
Add validation for CodeBuild project's key being different than the pipeline's key #4033

Closed
skinny85 opened this issue Sep 11, 2019 · 0 comments · Fixed by #4183
Assignees
Labels
@aws-cdk/aws-codebuild Related to AWS CodeBuild @aws-cdk/aws-codepipeline Related to AWS CodePipeline

Comments

@skinny85
Contributor

The CodeBuild action ignores the EncryptionKey part of the CodePipeline's ArtifactStore, and always uses the KMS key that was set on the project itself (the default account key if none was set). This is a problem in cross-account pipelines, as the other actions will get an 'Access Denied' when trying to read artifacts encrypted with a key they don't have permissions for.

  • Add validation that fails if a customer tries to create a pipeline with at least 1 cross-account action, with a CodeBuild action whose project has key set to something different than the artifact bucket key
  • Create an issue in our backlog that points to the CodeBuild troubleshooting guide, and add a link to this issue to the validation message created above
  • Consider adding a property like skipCrossAccountKeyValidation: boolean (default: false) that allows a customer to get rid of this validation once CodeBuild fixes the issue without having to update their CDK version. Later we can deprecate that field, remove the validation and never use the property anymore
@skinny85 skinny85 added @aws-cdk/aws-codepipeline Related to AWS CodePipeline @aws-cdk/aws-codebuild Related to AWS CodeBuild labels Sep 11, 2019
@skinny85 skinny85 self-assigned this Sep 11, 2019
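The validation proposed in the three bullets above, together with the fix that was eventually merged (setting the project's key to the pipeline's key), as an added stand-alone model; this is not aws-cdk code, and ActionModel, PipelineModel, validateCodeBuildKeys, alignProjectKeys and the sample ARNs and account ids are constructed for illustration:

```typescript
// Added example, not aws-cdk code: a stand-alone model of the validation proposed above and of
// the merged fix. ActionModel, PipelineModel, validateCodeBuildKeys, alignProjectKeys are constructed names.
interface ActionModel {
  name: string;
  account: string;                // account the action executes in
  kind: 'CodeBuild' | 'Other';
  projectKeyArn?: string;         // CodeBuild only; undefined = account default key
}
interface PipelineModel {
  account: string;                // account owning the pipeline
  artifactBucketKeyArn?: string;  // ArtifactStore EncryptionKey; undefined = none set
  actions: ActionModel[];
  skipCrossAccountKeyValidation?: boolean;  // escape hatch from the third bullet
}

// One message per CodeBuild action whose project key differs from the artifact bucket
// key, but only when at least one action is cross-account (same-account pipelines are fine).
function validateCodeBuildKeys(p: PipelineModel): string[] {
  if (p.skipCrossAccountKeyValidation) return [];
  if (!p.actions.some(a => a.account !== p.account)) return [];
  const errors: string[] = [];
  for (const a of p.actions) {
    if (a.kind !== 'CodeBuild' || a.projectKeyArn === p.artifactBucketKeyArn) continue;
    // Artifacts this project writes are encrypted with the project key, so a downstream
    // cross-account action with no grant on that key gets Access Denied.
    errors.push(`Action '${a.name}': CodeBuild project key '${a.projectKeyArn || '<account default>'}' ` +
      `differs from the pipeline artifact bucket key '${p.artifactBucketKeyArn || '<none>'}' ` +
      `in a cross-account pipeline; see the CodeBuild troubleshooting guide (issue link: placeholder)`);
  }
  return errors;
}

// The merged fix: give every CodeBuild action the pipeline's key instead of its own.
function alignProjectKeys(p: PipelineModel): PipelineModel {
  return { ...p, actions: p.actions.map(a =>
    a.kind === 'CodeBuild' ? { ...a, projectKeyArn: p.artifactBucketKeyArn } : a) };
}

// Constructed sample: a build in the pipeline account feeding a deploy in another account.
const SAMPLE_PIPELINE: PipelineModel = {
  account: '111111111111',
  artifactBucketKeyArn: 'arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-PIPELINE-KEY',
  actions: [
    { name: 'Build', account: '111111111111', kind: 'CodeBuild' },  // project key left at default
    { name: 'Deploy', account: '222222222222', kind: 'Other' },
  ],
};
console.log(validateCodeBuildKeys(SAMPLE_PIPELINE));            // one mismatch reported
console.log(validateCodeBuildKeys(alignProjectKeys(SAMPLE_PIPELINE)));  // []
```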
skinny85 added a commit to skinny85/aws-cdk that referenced this issue Oct 5, 2019
CodeBuild has a bug where they ignore the encryption key of the pipeline's artifact bucket,
instead always using the project's key
(the account's default S3 key if the project key has not been set).
This makes the CodeBuild actions unusable in a cross-account pipeline,
as subsequent actions will get an 'Access Denied' error when trying to download the incorrectly encrypted artifacts.

The fix is to always set the project's key to be the same as the pipeline key in the CodeBuild action.

Fixes aws#4033
skinny85 added a commit to skinny85/aws-cdk that referenced this issue Oct 5, 2019
skinny85 added a commit to skinny85/aws-cdk that referenced this issue Oct 7, 2019
skinny85 added a commit to skinny85/aws-cdk that referenced this issue Oct 8, 2019
@mergify mergify bot closed this as completed in #4183 Oct 17, 2019
mergify bot pushed a commit that referenced this issue Oct 17, 2019