Add validation for CodeBuild project's key being different than the pipeline's key #4033
Labels: @aws-cdk/aws-codebuild (Related to AWS CodeBuild), @aws-cdk/aws-codepipeline (Related to AWS CodePipeline)
Comments
skinny85 added the @aws-cdk/aws-codepipeline (Related to AWS CodePipeline) and @aws-cdk/aws-codebuild (Related to AWS CodeBuild) labels, Sep 11, 2019
skinny85 added a commit to skinny85/aws-cdk that referenced this issue, Oct 5, 2019
CodeBuild has a bug where they ignore the encryption key of the pipeline's artifact bucket, instead always using the project's key (the account's default S3 key if the project key has not been set). This makes the CodeBuild actions unusable in a cross-account pipeline, as subsequent actions will get an 'Access Denied' error when trying to download the incorrectly encrypted artifacts. The fix is to always set the project's key to be the same as the pipeline key in the CodeBuild action. Fixes aws#4033
mergify bot pushed a commit that referenced this issue, Oct 17, 2019
CodeBuild has a bug where they ignore the encryption key of the pipeline's artifact bucket, instead always using the project's key (the account's default S3 key if the project key has not been set). This makes the CodeBuild actions unusable in a cross-account pipeline, as subsequent actions will get an 'Access Denied' error when trying to download the incorrectly encrypted artifacts. The fix is to always set the project's key to be the same as the pipeline key in the CodeBuild action. Fixes #4033
The CodeBuild action ignores the `EncryptionKey` part of the CodePipeline's `ArtifactStore`, and always uses the KMS key that was set on the project itself (the default account key if none was set). This is a problem in cross-account pipelines, as the other actions will get an 'Access Denied' when trying to read artifacts encrypted with a key they don't have permissions for.

`skipCrossAccountKeyValidation: boolean` (default: `false`) that allows a customer to get rid of this validation once CodeBuild fixes the issue without having to update their CDK version. Later we can deprecate that field, remove the validation and never use the property anymore.
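A check of the kind this issue asks for, run over a synthesized CloudFormation template rather than inside the CDK. This is an added example, not aws-cdk code: the function name `findKeyMismatches`, the sample template and its logical IDs are constructed for illustration, and it assumes a single `ArtifactStore` and projects referenced by `Ref`.

```typescript
// Added example, not aws-cdk code. Resource shapes follow CloudFormation's
// AWS::CodePipeline::Pipeline and AWS::CodeBuild::Project types.
type Json = any;
interface Mismatch { pipeline: string; action: string; project: string; }

// Compare structurally so intrinsics such as {"Fn::GetAtt": [...]} match.
const same = (a: Json, b: Json): boolean => JSON.stringify(a) === JSON.stringify(b);

function findKeyMismatches(template: Json): Mismatch[] {
  const resources: Json = template.Resources ?? {};
  const out: Mismatch[] = [];
  for (const pipelineId of Object.keys(resources)) {
    const res: Json = resources[pipelineId];
    if (res.Type !== "AWS::CodePipeline::Pipeline") continue;
    const pipelineKey: Json = res.Properties?.ArtifactStore?.EncryptionKey?.Id;
    for (const stage of res.Properties?.Stages ?? []) {
      for (const action of stage.Actions ?? []) {
        if (action.ActionTypeId?.Provider !== "CodeBuild") continue;
        // Assumption: the action names its project as {"Ref": "<logical id>"}.
        const projectId: Json = action.Configuration?.ProjectName?.Ref;
        const project: Json = resources[projectId];
        if (!project || project.Type !== "AWS::CodeBuild::Project") continue;
        // An unset project key means the account's default key gets used.
        if (!same(project.Properties?.EncryptionKey, pipelineKey)) {
          out.push({ pipeline: pipelineId, action: action.Name, project: projectId });
        }
      }
    }
  }
  return out;
}

// Constructed sample template: one project shares the pipeline key, one has none.
const sampleTemplate: Json = { Resources: {
  PipelineKey: { Type: "AWS::KMS::Key", Properties: {} },
  GoodProject: { Type: "AWS::CodeBuild::Project",
    Properties: { EncryptionKey: { "Fn::GetAtt": ["PipelineKey", "Arn"] } } },
  DefaultKeyProject: { Type: "AWS::CodeBuild::Project", Properties: {} },
  Pipeline: { Type: "AWS::CodePipeline::Pipeline", Properties: {
    ArtifactStore: { Type: "S3", Location: "constructed-artifact-bucket",
      EncryptionKey: { Type: "KMS", Id: { "Fn::GetAtt": ["PipelineKey", "Arn"] } } },
    Stages: [{ Name: "Build", Actions: [
      { Name: "BuildOk", ActionTypeId: { Provider: "CodeBuild" },
        Configuration: { ProjectName: { Ref: "GoodProject" } } },
      { Name: "BuildDefaultKey", ActionTypeId: { Provider: "CodeBuild" },
        Configuration: { ProjectName: { Ref: "DefaultKeyProject" } } },
    ] }],
  } },
} };
```

Running `findKeyMismatches(sampleTemplate)` flags only the `BuildDefaultKey` action, whose project would encrypt its output with a key other than the pipeline's.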