
CodeCommitSourceAction cannot decrypt S3 #3170

Closed
chernando opened this issue Jul 2, 2019 · 1 comment · Fixed by #3175 or MechanicalRock/tech-radar#14 · May be fixed by MechanicalRock/cdk-constructs#5, MechanicalRock/cdk-constructs#6 or MechanicalRock/cdk-constructs#7
Labels
@aws-cdk/aws-codepipeline Related to AWS CodePipeline bug This issue is a bug.

Comments

@chernando

  • I'm submitting a ...

    • 🪲 bug report
    • 🚀 feature request
    • 📚 construct library gap
    • ☎️ security issue or vulnerability => Please see policy
    • ❓ support request => Please see note at the top of this template.
  • What is the current behavior?

With this example:

    import * as cdk from "@aws-cdk/core";
    import * as codecommit from "@aws-cdk/aws-codecommit";
    import * as codepipeline from "@aws-cdk/aws-codepipeline";
    import * as codepipelineActions from "@aws-cdk/aws-codepipeline-actions";

    export class PipelineStack extends cdk.Stack {
      constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
        super(scope, id, props);

        const repository = new codecommit.Repository(this, "Repository", {
          repositoryName: "Repository", // RepositoryProps requires a name
        });

        // No artifactBucket is passed, so the Pipeline creates its own
        // artifact bucket, encrypted with a KMS key it also creates.
        const pipeline = new codepipeline.Pipeline(this, "Pipeline");

        const sourceOutput = new codepipeline.Artifact();

        pipeline.addStage({
          stageName: "Source",
          actions: [
            // The action's auto-created Role writes the repository
            // contents into the encrypted artifact bucket.
            new codepipelineActions.CodeCommitSourceAction({
              actionName: "CodeCommit",
              output: sourceOutput,
              repository,
            }),
          ],
        });
      }
    }

The default S3 bucket for sourceOutput (codepipeline.Artifact) is encrypted. When the pipeline executes, it fails with:

The process to upload the contents of the AWS CodeCommit repository failed 

Reviewing CloudTrail:

{
    "eventVersion": "1.05",
    "userIdentity": {
        ...
        "invokedBy": "codepipeline.amazonaws.com"
    },
    "eventTime": "2019-07-02T11:11:19Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "eu-central-1",
    "sourceIPAddress": "codepipeline.amazonaws.com",
    "userAgent": "codepipeline.amazonaws.com",
    "errorCode": "AccessDenied",
    "errorMessage": "User: arn:aws:sts::XXX:assumed-role/Stack-PipelineSourceCodeCommitCodePipelineAct-QTAD32GUAUO5/1562065878283 is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:eu-central-1:XXX:key/XXX",
    "requestParameters": null,
    "responseElements": null,
    "eventType": "AwsApiCall",
}
  • What is the expected behavior (or behavior of feature suggested)?

It should just work 😇

I've just modified source-action.ts to grant read:

diff --git i/packages/@aws-cdk/aws-codepipeline-actions/lib/codecommit/source-action.ts w/packages/@aws-cdk/aws-codepipeline-actions/lib/codecommit/source-action.ts
index 9cc1793a..d7760497 100644
--- i/packages/@aws-cdk/aws-codepipeline-actions/lib/codecommit/source-action.ts
+++ w/packages/@aws-cdk/aws-codepipeline-actions/lib/codecommit/source-action.ts
@@ -92,6 +92,7 @@ export class CodeCommitSourceAction extends Action {
     // the Action will write the contents of the Git repository to the Bucket,
     // so its Role needs write permissions to the Pipeline Bucket
     options.bucket.grantWrite(options.role);
+    options.bucket.grantRead(options.role);

     // https://docs.aws.amazon.com/codecommit/latest/userguide/auth-and-access-control-permissions-reference.html#aa-acp
     options.role.addToPolicy(new iam.PolicyStatement({

and it works correctly.

  • Please tell us about your environment:

    • CDK CLI Version:
    ├── @aws-cdk/aws-codebuild@0.36.1
    ├── @aws-cdk/aws-codecommit@0.36.1
    ├── @aws-cdk/aws-codepipeline@0.36.1
    ├── @aws-cdk/aws-codepipeline-actions@0.36.1
    ├── @aws-cdk/aws-events-targets@0.36.1
    ├── @aws-cdk/aws-sns@0.36.1
    ├── @aws-cdk/aws-sns-subscriptions@0.36.1
    ├── @aws-cdk/core@0.36.1
    ├── @types/node@8.10.45
    ├── aws-cdk@0.36.1
    ├── source-map-support@0.5.12
    ├── ts-node@8.3.0
    └── typescript@3.5.2
    
    • OS: OSX Mojave
    • Language: TypeScript
@chernando chernando added the needs-triage This issue or PR still needs to be triaged. label Jul 2, 2019
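The failure reported above reduces to one question about the synthesized template: does the Role that writes into the SSE-KMS artifact bucket also hold kms:Decrypt on that bucket's key? The following is an added example, not code from this issue or from the aws-cdk project, that runs exactly that check over a CloudFormation template of the kind `cdk synth` prints. The two templates embedded in it are hand-constructed to mirror the shapes CDK emits for `bucket.grantWrite(role)` on an encrypted bucket; the logical ids (ArtifactBucket, ArtifactKey, SourceRole, SourceRolePolicy) are made up, and the check only reads Allow statements in AWS::IAM::Policy resources, ignoring key policies and managed policies.

```typescript
// Added example (not code from this issue or from the aws-cdk project): lint a
// synthesized CloudFormation template for IAM roles that may PutObject into an
// SSE-KMS bucket without being allowed kms:Decrypt on that bucket's key.
// Assumed scope: only Allow statements in AWS::IAM::Policy resources are read.
type Json = any;
interface Template { Resources: { [id: string]: Json }; }
interface Finding { role: string; bucket: string; key: string; }
interface Grant { actions: string[]; ids: string[]; }
function asList(v: Json): Json[] { return v == null ? [] : Array.isArray(v) ? v : [v]; }

// Logical ids referenced anywhere in a value through Ref or Fn::GetAtt; other
// intrinsics (e.g. the Fn::Join that builds "<bucket arn>/*") are walked through.
function referencedIds(v: Json, acc: string[] = []): string[] {
  if (Array.isArray(v)) { v.forEach(function (x) { referencedIds(x, acc); }); }
  else if (v && typeof v === "object") {
    if (typeof v.Ref === "string") acc.push(v.Ref);
    else if (Array.isArray(v["Fn::GetAtt"])) acc.push(v["Fn::GetAtt"][0]);
    else Object.keys(v).forEach(function (k) { referencedIds(v[k], acc); });
  }
  return acc;
}

// IAM action patterns may carry "*" ("s3:PutObject*", "kms:*"); match them as globs.
function actionMatches(pattern: string, action: string): boolean {
  const re = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + re + "$", "i").test(action);
}

// bucket logical id -> key logical id, for every bucket whose default SSE is aws:kms.
function kmsBuckets(t: Template): { [bucket: string]: string } {
  const out: { [bucket: string]: string } = {};
  Object.keys(t.Resources).forEach(function (id) {
    const r = t.Resources[id];
    if (r.Type !== "AWS::S3::Bucket" || !r.Properties || !r.Properties.BucketEncryption) return;
    asList(r.Properties.BucketEncryption.ServerSideEncryptionConfiguration).forEach(function (rule) {
      const d = rule.ServerSideEncryptionByDefault || {};
      const ids = d.SSEAlgorithm === "aws:kms" ? referencedIds(d.KMSMasterKeyID) : [];
      if (ids.length) out[id] = ids[0];
    });
  });
  return out;
}

// role logical id -> Allow statements attached to it through AWS::IAM::Policy.
function grantsByRole(t: Template): { [role: string]: Grant[] } {
  const out: { [role: string]: Grant[] } = {};
  Object.keys(t.Resources).forEach(function (id) {
    const r = t.Resources[id];
    if (r.Type !== "AWS::IAM::Policy" || !r.Properties) return;
    const roles = referencedIds(r.Properties.Roles);
    asList(r.Properties.PolicyDocument && r.Properties.PolicyDocument.Statement).forEach(function (st) {
      if (st.Effect !== "Allow") return;
      const g: Grant = { actions: asList(st.Action), ids: referencedIds(st.Resource) };
      roles.forEach(function (role) { (out[role] = out[role] || []).push(g); });
    });
  });
  return out;
}

function allows(gs: Grant[], action: string, id: string): boolean {
  return gs.some(function (g) { return g.ids.indexOf(id) >= 0 && g.actions.some(function (a) { return actionMatches(a, action); }); });
}

// A role that may write into a KMS bucket but not Decrypt with its key is the shape
// behind the AccessDenied on kms:Decrypt in the CloudTrail event quoted in the issue.
function rolesMissingDecrypt(t: Template): Finding[] {
  const buckets = kmsBuckets(t), grants = grantsByRole(t), findings: Finding[] = [];
  Object.keys(grants).forEach(function (role) {
    Object.keys(buckets).forEach(function (bucket) {
      const key = buckets[bucket];
      if (allows(grants[role], "s3:PutObject", bucket) && !allows(grants[role], "kms:Decrypt", key)) {
        findings.push({ role: role, bucket: bucket, key: key });
      }
    });
  });
  return findings;
}

// Constructed template (not cdk synth output; logical ids are made up) mirroring the
// failing stack: the source role may write to the artifact bucket and encrypt with
// its key, but was never granted kms:Decrypt on that key.
const BROKEN: Template = { Resources: {
  ArtifactKey: { Type: "AWS::KMS::Key", Properties: {} },
  ArtifactBucket: { Type: "AWS::S3::Bucket", Properties: { BucketEncryption: {
    ServerSideEncryptionConfiguration: [{ ServerSideEncryptionByDefault: {
      SSEAlgorithm: "aws:kms", KMSMasterKeyID: { "Fn::GetAtt": ["ArtifactKey", "Arn"] } } }] } } },
  SourceRole: { Type: "AWS::IAM::Role", Properties: {} },
  SourceRolePolicy: { Type: "AWS::IAM::Policy", Properties: {
    Roles: [{ Ref: "SourceRole" }],
    PolicyDocument: { Statement: [
      { Effect: "Allow", Action: ["s3:DeleteObject*", "s3:PutObject*", "s3:Abort*"],
        Resource: [{ "Fn::GetAtt": ["ArtifactBucket", "Arn"] },
                   { "Fn::Join": ["", [{ "Fn::GetAtt": ["ArtifactBucket", "Arn"] }, "/*"]] }] },
      { Effect: "Allow", Action: ["kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*"],
        Resource: { "Fn::GetAtt": ["ArtifactKey", "Arn"] } } ] } } } } };

// Same template once the role is additionally allowed kms:Decrypt on the key.
const FIXED: Template = JSON.parse(JSON.stringify(BROKEN));
FIXED.Resources.SourceRolePolicy.Properties.PolicyDocument.Statement[1].Action.push("kms:Decrypt");
// rolesMissingDecrypt(BROKEN) -> [{ role: "SourceRole", bucket: "ArtifactBucket", key: "ArtifactKey" }]
// rolesMissingDecrypt(FIXED)  -> []
```

To use it on a real stack, load the JSON that `cdk synth` writes for the stack (for example from `cdk.out`) into `rolesMissingDecrypt`; an empty result means every role that can write into a KMS-encrypted bucket can also decrypt with its key. Because the check resolves resources through Ref and Fn::GetAtt only, a policy that names the key or bucket by a literal ARN string would not be matched and should be handled separately.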
@skinny85 (Contributor) commented Jul 2, 2019

Hey @chernando,

thanks for opening this issue! I confirm I was able to reproduce the issue on my side. Fix incoming.

Thanks,
Adam

@skinny85 skinny85 added bug This issue is a bug. @aws-cdk/aws-codepipeline Related to AWS CodePipeline and removed needs-triage This issue or PR still needs to be triaged. labels Jul 2, 2019
skinny85 added a commit to skinny85/aws-cdk that referenced this issue Jul 2, 2019
skinny85 added a commit to skinny85/aws-cdk that referenced this issue Jul 2, 2019
eladb pushed a commit that referenced this issue Jul 3, 2019
Kaixiang-AWS pushed a commit to Kaixiang-AWS/aws-cdk that referenced this issue Jul 3, 2019