Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Cross-account pipeline doesn't generate sufficient permissions to deploy lambda in another account

See original GitHub issue

🐛 Bug Report

What is the problem?

When using cross-account CloudFormation actions within pipeline to deploy Lambda the stack execution fails with the following error:

Your access has been denied by S3, please make sure your request credentials have permission to GetObject for ARTIFACTS_BUCKET_PATH

Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException;

This happening because account deployment role doesn’t have permissions to both artifacts bucket and KMS key used by the pipeline. CDK only generates permissions for pipeline action role.

Reproduction Steps

  1. Create a pipeline that deploys lambda into another account
  2. Set lambda source code being from pipeline artifacts bucket
  3. Deploy generated supporting stack to lambda account
  4. Deploy pipeline stack to pipeline account
  5. Execute the pipeline

Result: Pipeline fails due to insufficient permissions to deploy lambda.


  • CDK CLI Version: 1.4.0
  • Module Version: 1.4.0
  • OS: OSX Mojave
  • Language: TypeScript

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Reactions:1
  • Comments:6 (3 by maintainers)

github_iconTop GitHub Comments

skinny85commented, Aug 26, 2019

Yes, that is a separate problem 😃. A workaround can be to set the Project key to be the same as the Pipeline’s Key:

new codebuild.PipelineProject(this, 'Project', {
  // ...
  encryptionKey: myPipeline.artifactBucket.encryptionKey,

That should make it work.

skinny85commented, Aug 26, 2019

Thanks @jpeddicord . The solution here is to add permissions to the deployment Role, not to disable encryption:


(this will include both the Bucket and the Key)

Thanks, Adam

Read more comments on GitHub >

github_iconTop Results From Across the Web

Managing Cross-Account Serverless Microservices
However, the Lambda permissions generated automatically by SAM are not sufficient for cross-account SNS subscription, which means you must ...
Read more >
Deploying an AWS Lambda from a different account
Granting permissions in Account_Bld to access Account_Dst is not sufficient to gain access to another account. This is good, because you ...
Read more >
CodeDeploy blue/green ECS Insufficient permissions
The CodeDeploy role has all the permissions documented to do a blue/green deployment. The only error I get is "Insufficient permissions. The provided...
Read more >
Solving permissions error with AWS CodePipeline
Solving permissions error with AWS CodePipeline. Unable to use Connection: arn:aws:codestar-connections — The provided role does not have sufficient permissions.
Read more >
What's the best way to do cross-account CDK deployment?
I have a codepipeline that checks out cdk code from codecommit repo and deploy the resources to another account by running the `cdk...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found