(codepipeline): AccessDeniedException when calling the PutJobSuccessResult
This is likely to be a guidance question, but I'm not sure I'm not hitting some CodePipeline limitation. I have a scenario like this:
- I have a devops central IAM account that I have the pipelines
- in that pipeline I am invoking a Lambda that uses a PipelineRole in another (cross-account) target IAM account
- that Lambda executes some operations (e.g. CloudFront)
Those three things work fine, but… the Lambda must return a result to the initial IAM account to the CodePipeline and that is what doesn’t work for me.
I tried assigning even full permissions for `codepipeline:*` on `*` resources on both sides, but I am still getting the error:

```
[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the PutJobSuccessResult operation: User: arn:aws:sts::1234:assumed-role/PipelineRole/1624294113598 is not authorized to perform: codepipeline:PutJobSuccessResult
```
In the Python Lambda, I am executing the CloudFront operations with the assumed role passed from the CodePipeline `role:` parameter in a standard way:

```python
cloudfront_client = boto3.client('cloudfront')
```
Then, for returning the result, I use the session token like this:

```python
import botocore.client
from boto3.session import Session


def codepipeline_client_from_job(job_data):
    # Build a session from the temporary credentials CodePipeline passes in the job data
    key_id = job_data['artifactCredentials']['accessKeyId']
    key_secret = job_data['artifactCredentials']['secretAccessKey']
    session_token = job_data['artifactCredentials']['sessionToken']
    session = Session(aws_access_key_id=key_id,
                      aws_secret_access_key=key_secret,
                      aws_session_token=session_token)
    # signature_version='s3v4' only affects S3 signing; it is harmless here
    return session.client('codepipeline', config=botocore.client.Config(signature_version='s3v4'))
```
Am I missing something or maybe the artifactCredentials do not allow it? If that’s the case, how can I pass the result of Lambda from the target account to the original account? Thanks a lot in advance for support, I already spent 2 days trying to figure this out and I’m banging the wall it seems…
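Editor's note with an added example (this code is not from the issue author, the CDK project, or AWS). The AWS job-data documentation describes `artifactCredentials` as temporary STS credentials for reading and writing the pipeline's artifacts in its S3 bucket; the handler below therefore uses them only for S3 and reports the job outcome with a different identity. It assumes, as a hypothetical setup not established on this page, that the Lambda runs in the target account and that a role in the pipeline account (`ReportJobResultRole`, a made-up name) trusts the Lambda's execution role and allows `codepipeline:PutJobSuccessResult` and `codepipeline:PutJobFailureResult`. The AWS clients are injected so the decision logic runs without boto3 or network access; the sample event is constructed.

```python
# Added example (editor's own, not from the issue or from AWS).
# Names marked "assumption" do not appear in the original post.
import json

# assumption: role in the pipeline (devops) account that allows
# codepipeline:PutJob{Success,Failure}Result and trusts the Lambda's execution role.
RESULT_ROLE_ARN = "arn:aws:iam::111111111111:role/ReportJobResultRole"


def artifact_session_kwargs(job_data):
    """Session kwargs from the credentials CodePipeline places in the job data.

    These are documented for access to the artifact S3 bucket; use them for
    input/output artifacts only, not for the CodePipeline job-result API.
    """
    creds = job_data["artifactCredentials"]
    return {
        "aws_access_key_id": creds["accessKeyId"],
        "aws_secret_access_key": creds["secretAccessKey"],
        "aws_session_token": creds["sessionToken"],
    }


def build_result_call(job_id, succeeded, error=None):
    """Return (boto3 CodePipeline method name, kwargs) for the job outcome."""
    if succeeded:
        return "put_job_success_result", {"jobId": job_id}
    return "put_job_failure_result", {
        "jobId": job_id,
        # failureDetails.message is limited to 5000 characters by the API
        "failureDetails": {"type": "JobFailed", "message": str(error)[:5000]},
    }


def report_result(codepipeline_client, job_id, succeeded, error=None):
    """Report the outcome through the given client; returns the method used."""
    method, kwargs = build_result_call(job_id, succeeded, error)
    getattr(codepipeline_client, method)(**kwargs)
    return method


def pipeline_account_codepipeline_client(sts_client, session_factory):
    """Assume the pipeline-account role with the Lambda's own execution-role
    credentials (the sts_client's identity, not artifactCredentials) and
    build a CodePipeline client from the returned session credentials.
    session_factory is boto3.session.Session in production."""
    resp = sts_client.assume_role(
        RoleArn=RESULT_ROLE_ARN, RoleSessionName="codepipeline-job-result"
    )
    c = resp["Credentials"]
    session = session_factory(
        aws_access_key_id=c["AccessKeyId"],
        aws_secret_access_key=c["SecretAccessKey"],
        aws_session_token=c["SessionToken"],
    )
    return session.client("codepipeline")


def run_job(event, do_work, sts_client, session_factory):
    """Handler core with AWS dependencies injected.
    do_work(job_data, artifact_kwargs) does the deployment step and raises on failure."""
    job = event["CodePipeline.job"]
    job_id, job_data = job["id"], job["data"]
    reporter = pipeline_account_codepipeline_client(sts_client, session_factory)
    try:
        do_work(job_data, artifact_session_kwargs(job_data))
    except Exception as exc:  # always report, otherwise the action waits until timeout
        return report_result(reporter, job_id, False, exc)
    return report_result(reporter, job_id, True)


def lambda_handler(event, context):
    """Real entry point. boto3 is imported here so the logic above is
    importable without it installed."""
    import boto3
    from boto3.session import Session

    def do_work(job_data, artifact_kwargs):
        # Artifact credentials: correct for the artifact bucket only.
        s3 = Session(**artifact_kwargs).client("s3")
        loc = job_data["inputArtifacts"][0]["location"]["s3Location"]
        s3.head_object(Bucket=loc["bucketName"], Key=loc["objectKey"])
        # Target-account work runs with the Lambda execution role (default chain).
        # assumption: UserParameters carries {"distributionId": "..."} as JSON.
        cfg = job_data["actionConfiguration"]["configuration"]
        params = json.loads(cfg.get("UserParameters") or "{}")
        boto3.client("cloudfront").create_invalidation(
            DistributionId=params["distributionId"],
            InvalidationBatch={"Paths": {"Quantity": 1, "Items": ["/*"]},
                               "CallerReference": event["CodePipeline.job"]["id"]},
        )

    return run_job(event, do_work, boto3.client("sts"), Session)
```

The split is the security point: three identities are in play (artifact credentials for the bucket, the execution role for the target-account work, and an explicitly assumed pipeline-account role for the result call), and each one gets only the permissions its step needs. If the `AssumeRole` is denied, the error names the execution role rather than `PipelineRole`, which is the quickest way to tell which of the three identities a policy is actually evaluating.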
Created 2 years ago. Comments: 12 (5 by maintainers).
Case reported: 8502989041.
I believe you are looking for the `bucketRegionalDomainName` property.