
aws_codepipeline: cross account pass role not allowed #28325

Closed
SoleyDigital opened this issue Dec 11, 2023 · 2 comments
Labels
@aws-cdk/aws-codepipeline Related to AWS CodePipeline bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@SoleyDigital

Describe the bug

I am building a cross-account pipeline from target account to source account, using aws_codepipeline with CDK.

I am getting an error during the deploy stage: Cross-Account pass role not allowed.

I have double-checked the permissions from target and source to allow assuming the role, along with bootstrapping the accounts together, but still no success.

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as codebuild from 'aws-cdk-lib/aws-codebuild';
import * as codepipeline from 'aws-cdk-lib/aws-codepipeline';
import * as codepipelineActions from 'aws-cdk-lib/aws-codepipeline-actions';

export class AwsCicdStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Pipeline IAM: the role CodePipeline itself runs as (created in this account)
    const pipelineRole = new iam.Role(this, 'CodePipelineRole', {
      roleName: 'FoundationCodePipelineRole',
      assumedBy: new iam.ServicePrincipal('codepipeline.amazonaws.com'),
    });

    // Pipeline Assume Dev Role
    pipelineRole.addToPolicy(new iam.PolicyStatement({
      actions: ['sts:AssumeRole'],
      resources: [
        'arn:aws:iam::devaccountid:role/Dev-Deployment-Role',
      ],
    }));

    // Output Artifacts
    const sourceOutput = new codepipeline.Artifact('SourceArtifact');
    const cdkOutputs = new codepipeline.Artifact('CDKOutputs');

    // CDK Build Stage: synthesize the CDK app into CloudFormation templates
    const cdkBuild = new codebuild.PipelineProject(this, 'CDKBuild', {
      buildSpec: codebuild.BuildSpec.fromObject({
        version: '0.2',
        phases: {
          install: {
            commands: ['npm install -g aws-cdk', 'npm install'],
          },
          build: {
            commands: ['npm run cdk synth'],
          },
        },
        artifacts: {
          'base-directory': 'cdk.out',
          files: ['*.template.json'],
        },
      }),
      // Runtime env for CodeBuild
      environment: {
        buildImage: codebuild.LinuxBuildImage.STANDARD_5_0,
      },
      // encryptionKey: key
    });

    const pipeline = new codepipeline.Pipeline(this, 'Pipeline', {
      pipelineName: 'Foundational-Pipeline',
      crossAccountKeys: true,
      role: pipelineRole,
      stages: [
        {
          stageName: 'Source',
          actions: [
            new codepipelineActions.GitHubSourceAction({
              actionName: 'Github',
              repo: 'ops-aws-foundation',
              branch: 'main',
              oauthToken: cdk.SecretValue.secretsManager('xxxx'),
              output: sourceOutput,
              owner: 'xxxx',
              trigger: codepipelineActions.GitHubTrigger.WEBHOOK,
            }),
          ],
        },
        // Build CDK into CloudFormation
        {
          stageName: 'Build',
          actions: [
            new codepipelineActions.CodeBuildAction({
              actionName: 'CDK_Build',
              project: cdkBuild,
              input: sourceOutput,
              // Emit into the same artifact the deploy stage reads from
              outputs: [cdkOutputs],
              runOrder: 1,
            }),
          ],
        },
        {
          stageName: 'DeployDev',
          actions: [
            new codepipelineActions.CloudFormationCreateUpdateStackAction({
              actionName: 'DeployNetworkingStack',
              stackName: 'FoundationalNetworking',
              templatePath: cdkOutputs.atPath('AwsFoundationStack.template.json'),
              adminPermissions: true,
              deploymentRole: iam.Role.fromRoleArn(this, 'role', 'arn:aws:iam::devaccountid:role/Dev-Deployment-Role'),
            }),
          ],
        },
      ],
    });

    // Same AssumeRole grant again, this time through the pipeline construct
    pipeline.addToRolePolicy(new iam.PolicyStatement({
      actions: ['sts:AssumeRole'],
      resources: [
        'arn:aws:iam::devaccountid:role/Dev-Deployment-Role',
      ],
    }));
  }
}

Expected Behavior

Allow source account to deploy to target account.

Current Behavior

The deploy stage is failing with the error: cross account pass role not allowed.

Reproduction Steps

        {
          stageName: 'DeployDev',
          actions: [
            new codepipelineActions.CloudFormationCreateUpdateStackAction({
              actionName: 'DeployNetworkingStack',
              stackName: 'FoundationalNetworking',
              templatePath: cdkOutputs.atPath('FoundationStack.template.json'),
              adminPermissions: true,
              deploymentRole: iam.Role.fromRoleArn(this, 'role', 'arn:aws:iam::devaccountid:role/Dev-Deployment-Role'),
            }),
          ],
        },

Possible Solution

Additional Information/Context

No response

CDK CLI Version

2.111.0

Framework Version

No response

Node.js Version

20.6.1

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

No response
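The permission boundary behind the reported error, as an added example that is not code from the issue or from the CDK project. IAM's `iam:PassRole` only succeeds when the principal doing the passing and the role being passed are in the same account, whereas `sts:AssumeRole` may cross accounts when the target's trust policy allows it. The stack above has the source-account pipeline role pass `Dev-Deployment-Role`, which lives in the dev account, straight to CloudFormation. The example below models that check over a delegation chain and emits the least-privilege policy documents for the pattern that stays inside the rule: the pipeline role assumes an action role in the target account, and that action role alone passes the deployment role, restricted to CloudFormation via the `iam:PassedToService` condition key. The account ids, role names, `Step`/`checkChain`/`crossAccountDeployPolicies` identifiers and the error wording are this example's own constructions; in CDK terms this corresponds, on my reading rather than anything stated in the thread, to giving the deploy action a `role` in the target account next to its `deploymentRole`.

```typescript
// Added example (not from the issue or the CDK project). Models the IAM rule that
// fails the deploy stage: iam:PassRole cannot cross an account boundary, sts:AssumeRole can.
// All ARNs below are constructed placeholders.

type Action = 'sts:AssumeRole' | 'iam:PassRole';

interface Step {
  action: Action;
  principalRoleArn: string; // role whose credentials make the call
  targetRoleArn: string;    // role being assumed or passed
}

interface Verdict {
  ok: boolean;
  failure?: string;
}

// Role ARNs have a fixed shape: arn:<partition>:iam::<12-digit account>:role/<name>
function accountOf(roleArn: string): string {
  const parts = roleArn.split(':');
  if (parts.length < 6 || parts[2] !== 'iam' || !/^\d{12}$/.test(parts[4]) || !parts[5].startsWith('role/')) {
    throw new Error(`not an IAM role ARN: ${roleArn}`);
  }
  return parts[4];
}

// Walk a delegation chain. The one hard rule modelled is the one behind the issue:
// a PassRole whose principal and target sit in different accounts is rejected.
// (A real AssumeRole additionally needs a matching trust policy on the target role.)
function checkChain(steps: Step[]): Verdict {
  for (const s of steps) {
    const from = accountOf(s.principalRoleArn);
    const to = accountOf(s.targetRoleArn);
    if (s.action === 'iam:PassRole' && from !== to) {
      return {
        ok: false,
        failure: `${s.principalRoleArn} (account ${from}) cannot pass ${s.targetRoleArn} (account ${to}): cross-account pass role is not allowed`,
      };
    }
  }
  return { ok: true };
}

// Minimal policy set for the two-role pattern. Each statement names exactly one ARN and the
// PassRole grant is limited to CloudFormation as the receiving service. The action role also
// needs its own CloudFormation and artifact-bucket permissions, which are out of scope here.
function crossAccountDeployPolicies(pipelineRoleArn: string, actionRoleArn: string, deploymentRoleArn: string) {
  if (accountOf(actionRoleArn) !== accountOf(deploymentRoleArn)) {
    throw new Error('action role and deployment role must live in the same (target) account');
  }
  return {
    // Source account: the pipeline role may only hop into the target account's action role.
    pipelineRolePolicy: {
      Version: '2012-10-17',
      Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole', Resource: actionRoleArn }],
    },
    // Target account: the action role trusts exactly the pipeline role.
    actionRoleTrustPolicy: {
      Version: '2012-10-17',
      Statement: [{ Effect: 'Allow', Principal: { AWS: pipelineRoleArn }, Action: 'sts:AssumeRole' }],
    },
    // Target account: the action role may pass the deployment role, but only to CloudFormation.
    actionRolePolicy: {
      Version: '2012-10-17',
      Statement: [{
        Effect: 'Allow',
        Action: 'iam:PassRole',
        Resource: deploymentRoleArn,
        Condition: { StringEquals: { 'iam:PassedToService': 'cloudformation.amazonaws.com' } },
      }],
    },
  };
}

// Constructed sample: pipeline account 111111111111, deployment target 222222222222.
const PIPELINE_ROLE = 'arn:aws:iam::111111111111:role/FoundationCodePipelineRole';
const ACTION_ROLE = 'arn:aws:iam::222222222222:role/Dev-Action-Role';
const DEPLOYMENT_ROLE = 'arn:aws:iam::222222222222:role/Dev-Deployment-Role';

// What the issue's stack does: the source-account pipeline role passes a dev-account role.
const brokenChain: Step[] = [
  { action: 'iam:PassRole', principalRoleArn: PIPELINE_ROLE, targetRoleArn: DEPLOYMENT_ROLE },
];

// The pattern that keeps every PassRole inside one account.
const workingChain: Step[] = [
  { action: 'sts:AssumeRole', principalRoleArn: PIPELINE_ROLE, targetRoleArn: ACTION_ROLE },
  { action: 'iam:PassRole', principalRoleArn: ACTION_ROLE, targetRoleArn: DEPLOYMENT_ROLE },
];

console.log(checkChain(brokenChain).failure);
console.log(checkChain(workingChain).ok);
console.log(JSON.stringify(crossAccountDeployPolicies(PIPELINE_ROLE, ACTION_ROLE, DEPLOYMENT_ROLE), null, 2));
```

Running it prints the rejection for the single-hop chain, `true` for the two-hop chain, and the three policy documents. The `iam:PassedToService` condition is the detail worth keeping in a real deployment: without it, any principal that can assume the action role could hand the deployment role to any AWS service that accepts a role, not just CloudFormation.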

@SoleyDigital SoleyDigital added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 11, 2023
@github-actions github-actions bot added the @aws-cdk/aws-codepipeline Related to AWS CodePipeline label Dec 11, 2023
@pahud
Contributor

pahud commented Dec 11, 2023

Let's track this issue in #27484 (comment)

Closing for duplicate.

@pahud pahud closed this as completed Dec 11, 2023
@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Dec 11, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
