
fix(codepipeline): insufficient deploy cross-account CFN role S3 permissions #3855

Merged
merged 1 commit into aws:master from fix/cross-account-cfn-pipeline-perms
Aug 29, 2019

Conversation

skinny85
Contributor

The deploymentRole used in the CloudFormation deployment CodePipeline actions
was not granted explicit permissions to read from the pipeline's bucket.
This meant the deployment failed in the cross-account case
for templates that needed deploy-time access to the bucket
(for example: templates including a Lambda function),
as the pipeline bucket did not trust the deployment role.

Fixes #3765


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
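The description above hinges on one IAM rule: when the caller's role and the S3 bucket belong to different accounts, the bucket policy has to name (trust) the foreign role and the role's own identity policy has to grant the read; in a single account, either side alone suffices, which is why the gap only surfaced cross-account. The following is an added example, not code from aws-cdk or from this PR: a small TypeScript model of that evaluation rule, run against a constructed "before" and "after" policy pair. All account ids, role names, bucket names and object keys are placeholders, and the "after" statements are illustrative, not the exact statements this PR emits.

```typescript
// Added example, not aws-cdk code: a minimal model of how AWS evaluates an S3
// request when the calling IAM role (deployment account) and the bucket
// (pipeline account) live in different accounts. All account ids, ARNs and
// bucket names below are constructed placeholders.

type Effect = "Allow" | "Deny";

interface Statement {
  effect: Effect;
  principal?: string;  // only in bucket (resource) policies: "*" or a role ARN
  action: string[];    // e.g. ["s3:GetObject"]; a trailing "*" is a wildcard
  resource: string[];  // ARNs; a trailing "*" is a wildcard
}

interface BucketPolicy {
  ownerAccount: string;     // account that owns the bucket
  statements: Statement[];
}

interface S3Request {
  principalArn: string;     // ARN of the assumed role making the call
  principalAccount: string; // account that owns that role
  action: string;
  resourceArn: string;
}

function matches(pattern: string, value: string): boolean {
  if (pattern === "*") return true;
  if (pattern.endsWith("*")) return value.startsWith(pattern.slice(0, -1));
  return pattern === value;
}

function applies(s: Statement, req: S3Request): boolean {
  const principalOk = s.principal === undefined || s.principal === "*" || s.principal === req.principalArn;
  return principalOk
    && s.action.some(a => matches(a, req.action))
    && s.resource.some(r => matches(r, req.resourceArn));
}

// Verdict of one policy document on its own: explicit Deny, Allow, or nothing matched.
function decide(statements: Statement[], req: S3Request): Effect | "NoMatch" {
  const hits = statements.filter(s => applies(s, req));
  if (hits.some(s => s.effect === "Deny")) return "Deny";
  if (hits.some(s => s.effect === "Allow")) return "Allow";
  return "NoMatch";
}

// The rule the PR description hinges on:
//  - an explicit Deny in either policy wins;
//  - same account: an Allow in either the identity or the bucket policy suffices;
//  - cross account: BOTH the role's identity policy AND the bucket policy must Allow,
//    i.e. the bucket must trust the foreign role and the role must be granted the read.
function evaluate(req: S3Request, identityPolicy: Statement[], bucket: BucketPolicy): Effect {
  const fromIdentity = decide(identityPolicy, req);
  const fromBucket = decide(bucket.statements, req);
  if (fromIdentity === "Deny" || fromBucket === "Deny") return "Deny";
  if (req.principalAccount !== bucket.ownerAccount) {
    return fromIdentity === "Allow" && fromBucket === "Allow" ? "Allow" : "Deny";
  }
  return fromIdentity === "Allow" || fromBucket === "Allow" ? "Allow" : "Deny";
}

// Constructed scenario: artifact bucket in account 111111111111, deployment role in 222222222222.
const PIPELINE_ACCOUNT = "111111111111";
const DEPLOY_ACCOUNT = "222222222222";
const DEPLOY_ROLE = `arn:aws:iam::${DEPLOY_ACCOUNT}:role/CfnDeploymentRole`;
const BUCKET_ARN = "arn:aws:s3:::example-pipeline-artifacts";

// CloudFormation in the deployment account fetching a Lambda code zip from the artifact bucket.
const deployTimeRead: S3Request = {
  principalArn: DEPLOY_ROLE,
  principalAccount: DEPLOY_ACCOUNT,
  action: "s3:GetObject",
  resourceArn: `${BUCKET_ARN}/LambdaCode/abc123.zip`,
};

// Before: the role may drive CloudFormation but has no S3 statement, and the bucket
// policy only names a principal from the pipeline account.
const roleBefore: Statement[] = [
  { effect: "Allow", action: ["cloudformation:*"], resource: ["*"] },
];
const bucketBefore: BucketPolicy = {
  ownerAccount: PIPELINE_ACCOUNT,
  statements: [
    { effect: "Allow", principal: `arn:aws:iam::${PIPELINE_ACCOUNT}:role/PipelineRole`,
      action: ["s3:*"], resource: [BUCKET_ARN, `${BUCKET_ARN}/*`] },
  ],
};

// After: an illustrative read grant on both sides (identity policy and bucket policy).
const readActions = ["s3:GetObject*", "s3:GetBucket*", "s3:List*"];
const roleAfter: Statement[] = [
  ...roleBefore,
  { effect: "Allow", action: readActions, resource: [BUCKET_ARN, `${BUCKET_ARN}/*`] },
];
const bucketAfter: BucketPolicy = {
  ownerAccount: PIPELINE_ACCOUNT,
  statements: [
    ...bucketBefore.statements,
    { effect: "Allow", principal: DEPLOY_ROLE, action: readActions, resource: [BUCKET_ARN, `${BUCKET_ARN}/*`] },
  ],
};

function beforeFix(): Effect { return evaluate(deployTimeRead, roleBefore, bucketBefore); }
function afterFix(): Effect { return evaluate(deployTimeRead, roleAfter, bucketAfter); }
// Bucket trusts the role but the role itself was never granted the read: still denied cross-account.
function bucketPolicyOnly(): Effect { return evaluate(deployTimeRead, roleBefore, bucketAfter); }
// Same-account pipeline: the identity grant alone is enough, which is why the gap only showed cross-account.
const sameAccountRead: S3Request = {
  ...deployTimeRead,
  principalArn: `arn:aws:iam::${PIPELINE_ACCOUNT}:role/CfnDeploymentRole`,
  principalAccount: PIPELINE_ACCOUNT,
};
function sameAccountIdentityOnly(): Effect { return evaluate(sameAccountRead, roleAfter, bucketBefore); }

console.log(`before: ${beforeFix()}, bucket policy only: ${bucketPolicyOnly()}, after: ${afterFix()}, same account: ${sameAccountIdentityOnly()}`);
```

The `bucketPolicyOnly` case is the one worth remembering when reviewing grants of this kind: adding the foreign role to the bucket policy is necessary but not sufficient, and a deployment that works in a single-account pipeline says nothing about the cross-account path.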

@skinny85 skinny85 requested a review from eladb August 29, 2019 00:54
@skinny85 skinny85 self-assigned this Aug 29, 2019
@mergify
Contributor

mergify bot commented Aug 29, 2019

Pull Request Checklist

  • Testing
  • Unit test added (prefer to add a new test rather than modify existing tests)
  • CLI change? Re-run/add CLI integration tests
  • Documentation
  • Inline docs: make sure all public APIs are documented (copy & paste from official AWS docs)
  • README: update module README
  • Design: for significant features, follow the design process
  • Title uses the format type(scope): text
  • Type: fix, feat, refactor go into CHANGELOG, chore is hidden
  • Scope: name of the module without the aws- or cdk- prefix or postfix (e.g. s3 instead of aws-s3-deployment)
  • Style: use all lower-case, do not end with a period
  • Description
  • Rationale: describe rationale of change and approach taken
  • Issues: Indicate issues fixed via: fixes #xxx or closes #xxx
  • Breaking?: last paragraph: BREAKING CHANGE: <describe what changed + link for details>
  • Sensitive Modules (requires 2 PR approvers)
  • IAM document library (in @aws-cdk/aws-iam)
  • EC2 security groups and ACLs (in @aws-cdk/aws-ec2)
  • Grant APIs (if not based on official documentation with a reference)

eladb
eladb previously approved these changes Aug 29, 2019
Contributor

@eladb eladb left a comment


Funny! This is exactly what we discussed yesterday!

…issions

The deploymentRole used in the CloudFormation deployment CodePipeline actions
was not granted explicit permissions to read from the pipeline's bucket.
This meant the deployment failed in the cross-account case
for templates that needed deploy-time access to the bucket
(for example: templates including a Lambda function),
as the pipeline bucket did not trust the deployment role.

Fixes aws#3765
@skinny85 skinny85 force-pushed the fix/cross-account-cfn-pipeline-perms branch from 54ced1f to 1d01721 Compare August 29, 2019 17:16
@skinny85
Contributor Author

Rebasing, as for some reason the CodeBuild job was never triggered...?

@mergify mergify bot dismissed eladb’s stale review August 29, 2019 17:16

Pull request has been modified.

@skinny85 skinny85 added pr/do-not-merge This PR should not be merged at this time. and removed automerge-enabled labels Aug 29, 2019
@skinny85 skinny85 merged commit 09304f7 into aws:master Aug 29, 2019
@skinny85 skinny85 deleted the fix/cross-account-cfn-pipeline-perms branch August 29, 2019 18:19
@NGL321 NGL321 added the contribution/core This is a PR that came from AWS. label Sep 27, 2019
Labels
contribution/core This is a PR that came from AWS. pr/do-not-merge This PR should not be merged at this time.
Development

Successfully merging this pull request may close these issues.

Cross-account pipeline doesn't generate sufficient permissions to deploy lambda in another account