Cross-Account CodePipeline Role not Authorized to Access CodeCommit in Same-Region Separate Account


Hi, I have an account called "Dev" and an account called "Stage1". Dev hosts my CodeCommit repos, and each repo has a branch corresponding to the deployment environment (e.g. development, stage1, prod, etc.).

Dev has a role called deployer and an associated IAM Role Policy with the following rules.

Role
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "codecommit.amazonaws.com",
                    "codepipeline.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Associated Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:*",
                "s3:*",
                "codecommit:*",
                "codedeploy:*",
                "codepipeline:*",
                "secretsmanager:*",
                "rds:*",
                "cloudformation:*",
                "appsync:*",
                "sts:AssumeRole"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::<stage-account-number>:role/stage-adminportal-dev_codepipeline_role"
        }
    ]
}

Stage has a CodePipeline project with a source stage like so:

       stage {
          name = "Source"

          action {
              category         = "Source"
              configuration    = {
                  "BranchName"     = "stage1"
                  "RepositoryName" = "Dev-AdminPortal"
                }
              name             = "Source"
              output_artifacts = [
                  "source_output",
                ]
              owner            = "AWS"
              provider         = "CodeCommit"
              region           = "us-east-1"
              role_arn         = "arn:aws:iam::<dev-account-number>:role/it-deployer-role"
              run_order        = (known after apply)
              version          = "1"
            }
        }

Stage has a role policy like so that is attached to the CodePipeline role:

Role
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "codecommit.amazonaws.com",
                    "codepipeline.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Associated Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:GetBucketVersioning",
                "s3:PutObject",
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey",
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:s3:::stage-adminportal-dev-codepipeline-bucket",
                "arn:aws:s3:::stage-adminportal-dev-codepipeline-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "codebuild:*",
                "codecommit:*",
                "codepipeline:*",
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::<dev-account-number>:role/fl-stage-adminportal-dev_codepipeline_role",
                "arn:aws:iam::<dev-account-number>:role/fl-it-deployer-role",
                "arn:aws:kms::<dev-account-number>",
                "arn:aws:codecommit::<dev-account-number>"
            ]
        }
    ]
}

No matter where I add permissions for the Stage CodePipeline to access the Dev CodeCommit repo, I get the following error:

Error: Error creating CodePipeline: InvalidStructureException: arn:aws:iam::<stage-account-number>:role/stage-adminportal-dev_codepipeline_role is not authorized to perform AssumeRole on role arn:aws:iam::<dev-account-number>:role/it-deployer-role

I'm obviously missing something, but not seeing it at the moment. Please advise if you can. Thanks.

asked a year ago, 347 views
1 Answer

One thing I noticed: the Dev role should allow the Stage1 account to assume the role. Hence, Principal should be the Stage1 account number.

The following AWS blog: https://aws.amazon.com/blogs/devops/aws-building-a-secure-cross-account-continuous-delivery-pipeline/ has a similar architecture wherein CodeCommit is in a Dev AWS account while CodePipeline is in another. You can refer to this blog and corresponding CloudFormation templates to check the IAM role and policy configuration used.

joahna
answered a year ago
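To make the answer's point concrete, here is an added example (not from the question, the answer or AWS) that evaluates a trust policy the way STS does for cross-account AssumeRole: the Dev role's trust policy as posted only names two Service principals, so the Stage role is rejected; a trust policy naming the Stage role as an AWS principal admits it. The account id and the role name used for the Stage role are placeholders standing in for the redacted values in the question.

```python
import json

# Placeholder id standing in for <stage-account-number> in the question.
STAGE_ACCOUNT = "222222222222"
STAGE_ROLE_ARN = f"arn:aws:iam::{STAGE_ACCOUNT}:role/stage-adminportal-dev_codepipeline_role"

# Constructed copy of the Dev role's trust policy from the question: only two
# AWS services are trusted, so a role from the Stage account is rejected.
ORIGINAL_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["codecommit.amazonaws.com", "codepipeline.amazonaws.com"]},
        "Action": "sts:AssumeRole",
    }],
}

def trust_allows(trust_policy, caller_arn):
    """True if an Allow statement's AWS principal covers caller_arn (exact role
    ARN, the caller's account root, or a wildcard). Simplified: Deny statements
    and Condition blocks are not evaluated."""
    account = caller_arn.split(":")[4]
    accepted = {caller_arn, f"arn:aws:iam::{account}:root", account}
    for stmt in trust_policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if stmt.get("Effect") != "Allow" or not actions & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        aws = {aws} if isinstance(aws, str) else set(aws)
        if "*" in aws or accepted & aws:
            return True
    return False

def cross_account_trust(caller_arn):
    """Trust policy naming the one cross-account role allowed to assume this role:
    an AWS principal instead of a Service principal, as the answer describes."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": caller_arn},
            "Action": "sts:AssumeRole",
        }],
    }

if __name__ == "__main__":
    print(json.dumps(cross_account_trust(STAGE_ROLE_ARN), indent=2))
```

Naming the specific Stage role rather than the account root keeps the trust scoped to the pipeline role alone; the Stage role still needs its own identity policy granting sts:AssumeRole on the Dev role ARN, which the question's second policy already does.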
