Crossacount role for pipeline issue #4125

Closed
amwill04 opened this issue Sep 18, 2019 · 4 comments
Labels: needs-triage This issue or PR still needs to be triaged.

@amwill04

Unsure if this is a bug or intended and I am misusing something. Unable to set up a cross-account pipeline role. This seems referenced in #49 but I am unable to get any of the 'hacks' to work and it seems closed.

Given the following roles on accountB with relevant policies:

  • arn:aws:iam::accountB:role/deployer
  • arn:aws:iam::accountB:role/crossaccount

On the pipeline action on accountA:

import { Role } from '@aws-cdk/aws-iam';
import { CloudFormationCreateUpdateStackAction } from '@aws-cdk/aws-codepipeline-actions';

// Role in accountB that CloudFormation assumes to create/update the stack
const deployerRole = Role.fromRoleArn(
    this,
    'DeployerAccount',
    `arn:aws:iam::accountB:role/deployer`
);

// Role in accountB that the pipeline assumes to run this action
const crossAccountRole = Role.fromRoleArn(
    this,
    'CrossAccount',
    `arn:aws:iam::accountB:role/crossaccount`
);

// Pipeline action
new CloudFormationCreateUpdateStackAction({
    ...,
    deploymentRole: deployerRole,
    role: crossAccountRole
})

will produce the following template, which will fail because it creates a policy and attaches it to a role that does not exist in this account.

  CrossAccountPolicy76F2CBCC:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: iam:PassRole
            Effect: Allow
            Resource: arn:aws:iam::accountB:role/deployer-policy
          - Action:
              - s3:GetObject*
              - s3:GetBucket*
              - s3:List*
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :s3:::ticker-services-journey-artifacts
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :s3:::ticker-services-journey-artifacts/*
          - Action:
              - cloudformation:CreateStack
              - cloudformation:DescribeStack*
              - cloudformation:GetStackPolicy
              - cloudformation:GetTemplate*
              - cloudformation:SetStackPolicy
              - cloudformation:UpdateStack
              - cloudformation:ValidateTemplate
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - ":cloudformation:"
                  - Ref: AWS::Region
                  - ":"
                  - Ref: AWS::AccountId
                  - :stack/services-journey-lambda-stack/*
        Version: "2012-10-17"
      PolicyName: CrossAccountPolicy76F2CBCC
      Roles:
        - crossaccount # This line here causes the issue

It is creating a policy with a role that does not exist.

@amwill04 amwill04 added the needs-triage This issue or PR still needs to be triaged. label Sep 18, 2019
@skinny85 skinny85 self-assigned this Sep 18, 2019
@skinny85
Contributor

Thanks for reporting @amwill04. I believe you're running into this issue: #3025. It was fixed in PR #3716. Can you confirm you're using version 1.8.0, which is the first version that PR was included in?

Thanks,
Adam

@amwill04
Author

Hey

Yeah, I am running 1.8.0.

Below is from the package-lock.json:

    "@aws-cdk/aws-codepipeline": {
      "version": "1.8.0",
      "resolved": "https://registry.npmjs.org/@aws-cdk/aws-codepipeline/-/aws-codepipeline-1.8.0.tgz",
      "integrity": "sha512-qdb3tMZa76tgZDNpy3J+H17dZ84M3eT3X7Otgi1VGm32gLcXFFBgbk5pYN39+Q9MIFapWoxjpebjqj5VBH8Kww==",
      "requires": {
        "@aws-cdk/aws-events": "^1.8.0",
        "@aws-cdk/aws-iam": "^1.8.0",
        "@aws-cdk/aws-kms": "^1.8.0",
        "@aws-cdk/aws-s3": "^1.8.0",
        "@aws-cdk/core": "^1.8.0"
      }
    },

Thanks!

@skinny85
Contributor

Ok. In the stack that you're importing these Roles into, did you specify the env property and give account: accountA in there?

@amwill04
Author

Ah! That's it. I thought it would get the account from the AWS credentials with the profile flag. I haven't run it, but from synth it now doesn't have that random ref there.

Was I just being slow and missing this in the docs?

Thanks for your help, really appreciated.
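The check below is an added example for this thread, not code from the issue or from the CDK project. It lints a synthesized CloudFormation template for the symptom reported above: an AWS::IAM::Policy whose Roles list names a role that is not defined in the same template (CDK only emits a literal role name, rather than a Ref to its own AWS::IAM::Role, for a role it did not create), which CloudFormation will then look for in the deploying account and fail on. It also encodes the resolution skinny85 points to: without env.account on the Stack there is no concrete account to compare an imported role's ARN against, so the function returns undefined instead of a yes/no answer. The sample templates are constructed for the example, the twelve-digit account IDs are made up, and the BROKEN_TEMPLATE is a trimmed copy of the template in the first post.

```typescript
// Added example for this thread, not code from the issue or from the CDK project.
// Account IDs and the two sample templates below are constructed for the example.

type CfnValue = string | number | boolean | null | CfnValue[] | { [key: string]: CfnValue };

interface CfnResource {
  Type: string;
  Properties?: { [key: string]: CfnValue };
}

interface CfnTemplate {
  Resources: { [logicalId: string]: CfnResource };
}

export interface Finding {
  policyId: string; // logical ID of the AWS::IAM::Policy
  roleRef: string;  // literal role name, or the unresolved intrinsic as JSON
}

/** Policies whose Roles entries do not point at an AWS::IAM::Role defined in the same template. */
export function findDanglingRoleAttachments(template: CfnTemplate): Finding[] {
  const ids = Object.keys(template.Resources);
  const localRoles = new Set(ids.filter((id) => template.Resources[id].Type === 'AWS::IAM::Role'));

  const findings: Finding[] = [];
  for (const logicalId of ids) {
    const resource = template.Resources[logicalId];
    if (resource.Type !== 'AWS::IAM::Policy') continue;
    const props = resource.Properties;
    const roles = props ? props.Roles : undefined;
    if (!Array.isArray(roles)) continue;

    for (const role of roles) {
      if (typeof role === 'string') {
        // Literal name: CloudFormation resolves it in the deploying account, where it may not exist.
        findings.push({ policyId: logicalId, roleRef: role });
      } else if (role !== null && typeof role === 'object' && !Array.isArray(role)) {
        // { Ref: X } is fine only if X is a role created in this template; anything else is flagged.
        const target = role.Ref;
        if (typeof target !== 'string' || !localRoles.has(target)) {
          findings.push({ policyId: logicalId, roleRef: JSON.stringify(role) });
        }
      }
    }
  }
  return findings;
}

/** Account ID embedded in an IAM role ARN (arn:partition:iam::ACCOUNT:role/name), or undefined. */
export function accountOfRoleArn(roleArn: string): string | undefined {
  const parts = roleArn.split(':');
  return parts.length >= 6 && parts[2] === 'iam' ? parts[4] : undefined;
}

/**
 * Whether an imported role lives in the stack's own account. Returns undefined when the
 * stack has no concrete account (env.account not set on the Stack): the comparison that
 * decides cross-account vs. local cannot be made at synth time in that case.
 */
export function roleIsInStackAccount(stackAccount: string | undefined, roleArn: string): boolean | undefined {
  const roleAccount = accountOfRoleArn(roleArn);
  if (stackAccount === undefined || roleAccount === undefined) return undefined;
  return stackAccount === roleAccount;
}

// Constructed sample: trimmed form of the template posted in the issue (accountB = 222222222222).
export const BROKEN_TEMPLATE: CfnTemplate = {
  Resources: {
    CrossAccountPolicy76F2CBCC: {
      Type: 'AWS::IAM::Policy',
      Properties: {
        PolicyName: 'CrossAccountPolicy76F2CBCC',
        PolicyDocument: {
          Version: '2012-10-17',
          Statement: [{ Action: 'iam:PassRole', Effect: 'Allow', Resource: 'arn:aws:iam::222222222222:role/deployer' }],
        },
        Roles: ['crossaccount'], // the line the reporter pointed at
      },
    },
  },
};

// Constructed sample of a healthy template: the policy attaches to a role created in the same stack.
export const HEALTHY_TEMPLATE: CfnTemplate = {
  Resources: {
    PipelineRole: {
      Type: 'AWS::IAM::Role',
      Properties: { AssumeRolePolicyDocument: { Version: '2012-10-17', Statement: [] } },
    },
    PipelineRolePolicy: {
      Type: 'AWS::IAM::Policy',
      Properties: {
        PolicyName: 'PipelineRolePolicy',
        PolicyDocument: { Version: '2012-10-17', Statement: [] },
        Roles: [{ Ref: 'PipelineRole' }],
      },
    },
  },
};
```

To use it on real output, read the JSON template that cdk synth writes under cdk.out/ for the stack, parse it, and fail the build if findDanglingRoleAttachments returns anything; a hit means either env.account is missing on the stack, as in this thread, or a policy is being attached to a role that has to be granted its permissions in the other account instead.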
