(CdkPipeline): CdkPipeline source stage fails in a cross account setup #14156

Closed
ganeshnj opened this issue Apr 13, 2021 · 6 comments · Fixed by #14260
Labels
@aws-cdk/pipelines CDK Pipelines library bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments

@ganeshnj

ganeshnj commented Apr 13, 2021

CDKPipeline fails to clone repository that exists in a different AWS Account.

Reproduction Steps

Sample: https://github.com/ganeshnj/cdk-pipeline-cross-account-sample

  1. Synth & deploy:
npx cdk bootstrap --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws://{pipeline-account-id}/us-west-2
npx cdk bootstrap --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess --trust {pipeline-account-id} aws://{source-account-id}/us-west-2 --profile source
cdk synth
cdk deploy --all
  2. Branch not found issue:
The action failed because no branch named main was found in the selected AWS CodeCommit repository MyRepository. Make sure you are using the correct branch name, and then try again. Error: null
  3. Go to the source AWS account and create a main branch.
  4. Try the source stage again.
  5. Permissions issue:
The service role or action role doesn't have the permissions required to access the Amazon S3 bucket named {bucket-name}. Update the IAM role permissions, and then try again. Error: Amazon S3:AccessDenied:Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: {Request ID}; S3 Extended Request ID: {Extended Request ID}; Proxy: null)

What did you expect to happen?

Source stage should succeed

What actually happened?

Source stage failed with permission error.

Environment

  • CDK CLI Version : 1.98.0 (build 79f4512)
  • Framework Version:
  • Node.js Version: v12.18.4
  • OS : Windows 10
  • Language (Version): C#

Other


This is 🐛 Bug Report

@ganeshnj ganeshnj added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 13, 2021
@peterwoodworth peterwoodworth added the @aws-cdk/pipelines CDK Pipelines library label Apr 14, 2021
@skinny85
Contributor

Hey @ganeshnj ,

thanks for opening the issue. I'm trying to reproduce it right now.

Before I do, I'm wondering whether the problem might be that you're creating a completely new CodeCommit repository here, and it's empty.

Can you try pushing some commits to the repository, and see if that changes anything?

Thanks,
Adam

@ganeshnj
Author

Repo with commits on main branch also has the same behavior.

I kept the example simple so that during reproduction minimum manual steps are required.

@skinny85
Contributor

OK, I've managed to reproduce the error in my own setup. Digging in to what's causing it.

@skinny85
Contributor

OK. The problem seems to be the "@aws-cdk/aws-s3:grantWriteWithoutAcl": true line in cdk.json. If you switch it to "@aws-cdk/aws-s3:grantWriteWithoutAcl": false, and then re-deploy all Stacks (cdk deploy *), the Action succeeds again.

@ganeshnj can you let me know if it fixes it for you?

Looks like the CodeCommit source Action needs those permissions in the cross-account case. I'll prepare a PR adding them back in.
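The diagnosis above comes down to one permission: with the grantWriteWithoutAcl flag on, the role that the CodeCommit source action uses to write into the pipeline's artifact bucket gets s3:PutObject but not s3:PutObjectAcl, and in the cross-account case the write is refused. The following is an added example, not code from the aws-cdk project or from anyone in this thread: a small stdlib-only script that walks the AWS::IAM::Policy resources of a synthesized CloudFormation template and reports every role that can put objects into a bucket without also being able to set the object ACL, so the gap can be spotted in `cdk synth` output before a deploy. The embedded template is constructed by hand to mimic the shape of a CDK pipeline stack (two roles, one artifact bucket); the logical ids, the action lists and the role names are assumptions, not taken from the sample repository.

```python
"""Find roles that can s3:PutObject into a bucket but cannot set the object ACL.

Added example for aws-cdk issue #14156; not part of the aws-cdk code base.
Run against a real template with:  python check_put_acl.py < cdk.out/PipelineStack.template.json
"""
import fnmatch
import json
import sys
from typing import Dict, List, Set, Tuple

# Constructed sample template (assumed shape, not real cdk synth output).
# SourceActionRole reflects the grantWriteWithoutAcl=true action list;
# BuildRole reflects the older grantWrite() list, which uses s3:PutObject*.
SAMPLE_TEMPLATE = {
    "Resources": {
        "ArtifactsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "SourceActionRole": {"Type": "AWS::IAM::Role", "Properties": {}},
        "BuildRole": {"Type": "AWS::IAM::Role", "Properties": {}},
        "SourceActionRolePolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "Roles": [{"Ref": "SourceActionRole"}],
                "PolicyDocument": {"Statement": [{
                    "Effect": "Allow",
                    "Action": ["s3:GetObject*", "s3:GetBucket*", "s3:List*",
                               "s3:DeleteObject*", "s3:PutObject",
                               "s3:PutObjectLegalHold", "s3:PutObjectRetention",
                               "s3:PutObjectTagging", "s3:PutObjectVersionTagging",
                               "s3:Abort*"],
                    "Resource": [
                        {"Fn::GetAtt": ["ArtifactsBucket", "Arn"]},
                        {"Fn::Join": ["", [{"Fn::GetAtt": ["ArtifactsBucket", "Arn"]}, "/*"]]},
                    ],
                }]},
            },
        },
        "BuildRolePolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "Roles": [{"Ref": "BuildRole"}],
                "PolicyDocument": {"Statement": [{
                    "Effect": "Allow",
                    "Action": ["s3:GetObject*", "s3:PutObject*", "s3:Abort*"],
                    "Resource": [
                        {"Fn::Join": ["", [{"Fn::GetAtt": ["ArtifactsBucket", "Arn"]}, "/*"]]},
                    ],
                }]},
            },
        },
    }
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _flatten(value) -> str:
    """Render a CloudFormation intrinsic as a token, e.g. {"Fn::GetAtt": ["B", "Arn"]} -> "ref:B"."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict):
        if "Fn::GetAtt" in value:
            return "ref:" + value["Fn::GetAtt"][0]
        if "Ref" in value:
            return "ref:" + value["Ref"]
        if "Fn::Join" in value:
            sep, parts = value["Fn::Join"]
            return sep.join(_flatten(p) for p in parts)
    return json.dumps(value, sort_keys=True)


def bucket_grants(template: dict) -> Dict[str, Dict[str, Set[str]]]:
    """Map bucket logical id -> role logical id -> allowed s3:* actions, from AWS::IAM::Policy resources."""
    grants: Dict[str, Dict[str, Set[str]]] = {}
    for res in template.get("Resources", {}).values():
        if res.get("Type") != "AWS::IAM::Policy":
            continue
        props = res.get("Properties", {})
        roles = [_flatten(r)[len("ref:"):] for r in _as_list(props.get("Roles"))]
        for stmt in _as_list(props.get("PolicyDocument", {}).get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            actions = {a for a in _as_list(stmt.get("Action")) if a.lower().startswith("s3:")}
            if not actions:
                continue
            for resource in _as_list(stmt.get("Resource")):
                token = _flatten(resource)
                if not token.startswith("ref:"):
                    continue  # literal ARN of a bucket outside this template; skip
                bucket = token[len("ref:"):].split("/")[0]
                for role in roles:
                    grants.setdefault(bucket, {}).setdefault(role, set()).update(actions)
    return grants


def can_put_acl(actions: Set[str]) -> bool:
    """True if the set covers s3:PutObjectAcl, honouring wildcards like s3:PutObject* or s3:*."""
    return any(fnmatch.fnmatchcase("s3:putobjectacl", a.lower()) for a in actions)


def writers_missing_put_acl(template: dict) -> List[Tuple[str, str]]:
    """(bucket, role) pairs that may PutObject but not PutObjectAcl: the cross-account failure in this issue."""
    found = []
    for bucket, by_role in bucket_grants(template).items():
        for role, actions in by_role.items():
            writes = any(fnmatch.fnmatchcase("s3:putobject", a.lower()) for a in actions)
            if writes and not can_put_acl(actions):
                found.append((bucket, role))
    return sorted(found)


if __name__ == "__main__":
    template = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_TEMPLATE
    for bucket, role in writers_missing_put_acl(template):
        print(f"{role} can write to {bucket} but lacks s3:PutObjectAcl")
```

On the sample, only SourceActionRole is reported: BuildRole's s3:PutObject* wildcard already covers PutObjectAcl, which is why flipping the feature flag back to false (the workaround above) makes the action succeed. The matcher is deliberately case-insensitive and wildcard-aware because IAM action names are matched that way; a checker that looks for the literal string "s3:PutObjectAcl" would report a false positive on the wildcard form.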

skinny85 added a commit to skinny85/aws-cdk that referenced this issue Apr 19, 2021
…ross-account

Apparently, when removing the s3:PutObject* permissions in aws#12391,
we broke the CodeCommitSourceAction when it's cross-account.

Not entirely sure why that permission is required only when the action is cross-account,
but I have confirmed this fixes the problem,
so add an explicit call to `Bucket.grantPutAcl()`
when the action is cross-account.

Fixes aws#14156
@mergify mergify bot closed this as completed in #14260 Apr 21, 2021
mergify bot pushed a commit that referenced this issue Apr 21, 2021
…ross-account (#14260)

Apparently, when removing the s3:PutObject* permissions in #12391,
we broke the CodeCommitSourceAction when it's cross-account.

Not entirely sure why that permission is required only when the action is cross-account,
but I have confirmed this fixes the problem,
so add an explicit call to `Bucket.grantPutAcl()`
when the action is cross-account.

Fixes #14156

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@ganeshnj
Author

Apologies, I couldn't get in time.

I confirm, "@aws-cdk/aws-s3:grantWriteWithoutAcl": false, fixes the issue.
