Cross-account pipeline doesn't generate sufficient permissions to deploy lambda in another account #3765
Comments
kamarouski
added
bug
skinny85
added
@aws-cdk/aws-codepipeline
|
(Customer hat on -- I don't work on CDK!) Can reproduce. The KMS key on the bucket artifact effectively prevents a CloudFormation pipeline action from starting (it can't even create a change set). Disabling KMS on the bucket and the individual object that's trying to be deployed will allow that to continue, but that's obviously not the right solution. |
|
Thanks @jpeddicord . The solution here is to add permissions to the deployment Role, not to disable encryption: myPipeline.artifactBucket.grantRead(myCloudFormationAction.deploymentRole);(this will include both the Bucket and the Key) Thanks, |
|
@skinny85 Thanks; that makes sense, and adding that did indeed attach some additional permissions to my bucket policy and key. However, I'm not sure that's it (or that it's all of the problem); even after applying that I still observe 403s at action time. Here's something probably relevant: the S3 bucket that the CDK configures for artifacts has the correct default encryption key. But when CodeBuild writes output objects to that bucket, they don't use the CDK's CMK. They use the "generic" AWS-managed |
|
Yes, that is a separate problem :). A workaround can be to set the Project key to be the same as the Pipeline's Key: new codebuild.PipelineProject(this, 'Project', {
// ...
encryptionKey: myPipeline.artifactBucket.encryptionKey,
});That should make it work. |
|
Awesome, there it is. Thanks for your help. Both of these things feel like things the CDK should implicitly do; cross-account or not. But I don't think I have the full picture of how that should work. Would these be considered bugs in the CDK, or user/documentation? |
|
The first one is a miss in the CDK (hence this issue 😊). The second... the jury's still out on that one :). |
…issions The deploymentRole used in the CloudFormation deployment CodePipeline actions was not granted explicit permissions to read from the pipeline's bucket. This meant the deployment failed in the cross-account case for templates that needed deploy-time access to the bucket (for example: templates including a Lambda function), as the pipeline bucket did not trust the deployment role. Fixes aws#3765
…issions The deploymentRole used in the CloudFormation deployment CodePipeline actions was not granted explicit permissions to read from the pipeline's bucket. This meant the deployment failed in the cross-account case for templates that needed deploy-time access to the bucket (for example: templates including a Lambda function), as the pipeline bucket did not trust the deployment role. Fixes aws#3765
…issions (#3855) The deploymentRole used in the CloudFormation deployment CodePipeline actions was not granted explicit permissions to read from the pipeline's bucket. This meant the deployment failed in the cross-account case for templates that needed deploy-time access to the bucket (for example: templates including a Lambda function), as the pipeline bucket did not trust the deployment role. Fixes #3765
🐛 Bug Report
What is the problem?
When using cross-account CloudFormation actions within pipeline to deploy Lambda the stack execution fails with the following error:
This happening because account deployment role doesn't have permissions to both artifacts bucket and KMS key used by the pipeline. CDK only generates permissions for pipeline action role.
Reproduction Steps
Result: Pipeline fails due to insufficient permissions to deploy lambda.
Environment
The text was updated successfully, but these errors were encountered: