AWS Cross-account deployment for CloudFormation keeps getting denied - amazon-web-services

I've been trying to set up a pipeline in CodePipeline which deploys services from one account to another. But I just keep getting this error:
Cross-account pass role is not allowed (Service: AmazonCloudFormation; Status Code: 403; Error Code: AccessDenied;
Here I have 2 accounts:
Deployment account: Here I have the CodeCommit repo with the template I want to deploy. This is the source of the CodePipeline, which is in the same account. From the deployment account I want to deploy a stack into the test account through CloudFormation.
Test account: Here I want to deploy the stack. Here I have a cross-account role which gives CloudFormation the permission to use all services I want to use. This role also has a trust relationship with the deployment account.
So I want the pipeline in the deploy account to deploy a stack in the test account.
Pipeline settings:
For CodePipeline I've set up a role which has the assume-role statement for the test account role.
For CloudFormation I've used the cross-account role which is created in the test account.
When I test the pipeline it keeps getting the error I've stated above.
Does anyone have an idea what I'm doing wrong?

How to use a single IAM role to deploy resources in multiple accounts using CDK CLI

Is it possible to use a single IAM role (which can access another role) to deploy resources with environment variables CDK_DEFAULT_ACCOUNT and CDK_DEFAULT_REGION?
For example: below is a piece of code from a Jenkinsfile, which uses a role to deploy resources in the account of which it is a part.
script {
    // Role ARN and external ID are read from Jenkins credentials, not hard-coded.
    withCredentials([string(credentialsId: "sample-role-arn", variable: 'ARN'),
                     string(credentialsId: "sample-role-extid", variable: 'EXT_ID')]) {
        // Pipeline: AWS Steps plugin: run the enclosed steps with the assumed role's credentials.
        withAWS(role: "${ARN}", externalId: "${EXT_ID}", region: "${AWS_REGION}") {
            sh '''
                cdk deploy --all
            '''
        }
    }
}
In this code, sample-role-arn is defined in the account in which cdk deploy --all will deploy the resources. If CDK_DEFAULT_ACCOUNT and CDK_DEFAULT_REGION are set to different values, for an account of which sample-role-arn is not a part, cdk deploy --all will throw the error: Could not assume role in target account using current credentials (which are for account xxxxxx) User: arn:aws:sts::xxxx:assumed-role/sample-role-arn/xxx is not authorized to perform: sts:AssumeRole on resource, which is expected.
However, if a role is created in the account set by CDK_DEFAULT_ACCOUNT and CDK_DEFAULT_REGION with sample-role-arn as a trusted entity, the same error as mentioned above is still encountered, despite the fact that sample-role-arn is a trusted entity.
Could someone please advise, if this is possible?
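Both the CodePipeline question above ("Cross-account pass role is not allowed") and this CDK question ("not authorized to perform: sts:AssumeRole") are account-boundary failures, and both can be checked offline. The Python below is an added example, not code from either post or from AWS. It models two rules: iam:PassRole never crosses an account boundary, so in a CodePipeline CloudFormation action the principal that calls CloudFormation (the action roleArn if set, otherwise the pipeline service role) must be in the same account as configuration.RoleArn; and a cross-account sts:AssumeRole needs both a trust policy on the target role naming the caller and an identity policy on the caller allowing sts:AssumeRole, so a trusted entity alone is not sufficient. The account IDs, role names, region and pipeline definition (in the shape `aws codepipeline get-pipeline` returns) are constructed; `sample-role-arn` is reused from the post as a role name; the CDK deploy role follows the CDK v2 bootstrap naming with its default qualifier `hnb659fds`, and its trust on the caller account's root principal is what `cdk bootstrap --trust <account>` adds. Deny statements and Conditions are deliberately not modelled.

```python
import re

# Constructed sample account IDs; neither post gives real ones.
DEPLOY_ACCOUNT = "111111111111"   # CodePipeline / Jenkins live here
TEST_ACCOUNT = "222222222222"     # stacks are deployed here

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/.+$")


def account_of(role_arn):
    """Return the 12-digit account ID embedded in an IAM role ARN."""
    m = ROLE_ARN_RE.match(role_arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    return m.group(1)


def find_cross_account_passrole(pipeline):
    """Flag CloudFormation actions that pass a role from a different account.

    iam:PassRole never crosses an account boundary, so CloudFormation rejects
    the call with 'Cross-account pass role is not allowed' when the caller and
    configuration.RoleArn are in different accounts. The caller is the action
    roleArn if set (CodePipeline assumes it first), else the pipeline role.
    """
    findings = []
    for stage in pipeline["stages"]:
        for action in stage["actions"]:
            if action["actionTypeId"]["provider"] != "CloudFormation":
                continue
            caller = action.get("roleArn") or pipeline["roleArn"]
            passed = action["configuration"].get("RoleArn")
            if passed and account_of(caller) != account_of(passed):
                findings.append(
                    f"{stage['name']}/{action['name']}: caller in account "
                    f"{account_of(caller)} passes a role in {account_of(passed)}")
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_allows(trust_policy, caller_role_arn):
    """True if the target role's trust policy names the caller role itself or the
    caller account's root principal (the form 'cdk bootstrap --trust' adds)."""
    caller_root = f"arn:aws:iam::{account_of(caller_role_arn)}:root"
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow" or \
                "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if caller_role_arn in principals or caller_root in principals:
            return True
    return False


def identity_allows_assume(identity_policy, target_role_arn):
    """True if the caller's own policy grants sts:AssumeRole on the target role."""
    for stmt in _as_list(identity_policy["Statement"]):
        if stmt.get("Effect") != "Allow" or \
                "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if any(r in ("*", target_role_arn) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False


def can_assume_cross_account(caller_role_arn, target_role_arn, trust_policy, identity_policy):
    """Cross-account sts:AssumeRole needs both halves: the target trusts the caller
    AND the caller's identity policy allows sts:AssumeRole on the target. With
    only the trust half, STS reports 'is not authorized to perform: sts:AssumeRole'."""
    return (trust_allows(trust_policy, caller_role_arn)
            and identity_allows_assume(identity_policy, target_role_arn))


# --- constructed data for the CodePipeline question -------------------------
PIPELINE_ROLE = f"arn:aws:iam::{DEPLOY_ACCOUNT}:role/CodePipelineServiceRole"
ACTION_ROLE = f"arn:aws:iam::{TEST_ACCOUNT}:role/PipelineCrossAccountRole"
CFN_ROLE = f"arn:aws:iam::{TEST_ACCOUNT}:role/CloudFormationDeployRole"


def _pipeline(action_role_arn):
    """Minimal get-pipeline shaped definition with one CloudFormation action."""
    deploy = {"name": "CreateStack",
              "actionTypeId": {"category": "Deploy", "owner": "AWS",
                               "provider": "CloudFormation", "version": "1"},
              "configuration": {"ActionMode": "CREATE_UPDATE",
                                "StackName": "app", "RoleArn": CFN_ROLE}}
    if action_role_arn:
        deploy["roleArn"] = action_role_arn
    return {"name": "deploy-to-test", "roleArn": PIPELINE_ROLE, "stages": [
        {"name": "Source", "actions": [{"name": "Checkout",
            "actionTypeId": {"category": "Source", "owner": "AWS",
                             "provider": "CodeCommit", "version": "1"},
            "configuration": {"RepositoryName": "templates", "BranchName": "main"}}]},
        {"name": "Deploy", "actions": [deploy]}]}


BROKEN_PIPELINE = _pipeline(None)        # pipeline role (deploy acct) passes a test-acct role
FIXED_PIPELINE = _pipeline(ACTION_ROLE)  # action role in test acct passes a test-acct role

# --- constructed data for the CDK / Jenkins question -------------------------
JENKINS_ROLE = f"arn:aws:iam::{DEPLOY_ACCOUNT}:role/sample-role-arn"
# CDK v2 bootstrap deploy role; hnb659fds is CDK's default qualifier, region assumed.
CDK_DEPLOY_ROLE = f"arn:aws:iam::{TEST_ACCOUNT}:role/cdk-hnb659fds-deploy-role-{TEST_ACCOUNT}-eu-west-1"
CDK_DEPLOY_ROLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{DEPLOY_ACCOUNT}:root"}}]}
JENKINS_POLICY_NO_ASSUME = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"}]}
JENKINS_POLICY_WITH_ASSUME = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": CDK_DEPLOY_ROLE}]}

if __name__ == "__main__":
    print(find_cross_account_passrole(BROKEN_PIPELINE), find_cross_account_passrole(FIXED_PIPELINE))
    print(can_assume_cross_account(JENKINS_ROLE, CDK_DEPLOY_ROLE, CDK_DEPLOY_ROLE_TRUST, JENKINS_POLICY_NO_ASSUME),
          can_assume_cross_account(JENKINS_ROLE, CDK_DEPLOY_ROLE, CDK_DEPLOY_ROLE_TRUST, JENKINS_POLICY_WITH_ASSUME))
```

BROKEN_PIPELINE mirrors the setup the first post describes (pipeline role in the deployment account, CloudFormation role in the test account, no action role) and is flagged; FIXED_PIPELINE moves the caller into the test account by giving the action its own roleArn there, so the PassRole becomes same-account. For the Jenkins case, the trust policy alone evaluates to "trusted", yet can_assume_cross_account is false until the identity policy also grants sts:AssumeRole on the target role.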

AWS error your account is not a member of an organization

I am fairly new to AWS. I am trying to learn it by doing. I have a root user and an IAM user with admin rights and many other rights.
I deployed an example simple stack with CDK. I followed some online tutorials. The deployment with cdk was successful.
I logged in to the AWS console in the browser. I navigated to CloudFormation and clicked Stacks. I got this error:
Your account is not a member of an organization. (Service: AWSOrganizationsV20161128; Status Code: 400; Error Code: AWSOrganizationsNotInUseException; Request ID: 129910c4-b89c-4318-b56f-7f753e76d475; Proxy: null)
I got the same error for both the root user and IAM user. How do I fix it?
Note that I don't have any AWS organization. I just signed up for a fresh AWS account. Just to make sure, I checked AWS Organizations; no organization exists.
After the cdk redeploy:
StackSets are only available for AWS Organizations. They allow users to deploy CloudFormation stacks across multiple accounts in an organization. If you try to access StackSets in the AWS Console and you're not a member of an organization, you will get this error, which is expected.
Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html

CDK v2 update resulting in deployment error with Circle CI CI/CD pipeline

I have updated my cdk from version 1 to version 2, when I tried to do this locally using npm run cdk -- deploy --context awsEnv=dev --all --profile=dev, this works flawlessly.
However when the Circle CI CI/CD pipeline tries to deploy in the same dev environment, it throws an error
User: arn:aws:sts::xxxxxxxx:assumed-role/*******************************************************/jatinmehrotra is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:**************:xxxxx:parameter/cdk-bootstrap/xxxxxxxxx/version because no identity-based policy allows the ssm:GetParameter action
So basically the Circle CI CI/CD pipeline for deployment assumes the role and creates temporary credentials using the aws sts assume-role command.
Note: after updating to CDK v2 I can see a new role, which has the same name as the bootstrap SSM parameter. Does that have something to do with the error?
As of now, I think the assume role credentials (even though it has sufficient permissions) are not able to access the bootstrap parameter.
After some troubleshooting and carefully reading the error logs, I manually updated the permissions of the role whose credentials are being used to deploy the resources, giving it full SSM parameter permissions.
This resolved the issue.

Cross Account CodePipeline permission error

I am trying to create a cross-account deployment using CodePipeline and Terraform. My CodeCommit repo is in account A and the CodePipeline is in account B. I want to create a trigger so that whenever I merge the branch it triggers the CodePipeline to start in account B.
I tried using EventBridge but it only sends a notification. I also need source artifacts for the CodeBuild project. So I tried using a couple of articles from Medium such as this. But I am getting this error. Currently it doesn't even get to the build stage; it fails before that:
The service role or action role doesn’t have the permissions required to access the Amazon S3 bucket named artifacts-bucket-dev. Update the IAM role permissions, and then try again. Error: Amazon S3:AccessDenied:Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: K86ED6QM; S3 Extended Request ID: BsVDy7vYRyL2mavM+XbZNrWxR+y8Do=; Proxy: null)
I tried updating the role and actually gave administrator permission as I just wanted it work.

AWS CodeCommit Permissions Errors in CodePipeline

I am attempting to follow this example of setting up an AWS Pipeline for use across multiple accounts. I have the four different accounts set up. I've followed through on each step of the process successfully. No commands are generating any errors. The pipeline completes successfully. I can then connect to the pipeline and commit my code changes. In short, every single step up to the final one works as written in the documentation.
However, I'm then presented with an error on the initial trigger of the code commit:
Insufficient permissions
The service role or action role doesn’t have the permissions required
to access the AWS CodeCommit repository named dbmigration. Update the
IAM role permissions, and then try again. Error: User:
arn:aws:sts::12345678912:assumed-role/my-pipeline-CodePipelineRole-1UPXOXOXO1WD0H/987654321
is not authorized to perform: codecommit:UploadArchive on resource:
arn:aws:codecommit:us-east-2:123456789:dbmigration
The AWS Account I used to create the pipeline is not the root account, but an IAM Administrator login with admin privileges across the account. I've tried adding AWSCodeCommitFullAccess and AWSCodePipelineFullAccess, which I would have thought would have been part of Administration anyway. However, that didn't change anything.
My assumption is I've done something horribly wrong, but I'm not able to identify what that is. Any suggestions for better troubleshooting, let alone suggestions on how to fix it would be most welcome.
The code used to create the pipeline, again, run using the IAM login, Administrator, from a fourth AWS account, is as follows:
aws cloudformation deploy --stack-name my-pipeline `
--template-file db-migration-master.yml `
--parameter-overrides ProjectName=dbmigration `
EmailAddress=grant#scarydba.com `
DevAccountId=98765432123 `
TestAccountId=123456789012 `
ProdAccountID=210987654321 --capabilities CAPABILITY_NAMED_IAM
All the templates are from the linked article and not modified or customized.
Based on the comments.
The error message indicated that the role my-pipeline-CodePipelineRole-1UPXOXOXO1WD0H/987654321 was missing permission codecommit:UploadArchive which:
Grants permission to the service role for AWS CodePipeline to upload repository changes into a pipeline
The solution was to add the codecommit:UploadArchive to the role as an inline policy.
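The two denials quoted on this page, ssm:GetParameter on the CDK bootstrap version parameter in the Circle CI question and codecommit:UploadArchive on the repository here, share IAM's AccessDenied message format, which names exactly the principal, action and resource that were refused. The Python below is an added example, not code from either post or from AWS: it parses that message, emits the smallest Allow statement that clears it (one action, the exact resource), and evaluates statements against an action/resource pair using IAM's `*` and `?` wildcard semantics, so a bootstrap-scoped SSM statement can be compared with the "full SSM permission" the Circle CI answer settled for. The messages, account ID, region and role names are constructed for the example (the repository name dbmigration is from the post); Deny statements and Conditions are deliberately not modelled, so this is a sufficiency check, not a full IAM evaluator.

```python
import json
import re

ACCOUNT = "123456789012"   # constructed sample account ID

# IAM's AccessDenied wording; the trailing "because ..." clause is optional.
DENIAL_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+)"
    r" on resource: (?P<resource>\S+?)(?: because (?P<reason>.+))?$"
)


def parse_access_denied(message):
    """Extract principal, action, resource (and reason, if present) from an
    IAM AccessDenied message. Whitespace is normalised because consoles wrap it."""
    m = DENIAL_RE.search(" ".join(message.split()))
    if not m:
        raise ValueError("not an IAM AccessDenied message")
    return {k: m.group(k) for k in ("principal", "action", "resource", "reason")}


def minimal_statement(denial):
    """Smallest Allow statement that clears this denial: one action, exact resource."""
    return {"Effect": "Allow",
            "Action": [denial["action"]],
            "Resource": [denial["resource"]]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value, ignore_case):
    """IAM wildcard matching: '*' is any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def policy_allows(policy, action, resource):
    """True if some Allow statement matches the action (actions are
    case-insensitive) and the resource (ARNs are matched case-sensitively)."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if any(_iam_match(r, resource, False) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False


# --- constructed messages in the format quoted in both posts -----------------
SSM_DENIAL = (
    f"User: arn:aws:sts::{ACCOUNT}:assumed-role/CircleCiDeployRole/ci "
    "is not authorized to perform: ssm:GetParameter on resource: "
    f"arn:aws:ssm:eu-west-1:{ACCOUNT}:parameter/cdk-bootstrap/hnb659fds/version "
    "because no identity-based policy allows the ssm:GetParameter action"
)
CODECOMMIT_DENIAL = (
    f"Error: User: arn:aws:sts::{ACCOUNT}:assumed-role/my-pipeline-CodePipelineRole/pipeline "
    "is not authorized to perform: codecommit:UploadArchive on resource: "
    f"arn:aws:codecommit:us-east-2:{ACCOUNT}:dbmigration"
)

# Read access to every parameter under the CDK bootstrap prefix, and nothing else.
SCOPED_BOOTSTRAP_READ = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ssm:GetParameter"],
    "Resource": [f"arn:aws:ssm:eu-west-1:{ACCOUNT}:parameter/cdk-bootstrap/*"]}]}
# One reading of the "full SSM parameters permission" the Circle CI answer applied.
FULL_SSM = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ssm:*"], "Resource": ["*"]}]}
UNRELATED_SECRET = f"arn:aws:ssm:eu-west-1:{ACCOUNT}:parameter/prod/db-password"

if __name__ == "__main__":
    for msg in (SSM_DENIAL, CODECOMMIT_DENIAL):
        print(json.dumps(minimal_statement(parse_access_denied(msg)), indent=2))
    bootstrap = parse_access_denied(SSM_DENIAL)["resource"]
    print(policy_allows(SCOPED_BOOTSTRAP_READ, "ssm:GetParameter", bootstrap),
          policy_allows(SCOPED_BOOTSTRAP_READ, "ssm:GetParameter", UNRELATED_SECRET),
          policy_allows(FULL_SSM, "ssm:GetParameter", UNRELATED_SECRET))
```

The scoped statement clears the bootstrap denial and refuses an unrelated parameter, while the full-SSM statement clears both, which is the difference between fixing the error and handing the CI role every parameter in the account. The minimal statement only covers the action IAM actually refused; if the pipeline then fails on a further action, the next AccessDenied message names it the same way and can be fed back through parse_access_denied.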