(cli): CDK Pipeline in account bootstrapped with 1.110.0 (bootstrap version 7): S3 Access Denied #15307
Comments
Ah from a closer look at #15192 it seems like this allows for cross-account deployments but locks down same-account deployments :) |
Just tried deploying to a different account (with both bootstrapped with 1.110.0) and that worked ok :) ie. I updated

    pipeline.addPipelineStage(new PipelineStage(app, 'Dev', {
      env: {
        account: '<different_account_id>',
        region: 'us-west-2',
      },
    }));

So it does seem to only be when the target account for a pipeline stage is the same as the pipeline account :) |
I encountered the same issue both for new applications and old ones (previously working). |
I am getting this error |
I've tested it and looks like the problem is in condition:
In the
which is not really true in our case as there are no S3 resource policy statements allowing such access in So in my opinion to fix it we need to
OR
|
The statements need to go on the bucket. Can you share how you are
defining the pipeline?
On June 27, 2021, GitHub Notifications ***@***.***> wrote:

I've tested it and looks like the problem is in condition <https://github.com/aws/aws-cdk/commit/d04e28862a872ab90c00306193732c72a90c5e7c#diff-4fdac38426c4747aa17d515b01af4994d3d2f12c34f7b6655f24328259beb7bfR414>:

    Condition:
      StringNotEquals:
        s3:ResourceAccount:
          Ref: 'AWS::AccountId'
    - Sid: PipelineCrossAccountArtifactsKey

In the Prepare step of pipeline input artifacts (Artifact_Build_Synth) need to be downloaded from PipelineArtifactsBucket. Without this condition in IAM policy, the permissions were granted but with it, they are not anymore (for the account where the pipeline is deployed of course).

@rix0rrr <https://github.com/rix0rrr> wrote in his PR <#15192 (comment)-673444557>

> In-account bucket accesses are not directly permitted by the principal roles; however, in-account accesses are enabled by resource policy statements on the buckets themselves (which are sufficient to extend the required permissions to the principal).

which is not really true in our case as there are no S3 resource policy statements allowing such access in PipelineArtifactsBucket. So in my opinion to fix it we need to

* remove the above condition (but then the issue which caused the condition introduction will be still unsolved as DeploymentActionRole will still have access to all buckets in the target accounts)

OR

* add proper statements to the bucket policy of PipelineArtifactsBucket deployed in the same account as the pipeline.
|
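The quoted analysis above rests on how IAM combines an identity policy (the deploy role's statement with its StringNotEquals condition on s3:ResourceAccount) with a resource policy (the artifacts bucket's policy): a same-account request is allowed if either policy allows it, a cross-account request only if both do. The following is an added illustration, not code from aws-cdk or from anyone in this thread. It models only that rule and that one condition key; the account ids, bucket name, role name and action list are constructed assumptions, and real IAM evaluation (explicit Deny, SCPs, permission boundaries, other condition keys) is deliberately left out.

```python
"""Toy model of the IAM decision behind the "S3 Access Denied" in this thread.

Added illustration, not aws-cdk code. Models only: the deploy role's identity
policy with a StringNotEquals condition on s3:ResourceAccount, an optional
bucket (resource) policy, and the same-account ("either") versus cross-account
("both") combination rule. Explicit Deny, SCPs, permission boundaries and other
condition keys are not modelled.
"""
import fnmatch

# Constructed sample identifiers (assumptions, not values from the thread).
PIPELINE_ACCOUNT = "111111111111"
OTHER_ACCOUNT = "222222222222"
ARTIFACTS_BUCKET_ARN = "arn:aws:s3:::pipeline-artifacts-bucket"
ARTIFACT_OBJECT_ARN = ARTIFACTS_BUCKET_ARN + "/Artifact_Build_Synth/abc.zip"


def _matches(patterns, value):
    """IAM-style wildcard match; accepts a single string or a list of strings."""
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def statement_allows(stmt, action, resource_arn, resource_account):
    """True if an Allow statement covers action+resource and its condition holds.
    Only StringEquals / StringNotEquals on s3:ResourceAccount are modelled."""
    if stmt.get("Effect") != "Allow":
        return False
    if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource_arn):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if key != "s3:ResourceAccount":
                raise ValueError(f"condition key not modelled: {key}")
            if operator == "StringEquals" and resource_account != expected:
                return False
            if operator == "StringNotEquals" and resource_account == expected:
                return False
    return True


def is_allowed(identity_policy, bucket_policy, role_arn, role_account,
               action, resource_arn, resource_account):
    """Combine identity policy and bucket policy the way IAM does for S3."""
    identity_ok = any(statement_allows(s, action, resource_arn, resource_account)
                      for s in identity_policy["Statement"])
    bucket_ok = any(
        _matches(s.get("Principal", {}).get("AWS", []), role_arn)
        and statement_allows(s, action, resource_arn, resource_account)
        for s in (bucket_policy["Statement"] if bucket_policy else [])
    )
    if role_account == resource_account:
        return identity_ok or bucket_ok   # same account: either policy suffices
    return identity_ok and bucket_ok      # cross account: both must allow


def deploy_role_policy(role_account):
    """Shape of the statement quoted in the thread: S3 access only to buckets
    in *other* accounts ("Ref: AWS::AccountId" resolved to role_account)."""
    return {"Statement": [{
        "Sid": "PipelineCrossAccountArtifactsBucket",
        "Effect": "Allow",
        "Action": ["s3:GetObject*", "s3:GetBucket*", "s3:List*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"s3:ResourceAccount": role_account}},
    }]}


def artifacts_bucket_policy(role_arn):
    """The proposed fix: a resource-policy statement on the artifacts bucket
    that names the deploy role as principal."""
    return {"Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [role_arn]},
        "Action": ["s3:GetObject*", "s3:GetBucket*", "s3:List*"],
        "Resource": [ARTIFACTS_BUCKET_ARN, ARTIFACTS_BUCKET_ARN + "/*"],
    }]}


def prepare_step_allowed(role_account, bucket_policy_present):
    """Can the deploy role living in role_account read a synth artifact from
    the bucket that lives in the pipeline account?"""
    role_arn = f"arn:aws:iam::{role_account}:role/cdk-deploy-role"  # assumed name
    return is_allowed(
        deploy_role_policy(role_account),
        artifacts_bucket_policy(role_arn) if bucket_policy_present else None,
        role_arn, role_account,
        "s3:GetObject", ARTIFACT_OBJECT_ARN, PIPELINE_ACCOUNT,
    )


if __name__ == "__main__":
    print("same account, no bucket policy :", prepare_step_allowed(PIPELINE_ACCOUNT, False))
    print("same account, bucket policy    :", prepare_step_allowed(PIPELINE_ACCOUNT, True))
    print("cross account, bucket policy   :", prepare_step_allowed(OTHER_ACCOUNT, True))
```

Running it reproduces the thread's observation: with the target account equal to the pipeline account and no statement on the bucket, the Prepare step's read is denied, because the role's own statement excludes in-account buckets and nothing on the resource side fills the gap; adding the bucket-policy statement makes it pass, and the cross-account case passes as long as the bucket policy names the foreign role.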
https://github.com/czubocha/aws-cdk-pipelines-go-serverless/blob/master/cdk/pipeline.go |
Oh interesting. I have to say I'm confused. I have basically the same setup as that and in my case the permissions ARE added to the bucket. Can you share the template of the case where they aren't being added? |
Ah does it work for you with the repro steps I provided? |
I assume that the bucket policy should be created in the pipeline template. If so, I don't see it as well. To reproduce:

    git clone -b future https://github.com/alexpulver/aws-cdk-sam-chalice
    cd aws-cdk-sam-chalice
    python3.7 -m venv .venv
    source .venv/bin/activate
    ./scripts/install-deps.sh
    export AWS_ACCESS_KEY_ID="***"
    export AWS_SECRET_ACCESS_KEY="***"
    export AWS_SESSION_TOKEN="***"
    cdk --version # Currently set to 1.107.0
    cdk synth
    grep AWS::S3::BucketPolicy cdk.out/AwsCdkSamChalice-Pipeline.template.json
    vi package.json # Update to 1.110.0
    ./scripts/install-deps.sh
    cdk --version
    cdk synth
    grep AWS::S3::BucketPolicy cdk.out/AwsCdkSamChalice-Pipeline.template.json
|
iiiiiiiiiiiiiiinteresting.
https://github.com/rix0rrr/test-cicd/blob/master/lib/pipeline-stack.ts |
AHA! It breaks if you DO give an |
Faced this issue today. Is the recommended fix to remove the account from the stage itself? |
For now, yes. We will fix it shortly. |
…ployments A recent change to the default `deploy-role` policies required that the required permissions statements are added to the artifacts bucket instead. This happened to be working for stacks which had NO `account` env property set, but not for stacks that DID have an `account` property set which was the same as the pipeline's account property. Fixes #15307.
…ployments (#15348) A recent change to the default `deploy-role` policies required that the required permissions statements are added to the artifacts bucket instead. This happened to be working for stacks which had NO `account` env property set, but not for stacks that DID have an `account` property set which was the same as the pipeline's account property. Ultimately this was caused by an account comparison deep in the bowels of the Grants system, which happened to work out because in cases of mismatched accounts it would think there was a cross-account access and it was trying to add permissions to both principal and resource. But in this case, it's much more accurate to say that we can NEVER add permissions to the `deploy-role`, and instead always want the permissions added to the bucket (rather than dropping them). Fixes #15307. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Hi all, @rix0rrr I tried today to deploy a pipeline using the newly released version 1.111.0 and I can see the same S3 Access Denied error. I already tried to clean up/bootstrap again and no success. |
Reopening because multiple customers are still experiencing this issue in the latest version #15406 |
There are multiple causes for "S3 Access Denied". I saw someone mention in the other thread they deleted and recreated their bootstrap stack. Doing that will permanently break Pipelines. See the pipelines README on how to unbreak yourself in that situation |
That was my case, I followed the instructions in the README and it started to work. Sorry for the false alarm, and thanks! |
My case was that I upgraded CDK CLI but I didn't upgrade the CDK version in go.mod (I'm using Go bindings). Thanks for the fix, issue can be closed. |
My case was resolved by this after upgrading the Python CDK dependencies |
|
CDKPipeline fails with S3 Access Denied error when account has been bootstrapped with aws-cdk@1.110.0 (bootstrap version 7). If I downgrade my CDK CLI to 1.108.0, bootstrap again (bootstrap version 6) and push a change through the pipeline it completes successfully.
Reproduction Steps
Minimal cdk pipeline repo here: https://github.com/cogwirrel/minimal-cdk-pipeline-ts
npm i -g aws-cdk@1.110.0
cdk bootstrap
cdk deploy
git remote add cc codecommit://MyRepo (requires git-remote-codecommit)
git push cc mainline
Observe error in the pipeline:
What did you expect to happen?
Empty CDK Pipeline to deploy successfully
What actually happened?
"Prepare" step for the pipeline stage failed with an S3 Access Denied error.
Environment
Other
Possibly related to #15192 ?
This is 🐛 Bug Report