
Cross-account pipeline doesn't generate sufficient permissions to deploy lambda in another account


🐛 Bug Report

What is the problem?

When using cross-account CloudFormation actions within a pipeline to deploy Lambda, the stack execution fails with the following error:

Your access has been denied by S3, please make sure your request credentials have permission to GetObject for ARTIFACTS_BUCKET_PATH

Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException;

This is happening because the account deployment role doesn’t have permissions for both the artifacts bucket and the KMS key used by the pipeline. CDK only generates permissions for the pipeline action role.

Reproduction Steps

  1. Create a pipeline that deploys lambda into another account
  2. Set the Lambda source code to come from the pipeline artifacts bucket
  3. Deploy generated supporting stack to lambda account
  4. Deploy pipeline stack to pipeline account
  5. Execute the pipeline

Result: Pipeline fails due to insufficient permissions to deploy lambda.

Environment

  • CDK CLI Version: 1.4.0
  • Module Version: 1.4.0
  • OS: OSX Mojave
  • Language: TypeScript


Top GitHub Comments

5 reactions
skinny85 commented, Aug 26, 2019

Yes, that is a separate problem 😃. A workaround can be to set the Project key to be the same as the Pipeline’s Key:

import * as codebuild from '@aws-cdk/aws-codebuild';

// Reuse the pipeline's artifact-bucket KMS key for the CodeBuild project,
// so both the pipeline and the project can decrypt the same artifacts.
new codebuild.PipelineProject(this, 'Project', {
  // ...
  encryptionKey: myPipeline.artifactBucket.encryptionKey,
});

That should make it work.

2 reactions
skinny85 commented, Aug 26, 2019

Thanks @jpeddicord . The solution here is to add permissions to the deployment Role, not to disable encryption:

myPipeline.artifactBucket.grantRead(myCloudFormationAction.deploymentRole);

(this will include both the Bucket and the Key)

Thanks, Adam
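To make the fix above concrete, here is an added TypeScript example (not code from the issue thread or the aws-cdk project) that models the policy statements grantRead is expected to attach to the deployment role for an encrypted artifacts bucket, and checks an existing policy for the two gaps the issue describes: object read on the bucket and decrypt on its KMS key. The action lists and ARNs are assumptions constructed for illustration; check the generated CloudFormation template of your own stack for the real values.

```typescript
// Added example: models the bucket + KMS permissions a cross-account
// deployment role needs to fetch a Lambda artifact, and reports which are missing.
// The action lists mirror what CDK's grantRead is assumed to emit (assumption).

interface Statement {
  Effect: 'Allow' | 'Deny';
  Action: string[];
  Resource: string[];
}

// Statements assumed to result from artifactBucket.grantRead(deploymentRole):
// read on the bucket and its objects, plus decrypt on the bucket's KMS key.
function artifactReadPolicy(bucketArn: string, keyArn: string): Statement[] {
  return [
    { Effect: 'Allow', Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'],
      Resource: [bucketArn, `${bucketArn}/*`] },
    { Effect: 'Allow', Action: ['kms:Decrypt', 'kms:DescribeKey'], Resource: [keyArn] },
  ];
}

// IAM-style wildcard match ("s3:GetObject*", "arn:...:bucket/*"); '*' matches anything.
function matches(pattern: string, value: string): boolean {
  const parts = pattern.split('*').map(p => p.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$').test(value);
}

// True when some Allow statement covers both the action and the resource.
function allows(policy: Statement[], action: string, resource: string): boolean {
  return policy.some(s => s.Effect === 'Allow'
    && s.Action.some(a => matches(a, action))
    && s.Resource.some(r => matches(r, resource)));
}

// Returns the actions still missing for a Lambda artifact fetch; [] means sufficient.
function missingArtifactPermissions(policy: Statement[], bucketArn: string, keyArn: string): string[] {
  const needed: [string, string][] = [
    ['s3:GetObject', `${bucketArn}/artifact.zip`],   // constructed artifact key
    ['kms:Decrypt', keyArn],
  ];
  return needed.filter(([a, r]) => !allows(policy, a, r)).map(([a]) => a);
}

// Constructed sample ARNs (not real accounts).
const bucketArn = 'arn:aws:s3:::example-pipeline-artifacts';
const keyArn = 'arn:aws:kms:us-east-1:111111111111:key/example-key-id';
console.log('no policy ->', missingArtifactPermissions([], bucketArn, keyArn));
console.log('after grantRead ->', missingArtifactPermissions(artifactReadPolicy(bucketArn, keyArn), bucketArn, keyArn));
```

A policy that grants the bucket statement alone still reports kms:Decrypt as missing, which is the 403 the issue describes even though the S3 permission looks correct.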
