
codepipeline - Cross-account pass role is not allowed. #28122

Closed
soleyman-devops opened this issue Nov 23, 2023 · 5 comments
Labels
@aws-cdk/aws-codepipeline Related to AWS CodePipeline @aws-cdk/aws-codepipeline-actions bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments


soleyman-devops commented Nov 23, 2023

Describe the bug

I would really appreciate some help with this issue I am facing. I am looking to enable cross-account deployments using CodePipeline actions. I do not want to use CDK Pipelines; I know it does this permission stuff for you, but it doesn't fit my project requirements.

Seeing "Cross-account pass role is not allowed" when aiming to deploy from the central CI/CD account to the target Dev account.

It's unusual as the IAM role does have the iam:PassRole in the Policy Statement.

Expected Behavior

Expected behaviour is a successful deployment to the target Dev account.

Current Behavior

```typescript
// IAM Role in Target Account DEV
import * as cdk from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';
import { Construct } from 'constructs';

export class FoundationStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Role in the Dev account that the pipeline in the CI/CD account assumes for the deploy action
    const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
      assumedBy: new iam.AccountPrincipal('CicdAccountID'),
      roleName: 'Dev-Deployment-Role',
      description: 'Role for Dev for Code Pipeline to use'
    });

    crossAccountRole.addToPolicy(new iam.PolicyStatement({
      actions: ['cloudformation:*', 's3:*', 'iam:PassRole', 'sts:AssumeRole', 'kms:*', 'secretsmanager:*'],
      resources: ['*'],
    }));
  }
}
```

CICD Pipeline Stack in CICD Account

```typescript
import * as cdk from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as codebuild from 'aws-cdk-lib/aws-codebuild';
import * as codepipeline from 'aws-cdk-lib/aws-codepipeline';
import * as codepipelineActions from 'aws-cdk-lib/aws-codepipeline-actions';
import { Construct } from 'constructs';

export class AwsCicdStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Role that lives in the Dev account; imported as immutable so CDK does not try to attach policies to it
    const devCodePipelineRole = iam.Role.fromRoleArn(this,
      'DevCrossAccountRole',
      `arn:aws:iam::DevAccountID:role/Dev-Deployment-Role`, {
        mutable: false
    });

    // Output Artifacts
    const sourceOutput = new codepipeline.Artifact('SourceArtifact');
    const cdkOutputs = new codepipeline.Artifact('CDKOutputs');

    // CDK Build Stage
    const cdkBuild = new codebuild.PipelineProject(this, 'CDKBuild', {
      buildSpec: codebuild.BuildSpec.fromObject({
        version: '0.2',
        phases: {
          install: {
            commands: ['npm install -g aws-cdk', 'npm install']
          },
          build: {
            commands: ['npm run cdk synth']
          },
        },
        artifacts: {
          'base-directory': 'cdk.out',
          files: [`*.template.json`],
        }
      }),
      // Runtime env for CodeBuild
      environment: {
        buildImage: codebuild.LinuxBuildImage.STANDARD_5_0
      },
      // encryptionKey: key
    });

    // Pipeline itself
    const pipeline = new codepipeline.Pipeline(this, "Pipline", {
      pipelineName: 'Foundational-Pipeline',
      crossAccountKeys: true,
      // role: pipelineRole,
      stages: [
        {
          stageName: 'Source',
          actions: [
            new codepipelineActions.GitHubSourceAction({
              actionName: 'Github',
              repo: 'aws-foundation',
              branch: 'main',
              oauthToken: cdk.SecretValue.secretsManager('xxxxx'),
              output: sourceOutput,
              owner: 'xxxxx',
              trigger: codepipelineActions.GitHubTrigger.WEBHOOK
            })
          ]
        },
        // Build CDK into CloudFormation
        {
          stageName: 'Build',
          actions: [
            new codepipelineActions.CodeBuildAction({
              actionName: 'CDK_Build',
              project: cdkBuild,
              input: sourceOutput,
              // Must be the same Artifact object the deploy stage reads from
              outputs: [cdkOutputs],
              runOrder: 1
            })
          ]
        },
        {
          stageName: 'DeployDev',
          actions: [
            new codepipelineActions.CloudFormationCreateUpdateStackAction({
              actionName: 'DeployNetworkingStack',
              stackName: 'FoundationalNetworking',
              templatePath: cdkOutputs.atPath('FoundationStack.template.json'),
              adminPermissions: false,
              // cfnCapabilities: [cdk.CfnCapabilities.ANONYMOUS_IAM],
              role: devCodePipelineRole,
              // deploymentRole: (left blank in the original post)
            })
          ]
        },
      ]
    });

    pipeline.addToRolePolicy(new iam.PolicyStatement({
      actions: ['sts:AssumeRole'],
      resources: [
        `arn:aws:iam::DevAccountID:role/Dev-Deployment-Role`
      ]
    }));
  }
}
```

Reproduction Steps

Deploy IAM Stack in one account and CICD Stack in another Account.
(Screenshot from 2023-11-23 17:43:49 attached in the original issue; not reproduced here.)

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.101.1 (build 16ddad1)

Framework Version

No response

Node.js Version

Node.js v20.6.1

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

No response

@soleyman-devops soleyman-devops added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 23, 2023
@github-actions github-actions bot added the @aws-cdk/pipelines CDK Pipelines library label Nov 23, 2023
@pahud pahud changed the title AWS CDK Pipeline - Cross-account pass role is not allowed. codepipeline - Cross-account pass role is not allowed. Nov 27, 2023
@github-actions github-actions bot added the @aws-cdk/aws-codepipeline Related to AWS CodePipeline label Nov 27, 2023

pahud commented Nov 27, 2023

```typescript
actions: [
            new codepipelineActions.CloudFormationCreateUpdateStackAction({
              actionName: 'DeployNetworkingStack',
              stackName: 'FoundationalNetworking',
              templatePath: cdkOutputs.atPath('FoundationStack.template.json'),
              adminPermissions: false,
              // cfnCapabilities: [cdk.CfnCapabilities.ANONYMOUS_IAM],
              role: devCodePipelineRole,
              deploymentRole: 
          })
```

According to the doc:

> This role must be in the same account as the role for the action that is running, as configured in the action declaration RoleArn.

I guess you should use the role of the pipeline account instead.
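The error in the issue description and the documentation constraint quoted above come down to one check: for a CloudFormation deploy action, the account of the action `RoleArn` and the account of the deployment role in `Configuration.RoleArn` (the role CodePipeline hands to CloudFormation via `iam:PassRole`) must match. The following is an added example, not code from the issue or from the aws-cdk project: a small lint over a synthesized `AWS::CodePipeline::Pipeline` template that reports any deploy action where the two roles sit in different accounts. It assumes that a role ARN given as a CloudFormation intrinsic (for example `Fn::GetAtt` on a role resource in the same template, which is what CDK emits for a deployment role it generates) resolves to the account the template is deployed into. Account ids `111111111111` (CI/CD) and `222222222222` (Dev), the logical id `PiplineDeployDevDeployNetworkingStackRole` and the role name `Dev-CloudFormation-Deployment-Role` are constructed placeholders.

```typescript
// Added example (not from the issue or aws-cdk): lint a synthesized CodePipeline
// template for CloudFormation deploy actions whose action role and deployment role
// live in different AWS accounts, the condition behind
// "Cross-account pass role is not allowed".

interface PipelineAction {
  Name: string;
  ActionTypeId: { Category: string; Owner: string; Provider: string; Version: string };
  RoleArn?: unknown;                        // literal ARN string or a CloudFormation intrinsic
  Configuration?: Record<string, unknown>;
}

interface PipelineStage {
  Name: string;
  Actions: PipelineAction[];
}

interface CfnTemplate {
  Resources: Record<string, { Type: string; Properties?: { Stages?: PipelineStage[] } }>;
}

interface PassRoleFinding {
  stage: string;
  action: string;
  actionRoleAccount: string;
  deploymentRoleAccount: string;
}

// Extract the 12-digit account id from an IAM ARN; anything else yields undefined.
function accountFromArn(arn: string): string | undefined {
  const parts = arn.split(':');             // arn:partition:service:region:account:resource
  if (parts.length < 6 || parts[0] !== 'arn' || parts[2] !== 'iam') return undefined;
  return /^\d{12}$/.test(parts[4]) ? parts[4] : undefined;
}

// Resolve the account a role reference points at. Assumption (stated in the lead-in):
// an intrinsic such as Fn::GetAtt refers to a role defined in this template, so it
// resolves to the account the template itself is deployed into.
function roleAccount(roleRef: unknown, stackAccount: string): string | undefined {
  if (roleRef === undefined || roleRef === null) return undefined;
  if (typeof roleRef !== 'string') return stackAccount;
  return accountFromArn(roleRef);
}

function findCrossAccountPassRole(template: CfnTemplate, stackAccount: string): PassRoleFinding[] {
  const findings: PassRoleFinding[] = [];
  for (const resource of Object.values(template.Resources)) {
    if (resource.Type !== 'AWS::CodePipeline::Pipeline') continue;
    for (const stage of resource.Properties?.Stages ?? []) {
      for (const action of stage.Actions) {
        const { Category, Provider } = action.ActionTypeId;
        if (Category !== 'Deploy' || Provider !== 'CloudFormation') continue;
        const actionAcct = roleAccount(action.RoleArn, stackAccount);
        const deployAcct = roleAccount(action.Configuration?.RoleArn, stackAccount);
        if (actionAcct && deployAcct && actionAcct !== deployAcct) {
          findings.push({ stage: stage.Name, action: action.Name,
                          actionRoleAccount: actionAcct, deploymentRoleAccount: deployAcct });
        }
      }
    }
  }
  return findings;
}

// Constructed fragment of a synthesized pipeline template with one deploy action.
function pipelineTemplate(actionRoleArn: string, deploymentRoleRef: unknown): CfnTemplate {
  return {
    Resources: {
      FoundationalPipeline: {
        Type: 'AWS::CodePipeline::Pipeline',
        Properties: {
          Stages: [{
            Name: 'DeployDev',
            Actions: [{
              Name: 'DeployNetworkingStack',
              ActionTypeId: { Category: 'Deploy', Owner: 'AWS', Provider: 'CloudFormation', Version: '1' },
              RoleArn: actionRoleArn,
              Configuration: {
                ActionMode: 'CREATE_UPDATE',
                StackName: 'FoundationalNetworking',
                TemplatePath: 'CDKOutputs::FoundationStack.template.json',
                RoleArn: deploymentRoleRef,
              },
            }],
          }],
        },
      },
    },
  };
}

const CICD_ACCOUNT = '111111111111';  // constructed: account the pipeline stack deploys into

// Shape of the reported failure: imported Dev action role, generated deployment role in CI/CD.
const BROKEN = pipelineTemplate(
  'arn:aws:iam::222222222222:role/Dev-Deployment-Role',
  { 'Fn::GetAtt': ['PiplineDeployDevDeployNetworkingStackRole', 'Arn'] },
);

// Both roles in the Dev account, which is what the quoted documentation requires.
const FIXED = pipelineTemplate(
  'arn:aws:iam::222222222222:role/Dev-Deployment-Role',
  'arn:aws:iam::222222222222:role/Dev-CloudFormation-Deployment-Role',
);

for (const f of findCrossAccountPassRole(BROKEN, CICD_ACCOUNT)) {
  console.log(`${f.stage}/${f.action}: action role in ${f.actionRoleAccount}, deployment role in ${f.deploymentRoleAccount}`);
}
```

Pointing `findCrossAccountPassRole` at the pipeline stack's `cdk.out/*.template.json` (for example in the CodeBuild stage or a unit test) surfaces the mismatch at synth time instead of at the first pipeline run. Intrinsic forms other than a reference to a role in the same template (a `Ref` to a parameter, say) are outside the assumption above and should be resolved before the check.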

@pahud pahud added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p2 effort/medium Medium work item – several days of effort @aws-cdk/aws-codepipeline-actions and removed needs-triage This issue or PR still needs to be triaged. @aws-cdk/pipelines CDK Pipelines library labels Nov 27, 2023
soleyman-devops (Author) commented

Hi @pahud, thanks for confirming. CodePipeline automatically gives the role of the same account the pipeline is running in, i.e. the source (CI/CD) account.

This is from CodePipeline for DevDeployStage:

arn:aws:iam::cicdaccount:role/CicdStack-PiplineDeployDevDeployNetwo-MgkbpDIX8hF6

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 28, 2023

pahud commented Nov 30, 2023

I need to dive deep into this but probably related to #27484 (comment)


pahud commented Dec 12, 2023

Closing in favor of #27484 (comment)

@pahud pahud closed this as completed Dec 12, 2023
@pahud pahud removed their assignment Dec 12, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
