Cross-account pipeline doesn't generate sufficient permissions to deploy lambda in another account
🐛 Bug Report
What is the problem?
When using cross-account CloudFormation actions within a pipeline to deploy a Lambda, the stack execution fails with the following error:
Your access has been denied by S3, please make sure your request credentials have permission to GetObject for ARTIFACTS_BUCKET_PATH
Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException;
This is happening because the account deployment role doesn't have permissions for both the artifacts bucket and the KMS key used by the pipeline. CDK only generates permissions for the pipeline action role.
Reproduction Steps
- Create a pipeline that deploys a Lambda into another account
- Set the Lambda source code to come from the pipeline artifacts bucket
- Deploy the generated supporting stack to the Lambda account
- Deploy the pipeline stack to the pipeline account
- Execute the pipeline
Result: The pipeline fails due to insufficient permissions to deploy the Lambda.
Environment
- CDK CLI Version: 1.4.0
- Module Version: 1.4.0
- OS: OSX Mojave
- Language: TypeScript
Issue Analytics
- Created 4 years ago
- Reactions:1
- Comments:6 (3 by maintainers)
Yes, that is a separate problem 😃. A workaround can be to set the Project key to be the same as the Pipeline’s Key:
That should make it work.
Thanks @jpeddicord. The solution here is to add permissions to the deployment Role, not to disable encryption:
(this will include both the Bucket and the Key)
Thanks, Adam
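The report and the maintainer's reply both point at the same missing piece: the cross-account CloudFormation deployment role needs read access to the pipeline artifact bucket and decrypt access on the pipeline's KMS key, which CDK 1.4.0 only generated for the action role. The CloudFormation fragment below is an added illustration, not code from the issue or from the CDK project, of what that extra policy looks like in the supporting stack deployed to the Lambda account. The parameter names, the policy name and every ARN are placeholders chosen for the example.

```yaml
# Added example (not from the issue or the CDK project): extra permissions for the
# cross-account CloudFormation deployment role in the Lambda account.
# All parameter values are placeholders supplied at deploy time.
Parameters:
  ArtifactBucketArn:
    Type: String
    Description: ARN of the pipeline artifact bucket (lives in the pipeline account)
  ArtifactKeyArn:
    Type: String
    Description: ARN of the KMS key the pipeline encrypts artifacts with
  DeploymentRoleName:
    Type: String
    Description: Name of the CloudFormation deployment role in this (Lambda) account

Resources:
  DeploymentRoleArtifactAccess:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: PipelineArtifactAccess
      Roles:
        - !Ref DeploymentRoleName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # CloudFormation, acting as the deployment role, fetches the zipped
          # function code from the artifact bucket when it creates the Lambda.
          - Effect: Allow
            Action:
              - s3:GetObject
              - s3:GetObjectVersion
            Resource: !Sub "${ArtifactBucketArn}/*"
          - Effect: Allow
            Action:
              - s3:GetBucketLocation
              - s3:ListBucket
            Resource: !Ref ArtifactBucketArn
          # Pipeline artifacts are SSE-KMS encrypted, so GetObject on them
          # also requires Decrypt on the pipeline's key; without this the
          # call fails with the AccessDenied shown in the report.
          - Effect: Allow
            Action:
              - kms:Decrypt
              - kms:DescribeKey
            Resource: !Ref ArtifactKeyArn
```

Because the bucket and the key live in the pipeline account, this identity policy is only half of a cross-account grant: the artifact bucket's bucket policy and the KMS key's key policy in the pipeline account must also name the deployment role's ARN as an allowed principal for the same actions. Scoping the statements to the one bucket and the one key, as above, keeps the deployment role from becoming a general reader of S3 or KMS in the pipeline account.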