has access to) -> code commit repo

(what actually happens) pipeline -> CodeCommitSourceAction -> pipeline role -> source pipeline role (direct access) -> | code commit repo


// Imports added so the snippet compiles (CDK v1 package names, matching cdkCliVersion below).
// The snippet is written to run inside a Stack constructor, where `this` is the Stack.
import { Artifact } from '@aws-cdk/aws-codepipeline';
import { CodeCommitSourceAction } from '@aws-cdk/aws-codepipeline-actions';
import { Repository } from '@aws-cdk/aws-codecommit';
import { PolicyDocument, PolicyStatement, Role, ServicePrincipal } from '@aws-cdk/aws-iam';
import { CdkPipeline, SimpleSynthAction } from '@aws-cdk/pipelines';

// Artifacts passed between the source and synth actions; the original snippet
// referenced these without declaring them (assumed to be plain CodePipeline Artifacts).
const sourceArtifact = new Artifact();
const cloudAssemblyArtifact = new Artifact();

// Repository that lives in the other account (placeholders kept as posted).
const sourceRepo = Repository.fromRepositoryArn(
    this,
    'source-git-repo',
    'arn:aws:codecommit:<some-region>:<insert-cross-account-here>:some-repo',
);

// Role in the pipeline account whose only permission is to assume the
// cross-account role that can actually pull from the repo.
const sourceReadRole = new Role(this, this.stackName + '-src-read-role', {
    assumedBy: new ServicePrincipal('codepipeline.amazonaws.com'),
    inlinePolicies: {
        assume_cross_account_repo_role: new PolicyDocument({
            statements: [
                new PolicyStatement({
                    resources: ['<cross-account-role-arn-here>'],
                    actions: ['sts:AssumeRole'],
                }),
            ],
        }),
    },
});

const pipeline = new CdkPipeline(this, 'CodePipeline', {
    // The pipeline name
    pipelineName: 'my-pipeline',
    cloudAssemblyArtifact,

    // The assume-only role is handed to the source action here
    sourceAction: new CodeCommitSourceAction({
        actionName: 'CodeCommit',
        repository: sourceRepo,
        branch: 'some-branch',
        output: sourceArtifact,
        role: sourceReadRole,
    }),

    synthAction: SimpleSynthAction.standardNpmSynth({
        sourceArtifact,
        cloudAssemblyArtifact,

        // TODO: clean up these comments once I have these working properly.
        // Use this if you need a build step (if you're not using ts-node
        // or if you have TypeScript Lambdas that need to be compiled).
        buildCommand: 'npm run test',
    }),

    cdkCliVersion: '1.63.0',
});

Use Case

It is best practice to separate your resources into separate accounts, thus CodePipeline needs to read CodeCommit cross-account.

Proposed Solution

I don't know of a full workaround, but my proposed solution would most likely be: on the auto-generated CodePipeline source CodeCommit role, just assume the role passed to the CodeCommitSourceAction (assuming there is one).

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 28 (13 by maintainers)

Top GitHub Comments

1 reaction
skinny85 commented, Feb 9, 2021

Yes, that’s a problem with our CLI unfortunately. What you can do is use the -e / --exclusively switch:

$ cdk deploy --profile accA EventBusPolicy-accountA-region-accountB
$ cdk deploy --profile accA Repostack
$ cdk deploy --profile accB -e poc-2-crossacount-pipeline-dev

That should work!

BTW, also check out the CDK Pipelines module - it might make your life a little bit easier (depending on what exactly you’re deploying in that CodePipeline).

1 reaction
skinny85 commented, Feb 8, 2021

Yes. Simply import the Repository into a CDK Stack that has the env property set to account A. Then, just pass that repository object to the CodeCommitSourceAction in the Pipeline's Stack in account B.

The CDK will handle the rest, no manual steps required 🙂.
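The issue body describes the chain the author expected (pipeline role, then an assume-only role, then a role in the other account, then the repo) and what the generated roles actually granted; the comment above says that once the repository is imported into a stack whose env is account A, the CDK generates the cross-account wiring itself. In both cases the thing to verify is the synthesized template. The following is an added example, not code from the issue or from the aws-cdk project: a TypeScript audit that scans `cdk synth` output for IAM policy statements whose Resource ARNs sit in a different account than the stack and labels each one as an sts:AssumeRole hop or a direct grant. The sample template, its logical ids, the role names and the account ids 111111111111 / 222222222222 are constructed placeholders.

```typescript
// Added example; not code from the issue or from the aws-cdk project.
// Scans a synthesized CloudFormation template for IAM policy statements whose
// Resource ARNs belong to a different account than the stack, and labels each
// as an sts:AssumeRole hop into a role in that account (the expected chain)
// or a direct grant on the foreign resource (what the issue author found on
// the generated pipeline source role).

type Json = any;

interface Finding {
  role: string;                    // logical id (or name) of the role carrying the statement
  account: string;                 // account id parsed from the foreign ARN
  arn: string;
  kind: 'assume-role' | 'direct';  // hop into a role vs. direct access to the resource
}

// arn:aws:<service>:<region>:<12-digit account>:<rest>
const ARN_RE = /^arn:aws:([^:]*):[^:]*:(\d{12}):/;

function toList(v: Json): Json[] {
  if (v === undefined || v === null) return [];
  return Array.isArray(v) ? v : [v];
}

// A Roles entry of AWS::IAM::Policy is either a literal name or { Ref: LogicalId }.
function roleName(r: Json): string {
  return typeof r === 'string' ? r : (r && r.Ref ? r.Ref : JSON.stringify(r));
}

function classify(stmt: Json, role: string, stackAccount: string, out: Finding[]): void {
  if (!stmt || stmt.Effect !== 'Allow') return;
  const actions = toList(stmt.Action).map(String);
  for (const res of toList(stmt.Resource)) {
    if (typeof res !== 'string') continue;   // Fn::Join / Fn::Sub are not resolved here
    const m = ARN_RE.exec(res);
    if (!m || m[2] === stackAccount) continue;
    const hop = m[1] === 'iam' && actions.some(a => a === 'sts:AssumeRole' || a === 'sts:*');
    out.push({ role, account: m[2], arn: res, kind: hop ? 'assume-role' : 'direct' });
  }
}

function auditCrossAccount(template: Json, stackAccount: string): Finding[] {
  const findings: Finding[] = [];
  const resources: Json = template.Resources || {};
  for (const id of Object.keys(resources)) {
    const res = resources[id];
    if (res.Type === 'AWS::IAM::Role') {
      // Inline policies declared on the role itself
      for (const p of toList(res.Properties && res.Properties.Policies)) {
        for (const s of toList(p.PolicyDocument && p.PolicyDocument.Statement)) {
          classify(s, id, stackAccount, findings);
        }
      }
    } else if (res.Type === 'AWS::IAM::Policy') {
      // Standalone policy attached to one or more roles (the shape the CDK usually emits)
      const props = res.Properties || {};
      const roles = toList(props.Roles).map(roleName);
      for (const s of toList(props.PolicyDocument && props.PolicyDocument.Statement)) {
        for (const r of roles) classify(s, r, stackAccount, findings);
      }
    }
  }
  return findings;
}

function directCrossAccountGrants(template: Json, stackAccount: string): Finding[] {
  return auditCrossAccount(template, stackAccount).filter(f => f.kind === 'direct');
}

// Constructed sample: 222222222222 stands for the pipeline account and 111111111111
// for the account that owns the repository. Neither is a real account.
const SAMPLE_TEMPLATE: Json = {
  Resources: {
    PipelineSourceRole: { Type: 'AWS::IAM::Role', Properties: { AssumeRolePolicyDocument: {} } },
    PipelineSourceRolePolicy: {
      Type: 'AWS::IAM::Policy',
      Properties: {
        Roles: [{ Ref: 'PipelineSourceRole' }],
        PolicyDocument: { Statement: [{
          Effect: 'Allow',
          Action: ['codecommit:GitPull', 'codecommit:GetBranch'],
          Resource: 'arn:aws:codecommit:us-east-1:111111111111:some-repo',  // direct grant across the boundary
        }] },
      },
    },
    SrcReadRole: {
      Type: 'AWS::IAM::Role',
      Properties: {
        AssumeRolePolicyDocument: {},
        Policies: [{ PolicyName: 'assume_cross_account_repo_role', PolicyDocument: { Statement: [{
          Effect: 'Allow',
          Action: 'sts:AssumeRole',
          Resource: 'arn:aws:iam::111111111111:role/repo-read-role',  // hop into the repo account
        }] } }],
      },
    },
  },
};

// Usage: pass the parsed cdk.out/<stack>.template.json and the stack's own account id.
for (const f of directCrossAccountGrants(SAMPLE_TEMPLATE, '222222222222')) {
  console.log(`direct cross-account grant on role ${f.role}: ${f.arn}`);
}
```

A `direct` finding on the generated source role is the symptom the issue describes; an `assume-role` finding into the other account is the chain the author wanted, and with the maintainer's approach the hop shows up on the CDK-generated action role instead of a hand-built one. Resources written with Fn::Join or Fn::Sub are skipped, so resolve them (or inspect the deployed role) before treating an empty result as clean.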
