CodeCommitSourceAction tries to add a policy to an imported role
In an attempt to build a cross account codepipeline, I have used CodeCommitSourceAction as follows:
```typescript
import { Role } from '@aws-cdk/aws-iam';
import { CodeCommitSourceAction } from '@aws-cdk/aws-codepipeline-actions';

// Tools account
const actionProps: any = {};
// Since `CodeCommitSourceAction` doesn't accept a role (in TypeScript) even though the
// abstract `Action` does, have to pass the role via an object of `any` type.
actionProps.role = Role.fromRoleArn(this, 'code-commit-role', codeCommitRoleArn);
const sourceAction = new CodeCommitSourceAction({
  actionName: 'CodeCommit',
  repository: codeCommitRepository,
  output: sourceOutput,
  ...actionProps
});
```
When using Role.fromRoleArn, I assume that the role exists, potentially in a different account (it is in a different Dev account). However, CodeCommitSourceAction tries to create a policy for it according to its source code https://github.com/awslabs/aws-cdk/blob/master/packages/%40aws-cdk/aws-codepipeline-actions/lib/codecommit/source-action.ts#L95-L105, which results in the following resource in the template:
```yaml
codecommitrolePolicyC2DD4708:
  Type: AWS::IAM::Policy
  Properties:
    PolicyDocument:
      Statement:
        - Action:
            - codecommit:GetBranch
            - codecommit:GetCommit
            - codecommit:UploadArchive
            - codecommit:GetUploadArchiveStatus
            - codecommit:CancelUploadArchive
          Effect: Allow
          Resource: arn:aws:codecommit:us-west-2:123456789012:repository
      Version: "2012-10-17"
    PolicyName: codecommitrolePolicyC2DD4708
    Roles:
      - ToolsAcctCodePipelineCodeCommitRole
  Metadata:
    aws:cdk:path: ToolsCodePipelineStack/code-commit-role/Policy/Resource
```
This fails because ToolsAcctCodePipelineCodeCommitRole, obviously, doesn't exist in this Tools account. It is in the Dev account.

I think CodeCommitSourceAction should be able to distinguish whether the role is imported or not, and add a policy only if the role is auto-created by the same account.
Issue Analytics
- Created 4 years ago
- Reactions: 3
- Comments: 13 (5 by maintainers)
Top GitHub Comments
@TamasBartosMentor when importing the Roles, you should pass the `mutable` parameter as `false` to the last argument of the call to `fromRoleArn`: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html#static-from-wbr-role-wbr-arnscope-id-rolearn-options . For example, in TypeScript:

Facing the same issue when importing an ECS execution role. Although the role has the permissions, the template produced by cdk attempts to attach a policy with all the ECS permissions (as well as log stream permissions, because I use them elsewhere on the template). If you're importing a role, you should have the option of not adding new permissions to said role. Highly applicable to accounts that don't have permissions to create/modify roles.
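The `mutable: false` option the maintainer points to above keeps CDK from rendering an `AWS::IAM::Policy` for the imported role. As an added example (not code from this issue or from the CDK project), the check below scans a synthesized template for policies attached to roles the stack did not itself create, which is exactly the resource that breaks the cross-account deployment; it assumes the template has been loaded from the JSON that `cdk synth` writes, and the sample template is constructed here from the resource in the issue plus a locally created role/policy pair.

```typescript
type CfnTemplate = { Resources: { [logicalId: string]: { Type: string; Properties?: any } } };
type Finding = { policyLogicalId: string; roleName: string; actions: string[] };

// Flags AWS::IAM::Policy resources whose Roles entry is a literal role name
// rather than a Ref to an AWS::IAM::Role created in the same template.
function findPoliciesOnExternalRoles(t: CfnTemplate): Finding[] {
  const localRoles: { [id: string]: boolean } = {};
  for (const id in t.Resources) {
    if (t.Resources[id].Type === 'AWS::IAM::Role') localRoles[id] = true;
  }
  const findings: Finding[] = [];
  for (const id in t.Resources) {
    const r = t.Resources[id];
    if (r.Type !== 'AWS::IAM::Policy') continue;
    for (const role of (r.Properties && r.Properties.Roles) || []) {
      // { Ref: <local role> } is fine; a bare string is a role CDK did not create here.
      if (typeof role === 'object' && role !== null && localRoles[role.Ref]) continue;
      if (typeof role !== 'string') continue;
      const actions: string[] = [];
      for (const s of r.Properties.PolicyDocument.Statement || []) {
        actions.push(...(Array.isArray(s.Action) ? s.Action : [s.Action]));
      }
      findings.push({ policyLogicalId: id, roleName: role, actions });
    }
  }
  return findings;
}

// Constructed sample: the policy from the issue (imported role, literal name)
// next to a role/policy pair the stack creates itself, which must not be flagged.
const sampleTemplate: CfnTemplate = {
  Resources: {
    codecommitrolePolicyC2DD4708: { Type: 'AWS::IAM::Policy', Properties: {
      PolicyDocument: { Version: '2012-10-17', Statement: [{ Effect: 'Allow',
        Action: ['codecommit:GetBranch', 'codecommit:GetCommit', 'codecommit:UploadArchive',
                 'codecommit:GetUploadArchiveStatus', 'codecommit:CancelUploadArchive'],
        Resource: 'arn:aws:codecommit:us-west-2:123456789012:repository' }] },
      PolicyName: 'codecommitrolePolicyC2DD4708', Roles: ['ToolsAcctCodePipelineCodeCommitRole'],
    } },
    PipelineRole: { Type: 'AWS::IAM::Role', Properties: {} },
    PipelineRoleDefaultPolicy: { Type: 'AWS::IAM::Policy', Properties: {
      PolicyDocument: { Version: '2012-10-17', Statement: [{ Effect: 'Allow', Action: 's3:GetObject', Resource: '*' }] },
      PolicyName: 'PipelineRoleDefaultPolicy', Roles: [{ Ref: 'PipelineRole' }],
    } },
  },
};
```

Running the check over the real `cdk.out` template after switching the import to `Role.fromRoleArn(this, 'code-commit-role', codeCommitRoleArn, { mutable: false })` should return no findings.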