[pipelines] add custom PolicyStatement to the ShellScriptAction #9600
Comments
@am29d I have a question, is it possible to use the `myAction.project.addToRolePolicy(myPolicyStatement);` Even if this was a solution though, I could still see the value in adding an extra method for adding the role since it makes the mental model a bit simpler. (I'm also a bit new to CodePipelines so forgive me if I'm misunderstanding the issue 😅)
Hi @Chriscbr, you are absolutely correct! The project object can be accessed via the action, but I would have never found it. As you said, from the mental model I would expect to use the method from the action. Important catch, make sure to add the action to the project first, and then add the policy, otherwise you will end up with an error that the stage does not have any actions:

```ts
import { Effect, PolicyStatement } from '@aws-cdk/aws-iam';
import { ShellScriptAction } from '@aws-cdk/pipelines';

// `pipeline` and `sourceArtifact` are defined elsewhere in the stack.
const buildStage = pipeline.addStage('BuildStage');
const shellScriptAction = new ShellScriptAction({
  actionName: "shellScriptAction",
  commands: [
    "echo foo"
  ],
  additionalArtifacts: [sourceArtifact],
  runOrder: buildStage.nextSequentialRunOrder()
});
// Add the action to the stage first ...
buildStage.addActions(shellScriptAction);
// ... then attach the statement to the role of the underlying project.
shellScriptAction.project.addToRolePolicy(new PolicyStatement({
  effect: Effect.ALLOW,
  actions: [
    "s3:PutObject"
  ],
  resources: ["*"]
}));
```

I have also tested it with multiple actions and Thanks a lot for the hint, @Chriscbr!
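The statement in the comment above allows `s3:PutObject` on `resources: ["*"]`. As an added example (not code from this thread or from the CDK project), the following TypeScript scans a synthesized CloudFormation template for Allow statements with a wildcard resource or action; the template contents, logical IDs and bucket name are constructed for illustration.

```typescript
// Added example: flags Allow statements with a wildcard Resource or Action in
// the AWS::IAM::Policy resources of a synthesized CloudFormation template.
type Scalar = string | Record<string, unknown>; // literal or intrinsic (Ref, Fn::Join, ...)
interface Statement { Effect: string; Action: Scalar | Scalar[]; Resource?: Scalar | Scalar[]; }
interface Template { Resources: Record<string, { Type: string; Properties?: any }>; }
interface Finding { logicalId: string; actions: string[]; reason: string; }

// A single Action/Resource may be a plain value instead of a list; normalize.
const toList = (v: Scalar | Scalar[] | undefined): Scalar[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

function findBroadStatements(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== "AWS::IAM::Policy") continue;
    const statements = (res.Properties?.PolicyDocument?.Statement ?? []) as Statement[];
    for (const st of statements) {
      if (st.Effect !== "Allow") continue;
      // Intrinsics (objects) resolve at deploy time; only literal strings are checked.
      const actions = toList(st.Action).filter((a): a is string => typeof a === "string");
      const resources = toList(st.Resource).filter((r): r is string => typeof r === "string");
      if (resources.includes("*")) {
        findings.push({ logicalId, actions, reason: "wildcard resource" });
      } else if (actions.some((a) => a === "*" || a.endsWith(":*"))) {
        findings.push({ logicalId, actions, reason: "wildcard action" });
      }
    }
  }
  return findings;
}

// Constructed sample: the general shape of role policies in a synthesized template.
// Logical IDs and the bucket name are made up for illustration.
const sampleTemplate: Template = {
  Resources: {
    BroadPolicy: { Type: "AWS::IAM::Policy", Properties: { PolicyDocument: { Statement: [
      { Effect: "Allow", Action: "s3:PutObject", Resource: "*" },
    ] } } },
    ScopedPolicy: { Type: "AWS::IAM::Policy", Properties: { PolicyDocument: { Statement: [
      { Effect: "Allow", Action: ["s3:PutObject"], Resource: "arn:aws:s3:::example-artifact-bucket/*" },
      { Effect: "Allow", Action: "s3:*", Resource: { "Fn::GetAtt": ["Bucket", "Arn"] } },
    ] } } },
    Project: { Type: "AWS::CodeBuild::Project" },
  },
};

console.log(findBroadStatements(sampleTemplate));
```
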
Allow more control over the IAM permissions for the execution role of a `ShellScriptAction`. Statements can be added at construction time, the object can also be used as a Grantable. Fixes #9600.
Did you find that out in the meantime? I'm having the same issue
@michaelfecher no, circled back to it a couple of times when I've had a spare 15 mins but haven't cracked it yet.
@michaelfecher I have just stumbled upon this nice workshop that guides you through a cross account deployment with CDK, take a look: https://github.com/aws-samples/aws-cross-account-cicd-pipeline
@brianfoody This is actually the solution to many cross-account pipeline actions (e.g. this one). In my case deploying a webapp to S3 and creating a cloudformation invalidation. IMHO this "pattern" should be referenced in the pipelines docs, so thanks for that!
Hi,
I have used the new pipeline constructs recently and added a custom stage with a `ShellScriptAction` and custom `sam` cli commands such as `sam package` and `sam publish`. The issue I have encountered is that it is not easy to add custom `PolicyStatement` to the role, that is associated with the stage. Given the nature of a `ShellScriptAction` to be generic step in a pipeline running bash commands, it would be great to pass a specific IAM `PolicyStatement` to a corresponding action role.
I have found a way to do that, but this is not an easy task, this is how it resolved now:
As you can see this is not an easy way to fetch the stage and the `PipelineProject` construct that is nested within the tree. Furthermore, I have to loop through the children, because in some cases there is a `Role` and a `PipelineProject` construct.
Proposed Solution
it would be great to add a policy statement directly to an action i.e.:
Other
Pinging @webdog as per request.
This is a 🚀 Feature Request