[codepipeline] Issues with default created roles for actions
Reproduction Steps
I have set a role to a pipeline with multiple actions:
```typescript
import * as codepipeline from '@aws-cdk/aws-codepipeline';
import * as codepipeline_actions from '@aws-cdk/aws-codepipeline-actions';

// IamRoleCodepipeline and SnsTopicCodepipeline are created earlier in the stack.
const Codepipeline = new codepipeline.Pipeline(this, 'Codepipeline', {
  role: IamRoleCodepipeline,
  stages: [
    {
      stageName: 'DEV',
      actions: [
        new codepipeline_actions.ManualApprovalAction({
          actionName: 'Deploy-Validation',
          notificationTopic: SnsTopicCodepipeline,
          runOrder: 1,
        }),
        // ... remaining actions omitted in the issue
      ],
    },
  ],
});
```
In that case, CDK creates additional roles for each action (useless because the permissions are in the “main” role defined at the beginning). Ok, it’s interesting to give the selected permissions to each action, a best practice.
But in that case I have an error at this CodePipeline stage when executing it:
The provided role cannot be assumed: 'Access denied when attempting to assume the role 'arn:aws:iam::123456789:role/pipeline-ecs-CodepipelineDEVD-1P2J04U72KI7H''
And indeed, in the Trusted entities of the “default role” created on our behalf, I have the Account ID where CodePipeline is deployed, and no access for the CodePipeline service!
So, to prevent that, I have to set the prop `role: IamRoleCodepipeline` for each action to get it to work.
What did you expect to happen?
If we set/create and attach a role to CodePipeline, there is no need to create “default” roles on our behalf. That role must have the priority (it’s the case when using/creating via CloudFormation).
Maybe add a prop (boolean) to create a default role on each action if wanted?
What actually happened?
Actually, I have plenty of roles created by default for each action, useless in my case. I just want to set 1 role for CodePipeline and set some others when, for example, I need to set a Role created on another account to STS on it.
Environment
- **CLI Version:** CDK 1.60.0
- **Framework Version:** 6.14.8
- **Node.js Version:** v12.15.0
- **OS:** Linux
- **Language (Version):** TypeScript
Other
This is a 🐛 Bug Report
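Two things a reviewer of the synthesized stack would want to verify from the description above: how many IAM roles beyond the pipeline's own role the actions reference, and which principals each of those roles trusts (the issue reports an action role that trusts only the account, not the CodePipeline service). The following TypeScript is an added example, not code from the issue or from the CDK project. It walks a CloudFormation template in the shape `cdk synth` writes to `cdk.out/<stack>.template.json` and reports both; the sample template, its logical ids and the account ID taken from the error message above are constructed assumptions.

```typescript
// Added example, not code from the issue or from the CDK project.
// Assumes the template shape `cdk synth` emits: AWS::CodePipeline::Pipeline with
// RoleArn / Stages[].Actions[].RoleArn as Fn::GetAtt, and AWS::IAM::Role with an
// AssumeRolePolicyDocument trust policy.

type Json = any;

interface ActionRoleReport {
  action: string;              // "<pipeline logical id>/<stage>/<action>"
  roleLogicalId: string | null;
  usesPipelineRole: boolean;   // true when the action reuses the pipeline's own role
  trustedPrincipals: string[]; // who may sts:AssumeRole into the action's role
}

// Resolve { "Fn::GetAtt": ["LogicalId", "Arn"] } or { "Ref": "LogicalId" } to the logical id.
function refTarget(value: Json): string | null {
  if (!value || typeof value !== 'object') return null;
  const getAtt = value['Fn::GetAtt'];
  if (Array.isArray(getAtt) && typeof getAtt[0] === 'string') return getAtt[0];
  if (typeof value.Ref === 'string') return value.Ref;
  return null;
}

// Collect the Service and AWS principals allowed by a role's trust policy.
// Intrinsic principals (Fn::Join over AWS::AccountId etc.) are kept as JSON text.
function trustedPrincipals(role: Json): string[] {
  const out: string[] = [];
  const statements: Json[] = role.Properties?.AssumeRolePolicyDocument?.Statement ?? [];
  for (const stmt of statements) {
    if (stmt.Effect !== 'Allow' || !stmt.Principal) continue;
    for (const kind of ['Service', 'AWS']) {
      const principal = stmt.Principal[kind];
      if (principal === undefined) continue;
      const items: Json[] = Array.isArray(principal) ? principal : [principal];
      for (const item of items) {
        out.push(typeof item === 'string' ? item : JSON.stringify(item));
      }
    }
  }
  return out;
}

// One row per action of every pipeline in the template.
function auditActionRoles(template: Json): ActionRoleReport[] {
  const resources: Json = template.Resources ?? {};
  const reports: ActionRoleReport[] = [];
  for (const id of Object.keys(resources)) {
    const res = resources[id];
    if (res.Type !== 'AWS::CodePipeline::Pipeline') continue;
    const pipelineRole = refTarget(res.Properties?.RoleArn);
    for (const stage of res.Properties?.Stages ?? []) {
      for (const action of stage.Actions ?? []) {
        const roleId = refTarget(action.RoleArn);
        const roleRes = roleId ? resources[roleId] : undefined;
        reports.push({
          action: `${id}/${stage.Name}/${action.Name}`,
          roleLogicalId: roleId,
          usesPipelineRole: roleId !== null && roleId === pipelineRole,
          trustedPrincipals: roleRes ? trustedPrincipals(roleRes) : [],
        });
      }
    }
  }
  return reports;
}

// Distinct roles referenced by actions that are not the pipeline's own role:
// the per-action roles the issue wants to avoid.
function extraActionRoleCount(template: Json): number {
  const extra = new Set<string>();
  for (const row of auditActionRoles(template)) {
    if (row.roleLogicalId && !row.usesPipelineRole) extra.add(row.roleLogicalId);
  }
  return extra.size;
}

// Constructed sample (logical ids are assumptions): the pipeline role trusts the
// CodePipeline service, the generated approval-action role trusts only the account
// root, and the second action reuses the pipeline role.
const SAMPLE_TEMPLATE: Json = {
  Resources: {
    PipelineRole: {
      Type: 'AWS::IAM::Role',
      Properties: { AssumeRolePolicyDocument: { Statement: [
        { Effect: 'Allow', Action: 'sts:AssumeRole', Principal: { Service: 'codepipeline.amazonaws.com' } },
      ] } },
    },
    DevApprovalRole: {
      Type: 'AWS::IAM::Role',
      Properties: { AssumeRolePolicyDocument: { Statement: [
        { Effect: 'Allow', Action: 'sts:AssumeRole', Principal: { AWS: 'arn:aws:iam::123456789:root' } },
      ] } },
    },
    Pipeline: {
      Type: 'AWS::CodePipeline::Pipeline',
      Properties: {
        RoleArn: { 'Fn::GetAtt': ['PipelineRole', 'Arn'] },
        Stages: [{ Name: 'DEV', Actions: [
          { Name: 'Deploy-Validation', RoleArn: { 'Fn::GetAtt': ['DevApprovalRole', 'Arn'] } },
          { Name: 'Deploy', RoleArn: { 'Fn::GetAtt': ['PipelineRole', 'Arn'] } },
        ] }],
      },
    },
  },
};

for (const row of auditActionRoles(SAMPLE_TEMPLATE)) {
  console.log(`${row.action}: role=${row.roleLogicalId} pipelineRole=${row.usesPipelineRole} trusts=${row.trustedPrincipals.join(', ')}`);
}
console.log(`extra action roles: ${extraActionRoleCount(SAMPLE_TEMPLATE)}`);
```

Pointed at a real `cdk.out/<stack>.template.json`, a row whose role is not the pipeline role and whose trust list contains only an account principal is one of the generated per-action roles the issue describes; `extraActionRoleCount` is the per-pipeline number the later comment is counting across 150 pipelines, and after adding `role:` to every action it should drop to zero for that pipeline.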
Issue Analytics
- Created 3 years ago
- Reactions: 3
- Comments: 11 (5 by maintainers)
Top GitHub Comments
Any updates on this issue? In our case we have around 150 pipelines right now and they created like 1500 IAM roles (around 10 per pipeline), which is quite a big amount. Maybe we have some workaround to reduce this number?
Just to clarify: if you’re using that Role just as the Role for a CodeBuild Project Action, you do not need to trust the CodeBuild principal in that Role.
Only the Project’s Role needs to do that.