
CodeBuild: Associating an existing IAM role to a CodeBuild project results in exception


Describe the bug

Creating a new CodeBuild project and associating an existing IAM role results in "Policy must be attached to at least one principal: user, group or role" during synthesis. My best guess is that the default policy generated by CDK is getting orphaned instead of disregarded in the case where an existing IAM role is specified?

To Reproduce

Using the following code to make the association:

val codeBuildProjectRole = Role.fromRoleArn(
    this,
    "code-build-project-role",
    "arn:aws:iam::1234567890:role/service-role/codebuild-bruiser-service-role"
)

val projectProps = ProjectProps.builder()
    .withEnvironment(buildEnvironment)
    .withProjectName(appName)
    .withSource(gitHubEnterpriseSource)
    .withBuildSpec("buildspec.yml")
    .withVpc(props.vpc)
    .withRole(codeBuildProjectRole)
    .withArtifacts(NoBuildArtifacts())
    .withSecondaryArtifacts(
        listOf(
            s3BucketBuildArtifacts
        )
    )
    .build()

val project = Project(this, "code-build-project", projectProps)

Expected behavior

Associating a valid existing role to a CodeBuild project should not result in an exception.

Version:

  • Ubuntu 18.04
  • Kotlin using Java CDK artifacts
  • 0.32.0

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 9 (6 by maintainers)

Top GitHub Comments

pcolazurdo commented, Jan 7, 2020

The problem seems to be in the code for IAM: Service Roles are supported in CodeBuild, but IAM Policy is expecting a Role Name and not a /path/RoleName:

"codebuildEmbeddedMetricsPolicy11DBAAB4": {
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyDocument": {
      "Statement": [
        ...
    "PolicyName": "codebuildEmbeddedMetricsPolicy11DBAAB4",
    "Roles": [
      "service-role/codebuild-EmbeddedMetrics-service-role"
    ]
  },
...

If I manually change this with:

"Roles": [
  "codebuild-EmbeddedMetrics-service-role"
]

it works totally fine.
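The comment above attributes the failure to how the role name is derived from the imported ARN: CloudFormation's AWS::IAM::Policy "Roles" property takes bare role names, while a role created through the console as a service role lives under the /service-role/ path, so the path-qualified resource string from the ARN is not a valid entry. The Python below is an added example for this thread, not code from the AWS CDK project or from the issue. It parses a role ARN into partition, account, path and name, exposes the path-qualified string that ended up in the template beside the bare name that CloudFormation accepts, and emits a policy resource built from the latter. Every ARN, policy name and statement in it is a constructed placeholder.

```python
"""Role-ARN handling for the AWS::IAM::Policy 'Roles' property.

Added example for this thread; it is not code from the AWS CDK project or
from the issue.  All ARNs, names and statements below are constructed
placeholders.
"""
import json
import re
from typing import NamedTuple

# arn:<partition>:iam::<12-digit account>:role/<optional path/>RoleName
# Partition covers aws, aws-cn and aws-us-gov.
_ROLE_ARN = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z]+)*):iam::(?P<account>\d{12}):role/(?P<resource>.+)$"
)


class RoleArn(NamedTuple):
    partition: str
    account: str
    path: str       # IAM path, '/'-delimited, e.g. '/service-role/' or just '/'
    role_name: str  # bare name; this is what AWS::IAM::Policy 'Roles' expects


def is_role_arn(arn: str) -> bool:
    """True when the string has the shape of an IAM role ARN."""
    return _ROLE_ARN.match(arn) is not None


def resource_with_path(arn: str) -> str:
    """Everything after 'role/': the path-qualified string that the template
    in the comment above carried into 'Roles' and that CloudFormation rejects."""
    m = _ROLE_ARN.match(arn)
    if m is None:
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    return m.group("resource")


def parse_role_arn(arn: str) -> RoleArn:
    """Split a role ARN into its parts, separating the IAM path from the name.

    Role names cannot contain '/', so the last '/' in the resource part is
    always the boundary between path and name.  A resource with no '/' is a
    role at the root path '/'.
    """
    m = _ROLE_ARN.match(arn)
    if m is None:
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    path_part, _, role_name = m.group("resource").rpartition("/")
    if not role_name:
        raise ValueError(f"role ARN has a path but no role name: {arn!r}")
    path = f"/{path_part}/" if path_part else "/"
    return RoleArn(m.group("partition"), m.group("account"), path, role_name)


def iam_policy_resource(policy_name: str, statements: list, role_arn: str) -> dict:
    """Build an AWS::IAM::Policy resource whose 'Roles' entry is the bare role
    name, regardless of the path the ARN carries."""
    return {
        "Type": "AWS::IAM::Policy",
        "Properties": {
            "PolicyDocument": {"Version": "2012-10-17", "Statement": statements},
            "PolicyName": policy_name,
            "Roles": [parse_role_arn(role_arn).role_name],
        },
    }


if __name__ == "__main__":
    # Constructed ARN with the same shape as a console-created service role.
    arn = "arn:aws:iam::123456789012:role/service-role/codebuild-example-service-role"
    parsed = parse_role_arn(arn)
    print("resource incl. path (rejected):", resource_with_path(arn))
    print("path:", parsed.path, "| bare name (accepted):", parsed.role_name)
    # Constructed least-privilege statement standing in for the elided one above.
    statement = [{"Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "*"}]
    print(json.dumps(iam_policy_resource("ExamplePolicy", statement, arn), indent=2))
```

Because IAM forbids "/" in role names, splitting on the last "/" is exact rather than heuristic, and it also handles nested paths such as /team/ci/; the account-ID check is strict at twelve digits, so a placeholder ARN with fewer digits is rejected rather than silently accepted.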

skinny85 commented, Jan 7, 2020

Aaah, I get it now 😃. Thanks @pcolazurdo , I’ll try to get this fixed!
