Comments (3)
@vaibhavjain11 did you manage to fix this?
from aws-refarch-cross-account-pipeline.
Since the Artifact Store (the S3 bucket) is configured to use the CMK as its encryption key, whatever role of the Pipeline's stage that writes to the Artifact Store needs to have access to the CMK. In the case of the GitHub Pipeline Stage, no IAM Role can be attached to this stage, as it defaults to the Code Pipeline's service role. This means the Code Pipeline's service role needs to have access to the CMK.
To fix this issue, in ToolsAcct/pre-reqs.yaml, update the statement of the KMSKey resource's KeyPolicy from:
```yaml
Statement:
  - Sid: Allows admin of the key
    Effect: Allow
    Principal:
      AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
    Action:
      - "kms:Create*"
      - "kms:Describe*"
      - "kms:Enable*"
      - "kms:List*"
      - "kms:Put*"
      - "kms:Update*"
      - "kms:Revoke*"
      - "kms:Disable*"
      - "kms:Get*"
      - "kms:Delete*"
      - "kms:ScheduleKeyDeletion"
      - "kms:CancelKeyDeletion"
    Resource: "*"
  - Sid: Allow use of the key for CryptoGraphy Lambda
    Effect: Allow
    Principal:
      AWS:
        - !Sub arn:aws:iam::${ProductionAccount}:root
        - !Sub arn:aws:iam::${TestAccount}:root
        - !Sub arn:aws:iam::${DevAccount}:root
        - !If
          - AddCodeBuildResource
          - !Sub arn:aws:iam::${AWS::AccountId}:role/${ProjectName}-CodeBuildRole
          - !Ref AWS::NoValue
    Action:
      - kms:Encrypt
      - kms:Decrypt
      - kms:ReEncrypt*
      - kms:GenerateDataKey*
      - kms:DescribeKey
    Resource: "*"
```
To:
```yaml
Statement:
  - Sid: Allows admin of the key
    Effect: Allow
    Principal:
      AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
    Action:
      - "kms:Create*"
      - "kms:Describe*"
      - "kms:Enable*"
      - "kms:List*"
      - "kms:Put*"
      - "kms:Update*"
      - "kms:Revoke*"
      - "kms:Disable*"
      - "kms:Get*"
      - "kms:Delete*"
      - "kms:ScheduleKeyDeletion"
      - "kms:CancelKeyDeletion"
    Resource: "*"
  - Sid: Allow use of the key for CryptoGraphy Lambda
    Effect: Allow
    Principal:
      AWS:
        - !Sub arn:aws:iam::${ProductionAccount}:root
        - !Sub arn:aws:iam::${TestAccount}:root
        - !Sub arn:aws:iam::${DevAccount}:root
        - !If
          - AddCodeBuildResource
          - !Sub arn:aws:iam::${AWS::AccountId}:role/${ProjectName}-CodeBuildRole
          - !Ref AWS::NoValue
        - !If
          - AddCodeBuildResource
          - !Sub arn:aws:iam::${AWS::AccountId}:role/${ProjectName}-codepipeline-role
          - !Ref AWS::NoValue
    Action:
      - kms:Encrypt
      - kms:Decrypt
      - kms:ReEncrypt*
      - kms:GenerateDataKey*
      - kms:DescribeKey
    Resource: "*"
```
Where the difference is the inclusion of the CodePipeline's service role.
from aws-refarch-cross-account-pipeline.
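The comment above diagnoses the failure as a key-policy gap: the CodePipeline service role is never named as a principal on the artifact-store CMK, so the Source stage (which runs as that role) cannot generate data keys for the artifact bucket. The following script, added here as an illustration and not code from the aws-refarch-cross-account-pipeline project, evaluates a KMS key policy (the JSON shape `kms:GetKeyPolicy` returns, i.e. after CloudFormation has resolved the `${...}` references) against the five actions the crypto statement grants, and reports which ones a given principal is missing. It also separates actions a principal only gets through its account-root entry, since a root principal in a key policy merely delegates to that account's IAM policies and is not by itself a grant to any role. The account IDs, project name and role ARNs are constructed placeholders.

```python
"""Check which KMS actions a key policy grants a principal.

Added example for the CodePipeline artifact-store CMK discussion; not code
from the aws-refarch-cross-account-pipeline project. Account IDs and role
names below are constructed placeholders.
"""
import fnmatch

# The actions granted by the issue's "Allow use of the key" statement.
ARTIFACT_KEY_ACTIONS = (
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
)

# Constructed account IDs standing in for the four accounts in the template.
TOOLS, PROD, TEST, DEV = "111111111111", "222222222222", "333333333333", "444444444444"
PIPELINE_ROLE = f"arn:aws:iam::{TOOLS}:role/sample-codepipeline-role"
CODEBUILD_ROLE = f"arn:aws:iam::{TOOLS}:role/sample-CodeBuildRole"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    # arn:partition:service:region:account:resource -> index 4 is the account.
    return arn.split(":")[4]


def _principal_match(statement, principal_arn):
    """'direct' if the statement names the ARN (or '*'), 'root' if it only
    names the principal's account root (access then depends on IAM policies
    in that account), else None."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return "direct"
    entries = _as_list(principal.get("AWS", []))
    if principal_arn in entries or "*" in entries:
        return "direct"
    if f"arn:aws:iam::{_account_of(principal_arn)}:root" in entries:
        return "root"
    return None


def _action_covered(required, granted):
    # Either side may carry a wildcard, e.g. kms:ReEncrypt* or kms:Describe*.
    return fnmatch.fnmatchcase(required, granted) or fnmatch.fnmatchcase(granted, required)


def evaluate_key_policy(policy, principal_arn, required=ARTIFACT_KEY_ACTIONS):
    """Return {'missing': set, 'via_root': set} for the required actions.

    An explicit Deny matching the principal wins over any Allow. An action is
    'via_root' when the only Allow comes from the account-root principal.
    """
    missing, via_root = set(), set()
    for action in required:
        direct = root = denied = False
        for stmt in policy.get("Statement", []):
            how = _principal_match(stmt, principal_arn)
            if how is None:
                continue
            if not any(_action_covered(action, g) for g in _as_list(stmt.get("Action", []))):
                continue
            if stmt.get("Effect") == "Deny":
                denied = True
            elif how == "direct":
                direct = True
            else:
                root = True
        if denied or not (direct or root):
            missing.add(action)
        elif root and not direct:
            via_root.add(action)
    return {"missing": missing, "via_root": via_root}


def key_policy(crypto_principals):
    """Constructed policy in the shape of the issue's KeyPolicy after
    CloudFormation has substituted the ${...} references."""
    admin_actions = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                     "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                     "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                     "kms:CancelKeyDeletion"]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Allows admin of the key", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{TOOLS}:root"},
         "Action": admin_actions, "Resource": "*"},
        {"Sid": "Allow use of the key for CryptoGraphy Lambda", "Effect": "Allow",
         "Principal": {"AWS": crypto_principals},
         "Action": list(ARTIFACT_KEY_ACTIONS), "Resource": "*"},
    ]}


CROSS_ACCOUNT_ROOTS = [f"arn:aws:iam::{a}:root" for a in (PROD, TEST, DEV)]
BEFORE = key_policy(CROSS_ACCOUNT_ROOTS + [CODEBUILD_ROLE])                 # as shipped
AFTER = key_policy(CROSS_ACCOUNT_ROOTS + [CODEBUILD_ROLE, PIPELINE_ROLE])  # with the fix

if __name__ == "__main__":
    for label, policy in (("before", BEFORE), ("after", AFTER)):
        print(label, evaluate_key_policy(policy, PIPELINE_ROLE))
```

Run against the "before" policy, the pipeline role is missing Encrypt, Decrypt, ReEncrypt* and GenerateDataKey*, and only gets DescribeKey through the tools account's root entry in the admin statement; with the pipeline role added to the crypto statement, nothing is missing. The same function, pointed at a role in the Production, Test or Dev account, reports every action as `via_root`, which is the reminder that those roles still need a matching IAM policy of their own.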
I have this same issue and would like to know if there's a fix I'm missing.
from aws-refarch-cross-account-pipeline.