Aws-cdk: CodeCommitSourceAction cannot decrypt S3

Created on 2 Jul 2019  ·  1 Comment  ·  Source: aws/aws-cdk

  • I'm submitting a ...

    • [x] :beetle: bug report
    • [ ] :rocket: feature request
    • [ ] :books: construct library gap
    • [ ] :phone: security issue or vulnerability => Please see policy
    • [ ] :question: support request => Please see note at the top of this template.
  • What is the current behavior?

With this example:

    import * as codecommit from "@aws-cdk/aws-codecommit";
    import * as codepipeline from "@aws-cdk/aws-codepipeline";
    import * as codepipelineActions from "@aws-cdk/aws-codepipeline-actions";

    // Runs inside a Stack constructor, so `this` is the stack that owns these constructs.
    const repository = new codecommit.Repository(
      this,
      "Repository",
      { repositoryName: "repository" }, // repositoryName is required by RepositoryProps; the name is a placeholder
    );

    const pipeline = new codepipeline.Pipeline(
      this,
      "Pipeline",
    );

    // The artifact the source stage writes to the pipeline bucket and later stages read back.
    const sourceOutput = new codepipeline.Artifact();

    pipeline.addStage({
      stageName: "Source",
      actions: [
        new codepipelineActions.CodeCommitSourceAction({
          actionName: "CodeCommit",
          output: sourceOutput,
          repository,
        }),
      ],
    });

The default S3 bucket for sourceOutput (codepipeline.Artifact) is encrypted. While executing, the pipeline fails:

The process to upload the contents of the AWS CodeCommit repository failed 

Reviewing CloudTrail:

{
    "eventVersion": "1.05",
    "userIdentity": {
        ...
        "invokedBy": "codepipeline.amazonaws.com"
    },
    "eventTime": "2019-07-02T11:11:19Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "eu-central-1",
    "sourceIPAddress": "codepipeline.amazonaws.com",
    "userAgent": "codepipeline.amazonaws.com",
    "errorCode": "AccessDenied",
    "errorMessage": "User: arn:aws:sts::XXX:assumed-role/Stack-PipelineSourceCodeCommitCodePipelineAct-QTAD32GUAUO5/1562065878283 is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:eu-central-1:XXX:key/XXX",
    "requestParameters": null,
    "responseElements": null,
    "eventType": "AwsApiCall",
}

  • What is the expected behavior (or behavior of feature suggested)?

It should just work 😇

I've just modified source-action.ts granting read:

diff --git i/packages/@aws-cdk/aws-codepipeline-actions/lib/codecommit/source-action.ts w/packages/@aws-cdk/aws-codepipeline-actions/lib/codecommit/source-action.ts
index 9cc1793a..d7760497 100644
--- i/packages/@aws-cdk/aws-codepipeline-actions/lib/codecommit/source-action.ts
+++ w/packages/@aws-cdk/aws-codepipeline-actions/lib/codecommit/source-action.ts
@@ -92,6 +92,7 @@ export class CodeCommitSourceAction extends Action {
     // the Action will write the contents of the Git repository to the Bucket,
     // so its Role needs write permissions to the Pipeline Bucket
     options.bucket.grantWrite(options.role);
+    options.bucket.grantRead(options.role);

     // https://docs.aws.amazon.com/codecommit/latest/userguide/auth-and-access-control-permissions-reference.html#aa-acp
     options.role.addToPolicy(new iam.PolicyStatement({
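Review bot: the comment directly above the new `grantRead` call ("so its Role needs write permissions to the Pipeline Bucket") now understates what the role needs; extend it to say the role must also read the bucket, because on a KMS-encrypted artifact bucket the read grant is what carries `kms:Decrypt`, the permission the CloudTrail record in this issue shows being denied. Consider replacing the two calls with a single `options.bucket.grantReadWrite(options.role);` so the intent is visible in one line, and add a unit test asserting that the action role's policy includes `kms:Decrypt` on the bucket key so the regression is caught.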

and it works correctly.

@aws-cdk/aws-codepipeline bug
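Starting from the CloudTrail record quoted in the report, a defender-side triage helper added here as an example (it is not part of the issue or the aws-cdk code base): it filters KMS AccessDenied events made on behalf of codepipeline.amazonaws.com and groups them by role, action and key, so the pipeline role that is missing kms:Decrypt can be identified from the trail rather than from the pipeline's generic upload failure. The sample events, account ids, role name and key ARN are constructed placeholders.

```typescript
// Fields used from a CloudTrail event; the shape follows the record quoted in the issue.
interface CloudTrailRecord {
  eventSource: string;
  errorCode?: string;
  errorMessage?: string;
  userIdentity?: { invokedBy?: string };
}
// role: name from the assumed-role ARN; action: e.g. kms:Decrypt; resource: the KMS key ARN
type DenialSummary = { role: string; action: string; resource: string; count: number };
// IAM's denial text: "User: <principal ARN> is not authorized to perform: <action> on resource: <ARN>"
const DENIAL_RE = /^User: (\S+) is not authorized to perform: (\S+) on resource: (\S+)/;

// "arn:aws:sts::123:assumed-role/<RoleName>/<Session>" -> "<RoleName>"
function roleNameFromArn(arn: string): string {
  const m = /assumed-role\/([^/]+)/.exec(arn);
  return m ? m[1] : arn;
}

// Keep only KMS AccessDenied events made on behalf of the given service principal and group them
// by role, action and key (most frequent first) so the missing grant can be pinned to one role.
function summarizeKmsDenials(records: CloudTrailRecord[],
                             invoker = "codepipeline.amazonaws.com"): DenialSummary[] {
  const byId: { [id: string]: DenialSummary } = {};
  for (const r of records) {
    if (r.eventSource !== "kms.amazonaws.com" || r.errorCode !== "AccessDenied") continue;
    if (!r.userIdentity || r.userIdentity.invokedBy !== invoker) continue;
    const m = DENIAL_RE.exec(r.errorMessage || "");
    if (!m) continue;
    const role = roleNameFromArn(m[1]);
    const id = `${role}|${m[2]}|${m[3]}`;
    const entry = byId[id] || { role, action: m[2], resource: m[3], count: 0 };
    entry.count += 1;
    byId[id] = entry;
  }
  return Object.keys(byId).map((k) => byId[k]).sort((a, b) => b.count - a.count);
}

// Constructed sample events modelled on the one in the issue; account and key ids are placeholders.
const KEY_ARN = "arn:aws:kms:eu-central-1:111111111111:key/00000000-placeholder";
const ROLE_ARN = "arn:aws:sts::111111111111:assumed-role/Stack-PipelineSourceRole-EXAMPLE/1562065878283";
const denied = (source: string, who: string, action: string, res: string): CloudTrailRecord => ({
  eventSource: source, errorCode: "AccessDenied", userIdentity: { invokedBy: "codepipeline.amazonaws.com" },
  errorMessage: `User: ${who} is not authorized to perform: ${action} on resource: ${res}`,
});
const SAMPLE_RECORDS: CloudTrailRecord[] = [
  denied("kms.amazonaws.com", ROLE_ARN, "kms:Decrypt", KEY_ARN),
  denied("kms.amazonaws.com", ROLE_ARN, "kms:Decrypt", KEY_ARN),
  denied("s3.amazonaws.com", ROLE_ARN, "s3:GetObject", "arn:aws:s3:::placeholder-bucket/x"), // not KMS: ignored
  { eventSource: "kms.amazonaws.com", userIdentity: { invokedBy: "codepipeline.amazonaws.com" } }, // success: ignored
];
```

The same filter works over a real trail by replacing SAMPLE_RECORDS with the `Records` array of a CloudTrail log file.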

Most helpful comment

Hey @chernando ,

thanks for opening this issue! I confirm I was able to reproduce the issue on my side. Fix incoming.

Thanks,
Adam
