Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(codepipeline): CloudFormation deployment role always gets pipeline bucket and key permissions #5190

Merged
merged 1 commit into from
Nov 26, 2019
Merged

fix(codepipeline): CloudFormation deployment role always gets pipeline bucket and key permissions #5190

merged 1 commit into from
Nov 26, 2019

Conversation

skinny85
Copy link
Contributor

Previously, we only explicitly granted the CloudFormation CodePipeline action deployment role access to the pipeline bucket
(and, by extension, its KMS key)
when the action was deploying into a different account.
However, that meant in the single account case,
if the pipeline had a key defined,
the role would never be added to the key's policy,
and any deployment requiring access to the artifacts bucket
(like a Lambda function) would fail.
This fixes the bug by always granting the deployment role permissions to the pipeline bucket (and thus the key as well).

Fixes #5183

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@skinny85
fix(codepipeline): CloudFormation deployment role always gets pipelin…
66e6bb6 
…e bucket and key permissions

Previously, we only explicitly granted the CloudFormation CodePipeline action deployment role access to the pipeline bucket
(and, by extension, its KMS key)
when the action was deploying into a different account.
However, that meant in the single account case,
if the pipeline had a key defined,
the role would never be added to the key's policy,
and any deployment requiring access to the artifacts bucket
(like a Lambda function) would fail.
This fixes the bug by always granting the deployment role permissions to the pipeline bucket (and thus the key as well).

Fixes aws#5183
@skinny85 skinny85 requested a review from shivlaks November 26, 2019 02:49
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Nov 26, 2019
@mergify
Copy link
Contributor

mergify bot commented Nov 26, 2019

Thanks so much for taking the time to contribute to the AWS CDK ❤️

We will shortly assign someone to review this pull request and help get it
merged. In the meantime, please take a minute to make sure you follow this
checklist:

  • PR title type(scope): text
    • type: fix, feat, refactor go into CHANGELOG, chore is hidden
    • scope: name of module without aws- or cdk- prefix or postfix (e.g. s3 instead of aws-s3-deployment)
    • text: use all lower-case, do not end with a period, do not include issue refs
  • PR Description
    • Rationale: describe rationale of change and approach taken
    • Issues: indicate issues fixed via: fixes #xxx or closes #xxx
    • Breaking?: last paragraph: BREAKING CHANGE: <describe what changed + link for details>
  • Testing
    • Unit test added. Prefer to add a new test rather than modify existing tests
    • CLI or init templates change? Re-run/add CLI integration tests
  • Documentation
    • README: update module README to describe new features
    • API docs: public APIs must be documented. Copy from official AWS docs when possible
    • Design: for significant features, follow design process

@skinny85 skinny85 self-assigned this Nov 26, 2019
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Contributor

mergify bot commented Nov 26, 2019

Thank you for contributing! Your pull request is now being automatically merged.

@mergify mergify bot merged commit d5c0f3e into aws:master Nov 26, 2019
@skinny85 skinny85 deleted the fix/codepipeline-lambda-permissions branch November 26, 2019 03:20
@lukehedger
Copy link
Contributor

Hey @skinny85 - I just ran into this bug and found the issue/PR here. When do you think this fix will land in a release? I am wondering whether to put in a workaround or wait for the next version to include this. Thanks

@skinny85
Copy link
Contributor Author

@lukehedger it will be part of CDK version 1.19.0, which will be released 2 weeks from now (we're not having a release next week because of re:Invent). Hope this helps you make a decision!

@skinny85 skinny85 mentioned this pull request Nov 27, 2019
Closed
@lukehedger
Copy link
Contributor

Thanks @skinny85, that's good to know. I've used the workaround described here #5183 (comment) for now and will watch out for the release.

@moofish32 moofish32 mentioned this pull request Dec 29, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shivlaks shivlaks shivlaks approved these changes

Assignees

@skinny85 skinny85

Labels
contribution/core This is a PR that came from AWS.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Generated permissions insufficient to deploy to Lambda
4 participants
@skinny85 @aws-cdk-automation @lukehedger @shivlaks