Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generated permissions insufficient to deploy to Lambda #5183

Closed
lennartcl opened this issue Nov 25, 2019 · 11 comments · Fixed by #5190
Closed

Generated permissions insufficient to deploy to Lambda #5183

lennartcl opened this issue Nov 25, 2019 · 11 comments · Fixed by #5190
Assignees
@skinny85
Labels
@aws-cdk/aws-codepipeline Related to AWS CodePipeline bug This issue is a bug.

Comments

@lennartcl
Copy link

When I try to deploy to Lambda from a pipeline with a CloudFormationCreateUpdateStackAction action, the deployment fails due to insufficient permissions.

Reproduction Steps

  1. Follow https://docs.aws.amazon.com/cdk/latest/guide/codepipeline_example.html
  2. Pipeline will fail
  • Error shown is "UPDATE_FAILED Your access has been denied by S3, please make sure your request credentials have permission to GetObject for [...]. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; [...])"
  • Further inspection reveals that the KMS key used with the source code bucket doesn't whitelist the execution role for the Lambda function.

Workaround

Using the following class instead of CloudFormationCreateUpdateStackAction will grant the required permissions:

class FixedStackAction extends codepipeline_actions.CloudFormationCreateUpdateStackAction {
  bound(scope: any, stage: any, options: any): any {
    const result = super.bound(scope, stage, options);
    options.bucket.grantRead((this as any)._deploymentRole);
    return result;
  }
}

Suggested fix

Review adding grantRead() to CloudFormationCreateUpdateStackAction as appropriate.
@lennartcl lennartcl added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 25, 2019
@skinny85 skinny85 self-assigned this Nov 25, 2019
@skinny85
Copy link
Contributor

Hey @lennartcl ,

thanks for opening the issue. What version of the CDK you got this problem with?

Thanks,
Adam

@lennartcl
Copy link
Author

@skinny85 I've seen this with versions 16.1 through 17.1. Haven't tried with older versions.

@skinny85
Copy link
Contributor

Can you show the CloudFormationCreateUpdateStackAction code that is causing this error during deployment?

@lennartcl
Copy link
Author

The issue seems to be that grantRead() is only called in cross-account scenarios in pipeline-actions.ts#L282-L286. By doing that even when (roleStack.account === pipelineStack.account), we can make sure that the KMS key gets the execution role in its policy.

@SomayaB SomayaB added @aws-cdk/aws-codepipeline Related to AWS CodePipeline response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Nov 25, 2019
@skinny85
Copy link
Contributor

You're correct, I've managed to reproduce the problem. I'll be working on a fix.

@skinny85 skinny85 removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 25, 2019
skinny85 added a commit to skinny85/aws-cdk that referenced this issue Nov 26, 2019
@skinny85
fix(codepipeline): CloudFormation deployment role always gets pipelin…
66e6bb6 
…e bucket and key permissions

Previously, we only explicitly granted the CloudFormation CodePipeline action deployment role access to the pipeline bucket
(and, by extension, its KMS key)
when the action was deploying into a different account.
However, that meant in the single account case,
if the pipeline had a key defined,
the role would never be added to the key's policy,
and any deployment requiring access to the artifacts bucket
(like a Lambda function) would fail.
This fixes the bug by always granting the deployment role permissions to the pipeline bucket (and thus the key as well).

Fixes aws#5183
@skinny85 skinny85 mentioned this issue Nov 26, 2019
Merged
@mergify mergify bot closed this as completed in #5190 Nov 26, 2019
mergify bot pushed a commit that referenced this issue Nov 26, 2019
@skinny85 @mergify
fix(codepipeline): CloudFormation deployment role always gets pipelin…
d5c0f3e 
…e bucket and key permissions (#5190)

Previously, we only explicitly granted the CloudFormation CodePipeline action deployment role access to the pipeline bucket
(and, by extension, its KMS key)
when the action was deploying into a different account.
However, that meant in the single account case,
if the pipeline had a key defined,
the role would never be added to the key's policy,
and any deployment requiring access to the artifacts bucket
(like a Lambda function) would fail.
This fixes the bug by always granting the deployment role permissions to the pipeline bucket (and thus the key as well).

Fixes #5183
@greenpau
Copy link

I am running into this issue too. I have a pipeline that manages objects via CloudFormation across multiple accounts in AWS Organizations.

When a CloudFormation in subordinate account tries accessing S3 bucket with artifacts, I see the following CloudWatch Log entry.

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AWSAccount",
        "principalId": "ARAAZZ5BACO6CCB5XLZAS:1577238726275",
        "accountId": "SUBORDINATE_ACCOUNT_ID",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2019-12-25T01:52:06Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "GetObject",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "10.246.100.101",
    "userAgent": "[CloudFormation CodePipeline Action, aws-internal/3 aws-sdk-java/1.11.534 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.202-b08 java/1.8.0_202 vendor/Oracle_Corporation]",
    "errorCode": "AccessDenied",
    "errorMessage": "Access Denied",
    "recipientAccountId": "CODEPIPELINE_ACCOUNT_ID"
}

I had to grant the following S3 bucket permission for cross-account access. I don't like to do it, but that is a solution. Is there another way to permit it? 🤔 I don't like using "Principal": "*" in the statement.

        {
            "Sid": "Allow Access By Anyone in AWS Organization",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::MYBUCKETNAME/*",
                "arn:aws:s3:::MYBUCKETNAME/*/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "o-MYORGID"
                }
            }
        }

@solshark
Copy link

I'm trying to deploy stack within same account with adminPermissions: true and also facing same issue.

Version 1.19.0 (build 5597bbe)

@moofish32 moofish32 mentioned this issue Dec 29, 2019
Merged
@skinny85
Copy link
Contributor

Yep, this fix will be part of version 1.20.0, which should be released this week.

@solshark
Copy link

Looking very much forward.

@solshark
Copy link

solshark commented Jan 7, 2020

Any news here?

@skinny85
Copy link
Contributor

skinny85 commented Jan 7, 2020

We have a release happening as we speak, please be patient a little while longer!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@skinny85 skinny85

Labels
@aws-cdk/aws-codepipeline Related to AWS CodePipeline bug This issue is a bug.
Projects
None yet
Milestone
No milestone
5 participants
@solshark @skinny85 @lennartcl @greenpau @SomayaB