
resource access to secrets manager for bitbucket sourceaction

    // CDK v1 imports (added here; the original snippet omitted them)
    import { SecretValue } from '@aws-cdk/core';
    import { BitBucketSourceAction } from '@aws-cdk/aws-codepipeline-actions';

    // SourceAction
    const sourceAction = new BitBucketSourceAction({
        actionName: 'BitbucketSource',
        owner: 'ownername',
        repo: repoName,                 // defined elsewhere in the stack
        output: sourceOutputArtifact,   // defined elsewhere in the stack
        // resolved at deploy time from the Secrets Manager secret 'BBCloudConnection'
        connectionArn: SecretValue.secretsManager('BBCloudConnection').toString(),
    });

This is what the source action looks like. I need it to be able to access connectionArn from SecretValue. It fails due to lack of permissions at the moment. Where should the resource permission be added? I am using the pipeline from https://github.com/awslabs/aws-simple-cicd

Action in deploymentPolicy looks as follows:

        Action:
            - 'cloudformation:*'
            - 'iam:*'
            - 'lambda:*'
            - 'ecs:*'
            - 'ecr:*'
            - 'logs:*'
            - 'ec2:*'
            - 'ssm:*'
            - 'secretsmanager:*'

i.e. I have added 'secretsmanager:*' at the bottom.

As of now, I get the following error if I use secretsManager:

17/49 | 2:14:10 a.m. | CREATE_FAILED | AWS::IAM::Policy | backend--854-pipeline-backend-setup-pipeline/Source/BitbucketSource/CodePipelineActionRole/DefaultPolicy (backendVLNCC854pipelinebackendsetuppipelineSourceBitbucketSourceCodePipelineActionRoleDefaultPolicy41F7C61D) Syntax errors in policy. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 62b6fb1c-77b0-432c-b907-2e409ff7c538; Proxy: null)

The secret was created manually on console and has the following resource permissions:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::1111111111:role/deployment-role" },
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "*"
        }
      ]
    }

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 11 (6 by maintainers)

Top GitHub Comments

skinny85 commented, Dec 4, 2020 (1 reaction)

@s1mrankaur you can create your own Role, and pass it when creating the BitBucketSourceAction. For that Role, you can add any permissions you need.

Hope that helps!

Thanks, Adam
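Following the maintainer's suggestion, the custom Role needs only two grants: read the one secret and use the one connection. The block below is an added example in plain TypeScript (no CDK dependency), not code from the issue or from aws-simple-cicd: it builds that least-privilege policy document and flags the wildcard grants seen in this thread ('secretsmanager:*' in the deploymentPolicy, Resource "*" in the secret policy). The ARNs are constructed placeholders, and the Resource on the deploymentPolicy copy is assumed, since the issue shows only its Action list.

```typescript
// Added example: least-privilege policy for a custom CodePipeline source-action role.
// Plain TypeScript, no CDK; all ARNs are constructed placeholders.

type Effect = 'Allow' | 'Deny';
interface Statement { Effect: Effect; Action: string | string[]; Resource: string | string[]; }
interface PolicyDocument { Version: '2012-10-17'; Statement: Statement[]; }

const toList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// The two grants the BitBucket source action actually needs: read the single secret
// that holds the connection ARN, and use that single CodeStar connection.
function buildSourceActionPolicy(secretArn: string, connectionArn: string): PolicyDocument {
  return {
    Version: '2012-10-17',
    Statement: [
      { Effect: 'Allow', Action: ['secretsmanager:GetSecretValue'], Resource: [secretArn] },
      { Effect: 'Allow', Action: ['codestar-connections:UseConnection'], Resource: [connectionArn] },
    ],
  };
}

// Flags Allow statements that grant wildcard Secrets Manager access: a 'secretsmanager:*'
// (or '*') action, or a Resource of '*' on any secretsmanager action.
function findOverbroadSecretsGrants(doc: PolicyDocument): string[] {
  const findings: string[] = [];
  doc.Statement.forEach((s, i) => {
    if (s.Effect !== 'Allow') return;
    const actions = toList(s.Action).map(a => a.toLowerCase());
    const resources = toList(s.Resource);
    const touchesSecrets = actions.some(a => a === '*' || a.startsWith('secretsmanager:'));
    if (!touchesSecrets) return;
    if (actions.some(a => a === '*' || a === 'secretsmanager:*')) {
      findings.push(`statement ${i}: wildcard action grants every Secrets Manager operation`);
    }
    if (resources.includes('*')) {
      findings.push(`statement ${i}: Resource "*" lets the principal read every secret`);
    }
  });
  return findings;
}

// Constructed copy of the deploymentPolicy statement from the issue; the issue shows only
// the Action list, so Resource '*' is an assumption made for this example.
const DEPLOYMENT_POLICY_FROM_ISSUE: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: ['cloudformation:*', 'iam:*', 'secretsmanager:*'], Resource: '*' }],
};
```

Attach the built document as an inline policy on the Role you pass to the action; the checker is the review to run over deploymentPolicy before widening it to 'secretsmanager:*'.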

github-actions[bot] commented, Jan 20, 2021 (0 reactions)

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
