
[CodeBuild] CodePipeline + CodeBuild + SecretsManager/SSM seems to have permission issues


Trying to add a SecretsManager secret (the same applies to an SSM Parameter Store parameter) to CodeBuild runs into an AccessDeniedException when trying to run the CodePipeline. The weird thing is that the env variable is correctly visible and set in Environment Variables in CodeBuild but still can’t be accessed by the CodeBuild project. I have also checked that grantRead actually creates the required policies to access the secret but alas, it still keeps complaining that the CodeBuild role can’t access it.

Reproduction Steps

Stack CodeBuild configuration:

import { Role, ServicePrincipal } from '@aws-cdk/aws-iam';
import { Secret } from '@aws-cdk/aws-secretsmanager';
import {
  BuildEnvironmentVariableType, ComputeType, LinuxBuildImage, PipelineProject,
} from '@aws-cdk/aws-codebuild';

// Dedicated service role for the CodeBuild project
const roleCodeBuildCdk = new Role(this, 'CodeBuildRole', {
  assumedBy: new ServicePrincipal('codebuild.amazonaws.com'),
});

const secretGithubAccessToken = new Secret(this, 'GithubAccessToken', {
  secretName: 'GithubAccessToken',
});
// grantRead adds secretsmanager:GetSecretValue / DescribeSecret on this secret to the role
secretGithubAccessToken.grantRead(roleCodeBuildCdk);

// RunNpmCommand is a BuildSpec defined elsewhere in the stack (not shown in the issue)
const projectNpmCommand = new PipelineProject(this, 'CdkBuildStage', {
  buildSpec: RunNpmCommand,
  environment: {
    buildImage: LinuxBuildImage.STANDARD_2_0,
    computeType: ComputeType.SMALL,
    environmentVariables: {
      NODE_AUTH_TOKEN: {
        // the variable is typed SECRETS_MANAGER, so CodeBuild itself resolves it at build time
        value: secretGithubAccessToken.secretValue,
        type: BuildEnvironmentVariableType.SECRETS_MANAGER,
      },
    },
  },
  role: roleCodeBuildCdk,
});

Error Log

[Container] 2020/06/26 12:24:35 Phase context status code: Secrets Manager Error Message: AccessDeniedException: User: arn:aws:sts::12...cd2 is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:eu-west-1:12...K11

Environment

  • Framework Version: v1.45.0
  • Language (Version): TypeScript v3.9.5

This is a 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created: 3 years ago
  • Reactions: 2
  • Comments: 6 (1 by maintainers)

Top GitHub Comments

zgajo commented, Sep 24, 2020 (4 reactions)

I had the same problem and solved it by adding a policy to CodeBuild

import * as codebuild from '@aws-cdk/aws-codebuild';
import * as iam from '@aws-cdk/aws-iam';
import * as secretsmanager from '@aws-cdk/aws-secretsmanager';

// scope (a Construct) and branch (a string) are parameters of the enclosing function
const secret = new secretsmanager.Secret(scope, `Api ${branch} Secret`, {
  secretName: `secret-secrets`,
});

const cdk_build = new codebuild.PipelineProject(scope, `Build Api Website ${branch}`, {
  buildSpec: codebuild.BuildSpec.fromSourceFilename('./buildspec.yml'),
  environment: {
    buildImage: codebuild.LinuxBuildImage.STANDARD_3_0,
    environmentVariables: {
      // plain-text ARN: the buildspec fetches the secret itself using the role below
      SECRET_MANAGER_ARN: { value: secret.secretArn },
    },
  },
});

// add policy to allow fetching from secrets manager
cdk_build.addToRolePolicy(
  new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: [
      'secretsmanager:GetRandomPassword',
      'secretsmanager:GetResourcePolicy',
      'secretsmanager:GetSecretValue',
      'secretsmanager:DescribeSecret',
      'secretsmanager:ListSecretVersionIds',
    ],
    resources: [secret.secretArn],
  })
);

jaredjj3 commented, Jul 6, 2021 (0 reactions)

> I had the same problem and solved it by adding a policy to CodeBuild
>
>   const secret = new secretsmanager.Secret(scope, `Api ${branch} Secret`, {
>     secretName: `secret-secrets`,
>   });
>
>   const cdk_build = new codebuild.PipelineProject(scope, `Build Api Website ${branch}`, {
>     buildSpec: codebuild.BuildSpec.fromSourceFilename('./buildspec.yml'),
>     environment: {
>       buildImage: codebuild.LinuxBuildImage.STANDARD_3_0,
>       environmentVariables: {
>         SECRET_MANAGER_ARN: { value: secret.secretArn },
>       },
>     },
>   });
>
>   // add policy to allow fetching from secrets manager
>   cdk_build.addToRolePolicy(
>     new iam.PolicyStatement({
>       effect: iam.Effect.ALLOW,
>       actions: [
>         'secretsmanager:GetRandomPassword',
>         'secretsmanager:GetResourcePolicy',
>         'secretsmanager:GetSecretValue',
>         'secretsmanager:DescribeSecret',
>         'secretsmanager:ListSecretVersionIds',
>       ],
>       resources: [secret.secretArn],
>     })
>   );

This only works because SECRET_MANAGER_ARN is implicitly a PLAINTEXT variable, which is different from OP, which is explicitly a SECRETS_MANAGER variable.

For the value of a SECRETS_MANAGER variable, use the build-spec secrets manager pattern: https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html#build-spec.env.secrets-manager
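The two patterns in this thread differ in who fetches the secret: a PLAINTEXT ARN plus a role policy lets the buildspec fetch it, while a SECRETS_MANAGER-typed variable is resolved by CodeBuild itself and therefore needs the secret name or ARN as its value and secretsmanager:GetSecretValue on the service role. As an added example, not code from the issue thread or from the CDK project, this plain TypeScript helper derives the least-privilege statements for a project's variable list and rejects a CloudFormation dynamic reference (what CDK's secret.secretValue renders to) as a SECRETS_MANAGER value; the region and account are constructed placeholders.

```typescript
// Added example: derive the IAM statements a CodeBuild service role needs for the
// SECRETS_MANAGER / PARAMETER_STORE variables a project declares, and catch values
// that cannot work with those types. No CDK dependency; pure TypeScript.
type VarType = "PLAINTEXT" | "SECRETS_MANAGER" | "PARAMETER_STORE";
interface BuildEnvVar { name: string; value: string; type: VarType }
interface Statement { Effect: "Allow"; Action: string[]; Resource: string[] }

// CodeBuild accepts "secret-id[:json-key[:version-stage[:version-id]]]", where
// secret-id is a secret name or a full ARN. Only secret-id matters for the IAM resource.
function secretIdOf(value: string): string {
  const arn = value.match(/^(arn:aws[a-z-]*:secretsmanager:[^:]+:\d{12}:secret:[^:]+)/);
  return arn ? arn[1] : value.split(":")[0];
}

function requiredStatements(vars: BuildEnvVar[], region: string, account: string): Statement[] {
  const out: Statement[] = [];
  for (const v of vars) {
    if (v.type === "PLAINTEXT") continue; // CodeBuild performs no lookup for these
    // A CloudFormation dynamic reference is resolved to the secret *contents* before
    // CodeBuild sees the template, so CodeBuild would then look up a secret whose name
    // is the secret string itself. Reject it at synth time instead of failing the build.
    if (v.value.startsWith("{{resolve:")) {
      throw new Error(`${v.name}: pass the secret name or ARN, not a resolved secret value`);
    }
    if (v.type === "SECRETS_MANAGER") {
      const id = secretIdOf(v.value);
      // A name-based id maps to an ARN with a random 6-character suffix; '?' matches one char.
      const resource = id.startsWith("arn:")
        ? id
        : `arn:aws:secretsmanager:${region}:${account}:secret:${id}-??????`;
      out.push({ Effect: "Allow", Action: ["secretsmanager:GetSecretValue"], Resource: [resource] });
    } else {
      const resource = v.value.startsWith("arn:")
        ? v.value
        : `arn:aws:ssm:${region}:${account}:parameter/${v.value.replace(/^\//, "")}`;
      out.push({ Effect: "Allow", Action: ["ssm:GetParameters"], Resource: [resource] });
    }
  }
  return out;
}
```

Run the derived statements through the project's role (for example via addToRolePolicy) and the build resolves the variable without needing the broad action list from the comment above.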
