Aws-cdk: [aws-codepipeline-actions] Cannot assume role by code pipeline on code pipeline action AWS CDK

Created on 31 Aug 2020  ·  10 Comments  ·  Source: aws/aws-cdk

General Issue

I have been playing with AWS CDK and was working on building a CodePipeline stack on my AWS Educate account. The user that I am using has enough permission to access and use CodePipeline. My problem is, AWS CDK generates a role for the CodePipeline action whose Principal is the ARN of the root account. So it doesn't have the permission to perform AssumeRole on the root account.

Action code:

{
  stageName: "Build",
  actions: [
    new codepipelineActions.CodeBuildAction({
      actionName: "Build",
      input: sourceOutput,
      project: builder,
    }),
  ],
}

CloudFormation template output:

"devPipelineBuildCodePipelineActionRole8696D056": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
+                "AWS": {
+                  "Fn::Join": [
+                    "",
+                    [
+                      "arn:",
+                      {
+                        "Ref": "AWS::Partition"
+                      },
+                      ":iam::",
+                      {
+                        "Ref": "AWS::AccountId"
+                      },
+                      ":root"
+                    ]
+                  ]
+                }
+              }
+            }
          ],
          "Version": "2012-10-17"
        }
      },
      "Metadata": {
        "aws:cdk:path": "PipeLineStack/dev-Pipeline/Build/Build/CodePipelineActionRole/Resource"
      }
    }
...
{
  "Actions": [
    {
      "ActionTypeId": {
        "Category": "Build",
        "Owner": "AWS",
        "Provider": "CodeBuild",
        "Version": "1"
      },
      "Configuration": {
        "ProjectName": {
          "Ref": "BuildAndTestB9A2F419"
        }
      },
      "InputArtifacts": [
        {
          "Name": "SourceOutput"
        }
      ],
      "Name": "Build",
+      "RoleArn": {
+        "Fn::GetAtt": [
+          "devPipelineBuildCodePipelineActionRole8696D056",
+          "Arn"
+        ]
+      },
      "RunOrder": 1
    }
  ],
    "Name": "Build"
}

This will throw the error:

arn:aws:iam::account_id:role/PipeLineStack-devPipelineRole5B29FEBC-1JK24J0K5N1UG is not authorized to perform AssumeRole on role arn:aws:iam::account_id:role/PipeLineStack-devPipelineBuildCodePipelineActionRo-17ETJU1KZCCNQ (Service: AWSCodePipeline; Status Code: 400; Error Code: InvalidStructureException; Request ID: c8c8af89-2409-4cc1-aad8-4de553a1764f; Proxy: null)

If I remove the RoleArn from the Action and execute the template, it works.

{
  "Actions": [
    {
      "ActionTypeId": {
        "Category": "Build",
        "Owner": "AWS",
        "Provider": "CodeBuild",
        "Version": "1"
      },
      "Configuration": {
        "ProjectName": {
          "Ref": "BuildAndTestB9A2F419"
        }
      },
      "InputArtifacts": [
        {
          "Name": "SourceOutput"
        }
      ],
      "Name": "Build",
-      "RoleArn": {
-        "Fn::GetAtt": [
-          "devPipelineBuildCodePipelineActionRole8696D056",
-          "Arn"
-        ]
-      },
      "RunOrder": 1
    }
  ],
    "Name": "Build"
}

The Question

My question is, how do I prevent CDK from adding a default role with a Principal using the root account, or is there a workaround for it?

Environment

  • CDK CLI Version: v1.61.1
  • Module Version: v1.61.1
  • Node.js Version: v12.14.0
  • OS: OSX Catalina
  • Language (Version): TypeScript (3.8.3)

Other information

Labels: @aws-cdk/aws-codepipeline-actions, guidance

All 10 comments

Had the same problem a few months ago on one project (haven't solved it) and experienced this problem again yesterday on a different project. Any news on this one?

@zgre Currently what I do is remove the role ARN from the actions, add the policy statements to the CodePipeline role, and remove the assume-role statement for CodePipeline from the generated CloudFormation. Although it is manual work, it does the job for now.

Hello @subeshb1 and @zgre,

thanks for opening the issue. I suspect the problems that you're seeing are because of IAM propagation delay. What happens is that CodePipeline validates that the pipeline Role can assume each Action Role. Sometimes, if the Roles and permissions and the pipeline are all created in the same deployment, the IAM permissions have not yet propagated, and the assume role test fails.

The arn:aws:iam::<account>:root permissions mean any IAM principal can assume that role (not just the root user).

If you don't want to use an autogenerated role for the action, you can always pass a role explicitly when creating the action - it could be the pipeline role, for example.

Hope this clears this up!

Thanks,
Adam

Hi @skinny85,
Thanks for the response. I did try passing an existing role, with the trusted entity codepipeline.amazonaws.com. It however still returned the same error. The only solution I came across is removing the RoleArn from the CodePipeline actions.

I am currently using an AWS Educate account. Maybe that is why I might not be allowed to assume roles in certain cases.

Hi,

I have created S3, CodeBuild, manual approval action roles and CodePipeline roles in CDK and still had to:

  1. Remove the RoleArn entries in the actions section of the synthesized CF code
  2. Add assume-role statements for the action roles to the CodePipeline role

In my case it might be because I am using a corporate account with federated login; I think that might do something with the setup of the account, and arn:aws:iam:::root does not work in this case.

Best regards,
Grega


It looks like actions are not allowed to assume any role in AWS Educate currently. So to have a workaround and remove the manual overhead, I used CDK L1 Constructs to modify the generated cloud formation.

So let's say I have a pipeline as:

// At the top of the stack file (CDK v1 package names)
import * as cdk from "@aws-cdk/core";
import * as codepipeline from "@aws-cdk/aws-codepipeline";
import * as iam from "@aws-cdk/aws-iam";

// Inside the Stack constructor:

// Custom role to pass in to the pipeline
const pipeLineRole = new iam.Role(this, "CodePipeLineRole", {
  assumedBy: new iam.ServicePrincipal("codepipeline.amazonaws.com"),
});

// Required policy for each action to run, e.g.
// pipeLineRole.addToPolicy(new iam.PolicyStatement({ actions: [...], resources: [...] }));

const pipeline = new codepipeline.Pipeline(this, "Pipeline", {
  role: pipeLineRole,
  stages: [
    //  ...
    {
      actions: [action1, action2],
    },
    //  ...
  ],
});

// Altering the CloudFormation to remove the RoleArn from the actions.
// addDeletionOverride removes the property from the synthesized template itself;
// the number after "Stages" is the stage's index in the stages array.
const pipelineCfn = pipeline.node.defaultChild as cdk.CfnResource;
pipelineCfn.addDeletionOverride("Properties.Stages.1.Actions.0.RoleArn");
pipelineCfn.addDeletionOverride("Properties.Stages.2.Actions.0.RoleArn");
pipelineCfn.addDeletionOverride("Properties.Stages.3.Actions.0.RoleArn");

This is a workaround; it works, but there are still unwanted, dangling policies and roles, created for the individual actions, that have not been assigned to any service.

@subeshb1 Do you know how to also delete the unwanted and dangling roles and policies?
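
As an added example (not code from the issue, from any of the commenters, or from the CDK project), the following TypeScript walks a synthesized CloudFormation template and models the two things this thread turns on: the check Adam describes above, that the pipeline role must be able to assume each action role (an sts:AssumeRole grant on the pipeline role plus a trust policy on the action role admitting the account's ":root" principal or the pipeline role itself), and the effect of the addDeletionOverride workaround, which drops RoleArn from the actions but leaves the per-action roles behind with nothing attached to them. The template is a constructed, reduced copy of the one in the issue, the account ID is made up, role ARNs are derived from logical IDs rather than deployed names, and checkPipeline, stripActionRoleArns and demo are names chosen here, not CDK or CodePipeline APIs.

```typescript
type Json = any;
interface Ctx { account: string; partition: string; }
const vals = (o: Json): Json[] => Object.keys(o).map(k => o[k]);
const asList = (v: Json): Json[] => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
// Constructed ARN for a role resource: deployed names are generated, but inside one template the logical ID matches references.
const roleArn = (logicalId: string, ctx: Ctx): string => `arn:${ctx.partition}:iam::${ctx.account}:role/${logicalId}`;

// Resolve the intrinsics CDK emits for principals and role references; anything else is an error.
function resolve(node: Json, ctx: Ctx): string {
  if (typeof node === "string") return node;
  if (node && node.Ref === "AWS::AccountId") return ctx.account;
  if (node && node.Ref === "AWS::Partition") return ctx.partition;
  if (node && node["Fn::Join"]) return node["Fn::Join"][1].map((p: Json) => resolve(p, ctx)).join(node["Fn::Join"][0]);
  if (node && node["Fn::GetAtt"] && node["Fn::GetAtt"][1] === "Arn") return roleArn(node["Fn::GetAtt"][0], ctx);
  throw new Error(`unsupported intrinsic ${JSON.stringify(node)}`);
}

// Every ARN `roleId` may sts:AssumeRole into, from inline Policies and attached AWS::IAM::Policy resources.
function assumableBy(template: Json, roleId: string, ctx: Ctx): string[] {
  const docs: Json[] = asList(template.Resources[roleId].Properties.Policies).map((p: Json) => p.PolicyDocument);
  for (const res of vals(template.Resources)) {
    if (res.Type === "AWS::IAM::Policy" && asList(res.Properties.Roles).some((r: Json) => r.Ref === roleId)) docs.push(res.Properties.PolicyDocument);
  }
  const out: string[] = [];
  for (const doc of docs) for (const st of asList(doc.Statement)) {
    if (st.Effect !== "Allow" || asList(st.Action).indexOf("sts:AssumeRole") < 0) continue;
    asList(st.Resource).forEach((r: Json) => out.push(resolve(r, ctx)));
  }
  return out;
}

// Does `roleId`'s trust policy admit `principalArn`, or its whole account via the ":root" principal?
function trusts(template: Json, roleId: string, principalArn: string, ctx: Ctx): boolean {
  const root = `arn:${ctx.partition}:iam::${ctx.account}:root`;
  return asList(template.Resources[roleId].Properties.AssumeRolePolicyDocument.Statement).some((st: Json) =>
    st.Effect === "Allow" && asList(st.Action).indexOf("sts:AssumeRole") >= 0 &&
    asList(st.Principal && st.Principal.AWS).map((p: Json) => resolve(p, ctx)).some((p: string) => p === root || p === principalArn));
}

// One finding per action whose RoleArn the pipeline role could not assume (the InvalidStructureException in the issue).
export function checkPipeline(template: Json, pipelineId: string, ctx: Ctx): string[] {
  const props = template.Resources[pipelineId].Properties;
  const pipelineRoleId = props.RoleArn["Fn::GetAtt"][0];          // CDK emits RoleArn as Fn::GetAtt
  const grants = assumableBy(template, pipelineRoleId, ctx);
  const findings: string[] = [];
  for (const stage of props.Stages) for (const action of stage.Actions) {
    if (!action.RoleArn) continue;                                 // no RoleArn: the action runs as the pipeline role
    const actionRoleId = action.RoleArn["Fn::GetAtt"][0];
    const arn = roleArn(actionRoleId, ctx);
    if (grants.indexOf(arn) < 0 && grants.indexOf("*") < 0) findings.push(`${stage.Name}/${action.Name}: pipeline role cannot assume ${arn}`);
    if (!trusts(template, actionRoleId, roleArn(pipelineRoleId, ctx), ctx)) findings.push(`${stage.Name}/${action.Name}: ${arn} does not trust the pipeline role`);
  }
  return findings;
}

// What addDeletionOverride("Properties.Stages.N.Actions.M.RoleArn") does to every action, plus the IAM roles that are
// afterwards referenced only by other IAM resources, i.e. attached to no service at all.
export function stripActionRoleArns(template: Json, pipelineId: string): { template: Json; dangling: string[] } {
  const copy = JSON.parse(JSON.stringify(template));
  for (const stage of copy.Resources[pipelineId].Properties.Stages) for (const action of stage.Actions) delete action.RoleArn;
  const refs = (node: Json, id: string): boolean => node !== null && typeof node === "object" &&
    (node.Ref === id || (node["Fn::GetAtt"] && node["Fn::GetAtt"][0] === id) || vals(node).some(v => refs(v, id)));
  const dangling = Object.keys(copy.Resources).filter(id => copy.Resources[id].Type === "AWS::IAM::Role" &&
    !vals(copy.Resources).some(r => r.Type.indexOf("AWS::IAM::") !== 0 && refs(r.Properties, id)));
  return { template: copy, dangling };
}

// Constructed template, reduced from the one in the issue; the account ID is made up.
export const CTX: Ctx = { account: "111122223333", partition: "aws" };
const actionRoleRef = { "Fn::GetAtt": ["devPipelineBuildCodePipelineActionRole8696D056", "Arn"] };
const rootPrincipal = { "Fn::Join": ["", ["arn:", { Ref: "AWS::Partition" }, ":iam::", { Ref: "AWS::AccountId" }, ":root"]] };
export const TEMPLATE: Json = { Resources: {
  devPipelineRole5B29FEBC: { Type: "AWS::IAM::Role", Properties: { AssumeRolePolicyDocument: { Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Action: "sts:AssumeRole", Principal: { Service: "codepipeline.amazonaws.com" } }] } } },
  devPipelineRoleDefaultPolicy: { Type: "AWS::IAM::Policy", Properties: { Roles: [{ Ref: "devPipelineRole5B29FEBC" }],
    PolicyDocument: { Version: "2012-10-17", Statement: [{ Effect: "Allow", Action: "sts:AssumeRole", Resource: actionRoleRef }] } } },
  devPipelineBuildCodePipelineActionRole8696D056: { Type: "AWS::IAM::Role", Properties: { AssumeRolePolicyDocument: {
    Version: "2012-10-17", Statement: [{ Effect: "Allow", Action: "sts:AssumeRole", Principal: { AWS: rootPrincipal } }] } } },
  devPipeline: { Type: "AWS::CodePipeline::Pipeline", Properties: { RoleArn: { "Fn::GetAtt": ["devPipelineRole5B29FEBC", "Arn"] },
    Stages: [{ Name: "Build", Actions: [{ Name: "Build", RunOrder: 1, RoleArn: actionRoleRef,
      ActionTypeId: { Category: "Build", Owner: "AWS", Provider: "CodeBuild", Version: "1" },
      Configuration: { ProjectName: "BuildAndTest" } }] }] } },
} };

export function demo() {
  const noGrant = JSON.parse(JSON.stringify(TEMPLATE));
  delete noGrant.Resources.devPipelineRoleDefaultPolicy;   // grant missing (or not yet propagated): the state CodePipeline rejects
  return {
    asSynthesized: checkPipeline(TEMPLATE, "devPipeline", CTX),           // []
    grantMissing: checkPipeline(noGrant, "devPipeline", CTX),             // one "pipeline role cannot assume ..." finding
    afterOverride: stripActionRoleArns(TEMPLATE, "devPipeline").dangling, // ["devPipelineBuildCodePipelineActionRole8696D056"]
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

Run it with ts-node. The "cannot assume" finding is what the template looks like to CodePipeline when the pipeline role's grant is absent, which is also how an unpropagated grant presents during the validation Adam describes; the list returned by stripActionRoleArns is exactly the set of roles the override leaves behind, which is why the roles keep showing up in the stack after the RoleArn entries are gone.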

Hey @subeshb1,

It looks like you found a good workaround, thank you for sharing. Unfortunately, I think since this is an issue with limited resource utilization in AWS Educate, we are limited in what actions we can take to mitigate this issue.

Is there anything else we can answer for this particular question?

@zgre Since you are not using an AWS Educate account, I think your problem is almost certainly different. If you are still struggling with this, could you provide a little more info? It may be a bug, in which case, it would be best to create a new issue to track it separately.

😸 😷

Thanks, @NGL321 The workaround covers my question. We can close this issue!

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
