
Using imported code build project for CodeBuildAction results in "resource imported without a role" #4613

@Stompf

Description


I'm trying to use an imported CodeBuild project in a CodeBuildAction imported from @aws-cdk/aws-codepipeline-actions, but it results in an error: "Cannot get policy fragment of Stack/CodeBuild, resource imported without a role". My use case is that I want to use a CodeBuild project in a different AWS account in my code pipeline with a cross-account role.

Reproduction Steps

I have a cross-account role like this:

const deployRole = iam.Role.fromRoleArn(
    stack,
    `DeployRole`,
    `arn:aws:iam::${accountId}:role/DeployRole`,
    {
        mutable: false,
    },
);

This role is used for my CodeBuildAction in my pipeline:

const codeBuildProject = codebuild.PipelineProject.fromProjectName(
    stack,
    `CodeBuild`,
    'codeBuildProjectNameInAnotherAccount',
);

const buildAction = new codepipeline_actions.CodeBuildAction({
    actionName: 'CodeBuild',
    project: codeBuildProject,
    input: artifact,
    role: deployRole,
});

pipeline.addStage({
    stageName: `Build`,
    actions: [buildAction],
});

Now when running cdk synth I get the error.

Error Log

> cdk synth > template.yml

/node_modules/@aws-cdk/aws-iam/lib/unknown-principal.js:22
        throw new Error(`Cannot get policy fragment of ${this.resource.node.path}, resource imported without a role`);
        ^

Error: Cannot get policy fragment of Stack/CodeBuild, resource imported without a role
    at UnknownPrincipal.get policyFragment [as policyFragment] (/node_modules/@aws-cdk/aws-iam/lib/unknown-principal.js:22:15)
    at PolicyStatement.addPrincipals (/node_modules/@aws-cdk/aws-iam/lib/policy-statement.js:64:40)
    at new PolicyStatement (/node_modules/@aws-cdk/aws-iam/lib/policy-statement.js:27:14)
    at Function.addToPrincipalAndResource (/node_modules/@aws-cdk/aws-iam/lib/grant.js:68:27)
    at Import.grant (/node_modules/@aws-cdk/aws-kms/lib/key.js:63:26)
    at Import.grant (/node_modules/@aws-cdk/aws-s3/lib/bucket.js:247:32)
    at Import.grantRead (/node_modules/@aws-cdk/aws-s3/lib/bucket.js:140:21)
    at CodeBuildAction.bound (/node_modules/@aws-cdk/aws-codepipeline-actions/lib/codebuild/build-action.js:59:28)
    at CodeBuildAction.bind (/node_modules/@aws-cdk/aws-codepipeline-actions/lib/action.js:23:21)
    at Pipeline._attachActionToPipeline (/node_modules/@aws-cdk/aws-codepipeline/lib/pipeline.js:199:41)
Subprocess exited with error 1

Environment

  • CLI Version: 1.13.1
  • Framework Version: 1.13.1
  • OS: Ubuntu 18.04 LTS
  • Language: TypeScript

Other

It looks like the problem is that it tries to attach bucket policies to the UnknownPrincipal. If I uncomment options.bucket.grantRead(this.props.project); in /node_modules/@aws-cdk/aws-codepipeline-actions/lib/codebuild/build-action.js, the CloudFormation template is generated with no problems, and after deploying it the pipeline works. Is there a way to get around this issue without changing the source files?


This is 🐛 Bug Report
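The stack trace shows the failure originating in grantRead() on the artifact bucket (and, through it, the bucket's KMS key): a grant needs a principal it can name in a resource policy, and a project imported by name alone carries none. As an added example (not code from the issue or from the aws-cdk project, and with no CDK dependency), the TypeScript below models that check and builds the explicit bucket-policy and key-policy statements that the imported project's service role must get some other way when grantRead() cannot produce them. The role and key ARNs, account ids and function names are constructed placeholders.

```typescript
// Added example, not from the issue or the aws-cdk project. Models the "unknown principal"
// check and the minimal read grants a CodeBuild service role needs on pipeline artifacts.

type PrincipalRef =
  | { kind: "role"; roleArn: string }
  | { kind: "unknown"; path: string }; // what an import-by-name yields: no role to name

// A project imported by name only has no role, so nothing can be written into a policy for it.
function importedProjectPrincipal(nodePath: string, roleArn?: string): PrincipalRef {
  return roleArn ? { kind: "role", roleArn } : { kind: "unknown", path: nodePath };
}

// Account id is the fifth colon-separated field of an ARN (empty for S3 bucket ARNs).
function accountIdOfArn(arn: string): string {
  const parts = arn.split(":");
  if (parts.length < 6 || parts[0] !== "arn") throw new Error(`not an ARN: ${arn}`);
  return parts[4];
}

interface Statement {
  Effect: "Allow";
  Principal: { AWS: string };
  Action: string[];
  Resource: string | string[];
}

// Read-only actions, kept narrow: the build only needs to fetch input artifacts.
const ARTIFACT_READ_ACTIONS = ["s3:GetObject*", "s3:GetBucket*", "s3:List*"];
// The artifact bucket is KMS-encrypted, so the key policy must also admit the reader.
const KEY_READ_ACTIONS = ["kms:Decrypt", "kms:DescribeKey"];

// Resource-policy statements (pipeline account side) that let `principal` read artifacts.
// Fails the same way the issue describes when the principal cannot be named.
function artifactReadStatements(
  bucketArn: string,
  keyArn: string,
  principal: PrincipalRef,
): { bucket: Statement; key: Statement } {
  if (principal.kind === "unknown") {
    throw new Error(`Cannot get policy fragment of ${principal.path}, resource imported without a role`);
  }
  return {
    bucket: {
      Effect: "Allow",
      Principal: { AWS: principal.roleArn },
      Action: ARTIFACT_READ_ACTIONS,
      Resource: [bucketArn, `${bucketArn}/*`],
    },
    key: {
      Effect: "Allow",
      Principal: { AWS: principal.roleArn },
      Action: KEY_READ_ACTIONS,
      Resource: keyArn,
    },
  };
}

// Cross-account reads need both halves: the resource policies above in the pipeline
// account AND an identity policy on the role in its own account. Same-account roles
// need only one side, so callers should know which case they are in.
function isCrossAccount(pipelineAccountId: string, principal: PrincipalRef): boolean {
  if (principal.kind === "unknown") return false;
  return accountIdOfArn(principal.roleArn) !== pipelineAccountId;
}

// Constructed sample values (placeholders, not real accounts).
const sampleRole = importedProjectPrincipal(
  "Stack/CodeBuild",
  "arn:aws:iam::222222222222:role/CodeBuildServiceRole",
);
const sampleStatements = artifactReadStatements(
  "arn:aws:s3:::pipeline-artifacts-placeholder",
  "arn:aws:kms:us-east-1:111111111111:key/placeholder-key-id",
  sampleRole,
);
console.log(JSON.stringify(sampleStatements, null, 2));
console.log("cross-account:", isCrossAccount("111111111111", sampleRole));
```

When the grantRead() call is removed as described above, nothing is written into the bucket or key policy at all; the pipeline only works because the other account's role already has the access it needs. The two statements this block produces, plus the matching identity policy on that role, are what should exist explicitly in that case, so that the cross-account read is deliberate and reviewable rather than implicit.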
