Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CodePipeline: CloudFormation ExecuteChangeSet Action doesn't have correct permissions #3160

Closed
1 of 5 tasks
joshrp opened this issue Jul 2, 2019 · 2 comments · Fixed by #3178 or MechanicalRock/tech-radar#14 · May be fixed by MechanicalRock/cdk-constructs#5, MechanicalRock/cdk-constructs#6 or MechanicalRock/cdk-constructs#7
Labels
@aws-cdk/aws-codepipeline Related to AWS CodePipeline bug This issue is a bug.

Comments

@joshrp
Copy link
Contributor

joshrp commented Jul 2, 2019

Note: for support questions, please first reference our documentation, then use Stackoverflow. This repository's issues are intended for feature requests and bug reports.

  • I'm submitting a ...

    • 🪲 bug report
    • 🚀 feature request
    • 📚 construct library gap
    • ☎️ security issue or vulnerability => Please see policy
    • ❓ support request => Please see note at the top of this template.
  • What is the current behavior?

pipeline.addStage({
  stageName: "DeployStack",
  actions: [
    new pipeActions.CloudFormationExecuteChangeSetAction({
      actionName: "Deploy",
      stackName: "myStack-" + stage,
      changeSetName: stage + '-deployment',
      output: deployArtifact
    })
  ]
});

The default role for a CloudFormationExecuteChangeSetAction will only be created with cloudformation:ExecuteChangeSet permission. This errors when ran in CodePipeline with a permissions error for the cloudformation:DescribeStacks permission.

See: https://github.com/awslabs/aws-cdk/blob/master/packages/@aws-cdk/aws-codepipeline-actions/lib/cloudformation/pipeline-actions.ts#L121

  • What is the expected behavior (or behavior of feature suggested)?
    The ExecuteChangeSet Action Default Role needs cloudformation:DescribeStacks and cloudformation:DescribeChangeSet on the {stack}/* resource to be able to deploy.

  • Please tell us about your environment:

    • CDK CLI Version: 0.36.1
    • Module Version: 0.36.1
    • OS: all
    • Language: all
  • Other information
    This could be related to the recent change in: feat(codepipeline): generate a Role for every AWS-owned Action used in a Pipeline #3105 since the permission may have been available on the general role.

@joshrp joshrp added the needs-triage This issue or PR still needs to be triaged. label Jul 2, 2019
@skinny85
Copy link
Contributor

skinny85 commented Jul 2, 2019

Thanks for reporting this @joshrp . Let me try to reproduce on my end.

@skinny85
Copy link
Contributor

skinny85 commented Jul 2, 2019

Confirmed I was able to reproduce this. Working on a fix.

skinny85 added a commit to skinny85/aws-cdk that referenced this issue Jul 2, 2019
skinny85 added a commit to skinny85/aws-cdk that referenced this issue Jul 2, 2019
skinny85 added a commit that referenced this issue Jul 2, 2019
@skinny85 skinny85 added bug This issue is a bug. @aws-cdk/aws-codepipeline Related to AWS CodePipeline and removed needs-triage This issue or PR still needs to be triaged. labels Jul 3, 2019
Kaixiang-AWS pushed a commit to Kaixiang-AWS/aws-cdk that referenced this issue Jul 3, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment