v1.6.1
What's Changed
Manual actions required
ONLY if you are upgrading!
In the first run the CodePipeline will fail in the CDK Synth stage if no additional changes are made:
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::111111111111:assumed-role/SOME ROLE/... is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::222222222222:role/cdk-hnb659fds-lookup-role-22222222222-eu-west-1
CodeBuild needs additional permissions to assume the IAM role in the CDK Synth stage. Since we cannot update this CodeBuild stage without running it, the permissions need to be added manually.
Upgrading from V1.6.0 to v1.6.1
The role that we need to update is named <PREFIX>-<GITBRANCH>-codebuild-baseline-role. Its name appears in the error message in the CodeBuild logs.
- Go to the IAM role (<PREFIX>-<GITBRANCH>-codebuild-baseline-role) and click on Add permissions > Create inline policy.
The policy of the CodeBuild execution role needs to include the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::*:role/cdk-hnb659fds-lookup-role*"
        }
    ]
}
- After the pipeline has successfully run, go back to the IAM role and remove the manually added policy. The policy is now added as part of infrastructure as code.
Upgrading from <V1.6.0 to v1.6.1
The error points at a different role: a role created by CDK that looks like the following in the CodeBuild logs:
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts:::111111111111:assumed-role/dataall-sbx8-cicd-stack-dataallsbx8cdkpipelinePipe-HMXY7D9OX4FM/AWSCodeBuild-30c50765-4529-4d20-99ce-88f82139a82c is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::22222222222:role/cdk-hnb659fds-lookup-role-22222222222-eu-west-1
Find the role and update it as explained in the "Upgrading from V1.6.0 to v1.6.1" section.
Once that is done, retry the CodeBuild Synth stage. In this case you do NOT need to clean up the manually added policies, as this role will be deleted.
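The same manual steps scripted with boto3, as an added example that is not part of these release notes: it reads the role to patch from the AccessDenied line in the CodeBuild log, attaches the policy above as an inline policy, and removes it again once the pipeline has succeeded. The policy name `temp-cdk-lookup-assume`, the function names and the sample log line are assumptions made for this example.

```python
import json
import re

# AccessDenied line as botocore prints it in the CodeBuild log (tolerates "sts:::").
_DENIED = re.compile(
    r"User: arn:aws:sts:+\d+:assumed-role/(?P<role>[^/]+)/\S+ is not authorized "
    r"to perform: sts:AssumeRole on resource: "
    r"(?P<target>arn:aws:iam::\d+:role/cdk-hnb659fds-lookup-role\S*)"
)
POLICY_NAME = "temp-cdk-lookup-assume"  # hypothetical inline policy name
PAGE_RESOURCE = "arn:aws:iam::*:role/cdk-hnb659fds-lookup-role*"  # as in the notes

# Constructed sample, modelled on the log lines quoted above.
SAMPLE = (
    "botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling "
    "the AssumeRole operation: User: arn:aws:sts::111111111111:assumed-role/"
    "myprefix-main-codebuild-baseline-role/AWSCodeBuild-0000 is not authorized to "
    "perform: sts:AssumeRole on resource: "
    "arn:aws:iam::222222222222:role/cdk-hnb659fds-lookup-role-222222222222-eu-west-1"
)

def role_to_patch(log_line):
    """Return (role name to edit, lookup role ARN it was denied on), or None."""
    m = _DENIED.search(log_line)
    return (m["role"], m["target"]) if m else None

def inline_policy(resource=PAGE_RESOURCE):
    """Build the policy document; pass the ARN from the log to scope it to that
    one lookup role (only sufficient if synth assumes no other lookup role)."""
    statement = {"Sid": "VisualEditor0", "Effect": "Allow",
                 "Action": "sts:AssumeRole", "Resource": resource}
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]})

def add_policy(role_name, document):
    import boto3  # imported here so the parsing helpers work without AWS access
    boto3.client("iam").put_role_policy(
        RoleName=role_name, PolicyName=POLICY_NAME, PolicyDocument=document)

def remove_policy(role_name):
    """Run after the pipeline has succeeded (only needed when upgrading from V1.6.0)."""
    import boto3
    boto3.client("iam").delete_role_policy(RoleName=role_name, PolicyName=POLICY_NAME)

if __name__ == "__main__":
    role, lookup_arn = role_to_patch(SAMPLE)
    print(role, inline_policy())  # review, then call add_policy(role, inline_policy())
```
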
Full Changelog: v1.6.0...v1.6.1