[BUG] CodePipeline fails Build stage due to Permission Error #254

Closed
youngjeong46 opened this issue Jan 3, 2022 · 4 comments
@youngjeong46
Collaborator

Implementing a pipeline to deploy the stack requires permissions that are currently not provided. Once the pipeline starts, the build fails on npx cdk synth and prints the following error message:

(node:167) UnhandledPromiseRejectionWarning: Error: AccessDeniedException: User: arn:aws:sts::181460066119:assumed-role/starter-pipeline-stack-sspeksworkshoppipelinePipel-1AU1L2JPX68KL/AWSCodeBuild-9fc2fe77-47e4-472d-a7a2-038153065704 is not authorized to perform: secretsmanager:GetSecretValue on resource: argo-admin-secret because no identity-based policy allows the secretsmanager:GetSecretValue action

Workaround is to manually add admin privileges to CodeBuild service role, but this should be automatically implemented as part of the framework.

@tsahiduek
Contributor

tsahiduek commented Apr 24, 2022

Hi,
Any progress with this? Although it's a one-time manual operation, it's something that would be nice to automate / have as code.

Does the fix require adding to this method an implementation of codeBuildDefaults, as documented in https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.pipelines-readme.html#customizing-codebuild-projects?

@shapirov103
Collaborator

Agree with the reasoning.
The CodeBuild defaults were not available at the time of writing. We can enable passing additional policies or a role for the CodeBuild part of the pipeline.
It will be added shortly, in the next minor release, 1.1.0, along with GitOps-driven add-on configuration.

@tsahiduek
Contributor

Hi @shapirov103 ,
I was able to "narrow down" the policy needed here (see the multi-env pattern doc).
It works for me with the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "cloudformation:*"
            ],
            "Resource": "*"
        }
    ]
}
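
The two comments above ask how the synth role's permissions can be supplied as code through codeBuildDefaults, and the policy just posted works but grants Resource "*" and cloudformation:*. The following is an added example written for this thread, not code from the eks-blueprints project or from anyone commenting here. It reads the AccessDeniedException lines that CodeBuild prints during npx cdk synth, builds an IAM policy scoped to the resources that were actually denied, and lints a policy document for wildcard grants. Assumptions: the message format quoted in the issue (the account is taken from the STS ARN in that message), region us-east-1, and Secrets Manager's ARN layout arn:aws:secretsmanager:<region>:<account>:secret:<name>-<six random characters>. In CDK Pipelines the resulting statements would be handed to the synth project as iam.PolicyStatement objects via codeBuildDefaults.rolePolicy.

```typescript
// Added example for this thread (not eks-blueprints code): derive a scoped IAM
// policy for the CDK Pipelines synth CodeBuild role from the AccessDeniedException
// lines in the build log, and lint a policy document for wildcard grants.
// Assumptions: the message format quoted in the issue, region 'us-east-1', and
// the Secrets Manager ARN layout
// arn:aws:secretsmanager:<region>:<account>:secret:<name>-<6 random chars>.

interface Denial {
  principal: string;
  account: string; // taken from the STS ARN in the message
  action: string;
  resource: string;
}

interface Statement {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: '2012-10-17';
  Statement: Statement[];
}

// "User: <arn> is not authorized to perform: <service:Action> on resource: <resource> because ..."
const ACCESS_DENIED_RE =
  /User: (arn:aws:(?:sts|iam)::(\d{12}):\S+) is not authorized to perform: (\S+) on resource: (\S+)/;

// Constructed sample log: line 2 is the message quoted in this issue, line 3 is a
// made-up companion denial for DescribeSecret, line 1 is filler that must be skipped.
const SAMPLE_BUILD_LOG = [
  'npx cdk synth',
  '(node:167) UnhandledPromiseRejectionWarning: Error: AccessDeniedException: User: arn:aws:sts::181460066119:assumed-role/starter-pipeline-stack-sspeksworkshoppipelinePipel-1AU1L2JPX68KL/AWSCodeBuild-9fc2fe77-47e4-472d-a7a2-038153065704 is not authorized to perform: secretsmanager:GetSecretValue on resource: argo-admin-secret because no identity-based policy allows the secretsmanager:GetSecretValue action',
  'Error: AccessDeniedException: User: arn:aws:sts::181460066119:assumed-role/starter-pipeline-stack-sspeksworkshoppipelinePipel-1AU1L2JPX68KL/AWSCodeBuild-9fc2fe77-47e4-472d-a7a2-038153065704 is not authorized to perform: secretsmanager:DescribeSecret on resource: argo-admin-secret because no identity-based policy allows the secretsmanager:DescribeSecret action',
].join('\n');

// The policy posted in this thread, reproduced as data so the lint can run on it.
const POSTED_POLICY: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    {
      Sid: 'VisualEditor0',
      Effect: 'Allow',
      Action: ['sts:AssumeRole', 'secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret', 'cloudformation:*'],
      Resource: '*',
    },
  ],
};

function parseDenials(log: string): Denial[] {
  const denials: Denial[] = [];
  for (const line of log.split('\n')) {
    const m = ACCESS_DENIED_RE.exec(line);
    if (m) denials.push({ principal: m[1], account: m[2], action: m[3], resource: m[4] });
  }
  return denials;
}

// The message names the secret, not its ARN. Secrets Manager appends six random
// characters to the ARN, so scope by name with IAM's '?' wildcard (exactly one
// character each) instead of widening the resource to '*'.
function toResourceArn(d: Denial, region: string): string {
  if (d.resource.indexOf('arn:') === 0) return d.resource;
  const service = d.action.split(':')[0];
  if (service === 'secretsmanager') {
    return 'arn:aws:secretsmanager:' + region + ':' + d.account + ':secret:' + d.resource + '-??????';
  }
  return d.resource; // unknown service: leave the name for a human to scope
}

function pushUnique(list: string[], value: string): void {
  if (list.indexOf(value) === -1) list.push(value);
}

// One Allow statement per service, listing only the denied actions and resources.
function buildPolicy(denials: Denial[], region: string): PolicyDocument {
  const byService: { [service: string]: { actions: string[]; resources: string[] } } = {};
  for (const d of denials) {
    const service = d.action.split(':')[0];
    const entry = byService[service] || (byService[service] = { actions: [], resources: [] });
    pushUnique(entry.actions, d.action);
    pushUnique(entry.resources, toResourceArn(d, region));
  }
  const statements: Statement[] = [];
  Object.keys(byService).forEach((service) => {
    const entry = byService[service];
    statements.push({
      Sid: 'Synth' + service.charAt(0).toUpperCase() + service.slice(1),
      Effect: 'Allow',
      Action: entry.actions.slice().sort(),
      Resource: entry.resources.slice().sort(),
    });
  });
  return { Version: '2012-10-17', Statement: statements };
}

// Sids (or indexes) of Allow statements that apply to every resource or grant a
// wildcard action; the posted policy trips both checks.
function broadStatements(policy: PolicyDocument): string[] {
  const asList = (v: string | string[]) => (Array.isArray(v) ? v : [v]);
  const flagged: string[] = [];
  policy.Statement.forEach((s, i) => {
    if (s.Effect !== 'Allow') return;
    const anyResource = asList(s.Resource).indexOf('*') !== -1;
    const wildcardAction = asList(s.Action).some((a) => a.indexOf('*') !== -1);
    if (anyResource || wildcardAction) flagged.push(s.Sid ?? '#' + i);
  });
  return flagged;
}

// Stand-alone run: print the scoped policy and the lint result for both documents.
const scoped = buildPolicy(parseDenials(SAMPLE_BUILD_LOG), 'us-east-1');
console.log(JSON.stringify(scoped, null, 2));
console.log('broad statements in posted policy:', broadStatements(POSTED_POLICY));
console.log('broad statements in scoped policy:', broadStatements(scoped));
```

The loop in practice is iterative: run the pipeline, feed the new denials into buildPolicy, attach the statements through codeBuildDefaults.rolePolicy, and repeat until synth passes. Denials for services other than Secrets Manager (the sts:AssumeRole and CloudFormation calls in the posted policy) are emitted with the resource name untouched so a reviewer scopes them to the bootstrap role and stack ARNs by hand rather than the tool silently falling back to "*".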

@shapirov103
Collaborator

Verified (@tsahiduek), closing the issue. Happy to re-open if there is anything pending.

@shapirov103 shapirov103 moved this from In Progress to Done in Roadmap Feb 12, 2024

3 participants