Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CodePipeline: CloudFormation ExecuteChangeSet Action doesn't have correct permissions #3160

Closed
1 of 5 tasks
joshrp opened this issue Jul 2, 2019 · 2 comments · Fixed by #3178 or MechanicalRock/tech-radar#14 · May be fixed by MechanicalRock/cdk-constructs#5, MechanicalRock/cdk-constructs#6 or MechanicalRock/cdk-constructs#7
Closed
1 of 5 tasks

CodePipeline: CloudFormation ExecuteChangeSet Action doesn't have correct permissions #3160

joshrp opened this issue Jul 2, 2019 · 2 comments · Fixed by #3178 or MechanicalRock/tech-radar#14 · May be fixed by MechanicalRock/cdk-constructs#5, MechanicalRock/cdk-constructs#6 or MechanicalRock/cdk-constructs#7
Labels
@aws-cdk/aws-codepipeline Related to AWS CodePipeline bug This issue is a bug.

Comments

@joshrp
Copy link
Contributor

joshrp commented Jul 2, 2019
edited
Loading

Note: for support questions, please first reference our documentation, then use Stackoverflow. This repository's issues are intended for feature requests and bug reports.

  • I'm submitting a ...

    • 🪲 bug report
    • 🚀 feature request
    • 📚 construct library gap
    • ☎️ security issue or vulnerability => Please see policy
    • ❓ support request => Please see note at the top of this template.

  • What is the current behavior?

pipeline.addStage({
  stageName: "DeployStack",
  actions: [
    new pipeActions.CloudFormationExecuteChangeSetAction({
      actionName: "Deploy",
      stackName: "myStack-" + stage,
      changeSetName: stage + '-deployment',
      output: deployArtifact
    })
  ]
});

The default role for a CloudFormationExecuteChangeSetAction will only be created with cloudformation:ExecuteChangeSet permission. This errors when ran in CodePipeline with a permissions error for the cloudformation:DescribeStacks permission.

See: https://github.com/awslabs/aws-cdk/blob/master/packages/@aws-cdk/aws-codepipeline-actions/lib/cloudformation/pipeline-actions.ts#L121

  • What is the expected behavior (or behavior of feature suggested)?
    The ExecuteChangeSet Action Default Role needs cloudformation:DescribeStacks and cloudformation:DescribeChangeSet on the {stack}/* resource to be able to deploy.

  • Please tell us about your environment:

    • CDK CLI Version: 0.36.1
    • Module Version: 0.36.1
    • OS: all
    • Language: all

  • Other information
    This could be related to the recent change in: feat(codepipeline): generate a Role for every AWS-owned Action used in a Pipeline #3105 since the permission may have been available on the general role.
@joshrp joshrp added the needs-triage This issue or PR still needs to be triaged. label Jul 2, 2019
@skinny85
Copy link
Contributor

skinny85 commented Jul 2, 2019

Thanks for reporting this @joshrp . Let me try to reproduce on my end.

@skinny85
Copy link
Contributor

skinny85 commented Jul 2, 2019

Confirmed I was able to reproduce this. Working on a fix.

skinny85 added a commit to skinny85/aws-cdk that referenced this issue Jul 2, 2019
@skinny85
fix(codepipeline): grant missing permisisons to the CloudFormationExe…
f989919 
…cuteChangeSetAction.

Fixes aws#3160
@skinny85 skinny85 mentioned this issue Jul 2, 2019
Merged
skinny85 added a commit to skinny85/aws-cdk that referenced this issue Jul 2, 2019
@skinny85
fix(codepipeline): grant missing permisisons to the CloudFormationExe…
234cb81 
…cuteChangeSetAction.

Fixes aws#3160
skinny85 added a commit that referenced this issue Jul 2, 2019
@skinny85
fix(codepipeline): grant missing permisisons to the CloudFormationExe…
958acc2 
…cuteChangeSetAction. (#3178)

Fixes #3160
@skinny85 skinny85 added bug This issue is a bug. @aws-cdk/aws-codepipeline Related to AWS CodePipeline and removed needs-triage This issue or PR still needs to be triaged. labels Jul 3, 2019
Kaixiang-AWS pushed a commit to Kaixiang-AWS/aws-cdk that referenced this issue Jul 3, 2019
@skinny85 @Kaixiang-AWS
fix(codepipeline): grant missing permisisons to the CloudFormationExe…
488dc3d 
…cuteChangeSetAction. (aws#3178)

Fixes aws#3160
This was referenced Aug 22, 2019
Open
Open
Open
Open
Open
This was referenced Dec 12, 2019
Closed
Closed
Closed
Merged
Closed
Open
Open
Open
Open
Open
Open
Open
Open
This was referenced Jan 20, 2020
Closed
Closed
This was referenced Sep 24, 2024
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-codepipeline Related to AWS CodePipeline bug This issue is a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(codepipeline): grant missing permisisons to the CloudFormationExe… skinny85/aws-cdk
[Snyk] Upgrade @aws-cdk/aws-iam from 0.22.0 to 0.39.0 MechanicalRock/tech-radar
[Snyk] Upgrade @aws-cdk/aws-codebuild from 0.24.1 to 0.39.0 MechanicalRock/cdk-constructs
[Snyk] Upgrade @aws-cdk/aws-codepipeline from 0.24.1 to 0.39.0 MechanicalRock/cdk-constructs
[Snyk] Upgrade @aws-cdk/aws-s3 from 0.24.1 to 0.39.0 MechanicalRock/cdk-constructs
[Snyk] Upgrade @aws-cdk/aws-cloudfront from 0.15.2 to 0.39.0 MechanicalRock/cdk-products
[Snyk] Upgrade @aws-cdk/aws-codebuild from 0.15.2 to 0.39.0 MechanicalRock/cdk-products
[Snyk] Upgrade @aws-cdk/aws-codecommit from 0.15.2 to 0.39.0 MechanicalRock/cdk-products
[Snyk] Upgrade @aws-cdk/aws-codepipeline from 0.15.2 to 0.39.0 MechanicalRock/cdk-products
[Snyk] Upgrade @aws-cdk/aws-cloudformation from 0.0.0 to 0.39.0 NOUIY/aws-solutions-constructs
2 participants
@skinny85 @joshrp