
aws_codepipeline_actions: CloudFormationCreateUpdateStackAction cross account doesn't work #29552

Closed
danielbender1989 opened this issue Mar 20, 2024 · 3 comments
Labels
@aws-cdk/aws-codepipeline-actions bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@danielbender1989

Describe the bug

I am trying to create a cross account pipeline which deploys a cloudformation stack in a different account using the CloudFormationCreateUpdateStackAction action as described here. When creating the action using the imported role from the target account, cloudformation tries to attach a policy to the role in the pipeline account, which leads to an error.

Stage Definition:

```ts
import * as cdk from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as codepipeline_actions from 'aws-cdk-lib/aws-codepipeline-actions';

// Role imported from the target (QA) account by ARN
const cfnRoleQa = iam.Role.fromRoleArn(this, "cfnRoleQa", qaAccountRoleArn);
const deployStage = pipeline.addStage({
  stageName: "Deploy",
  actions: [
    new codepipeline_actions.CloudFormationCreateUpdateStackAction({
      actionName: "CloudFormationCreateUpdate",
      stackName: cdk.Stack.of(this).stackName,
      // imported target-account role passed as the action role
      role: cfnRoleQa,
      adminPermissions: true,
      cfnCapabilities: [cdk.CfnCapabilities.NAMED_IAM],
      templatePath: buildOutput.atPath("cdk.out/Main.template.json"),
    }),
  ],
});
```

Expected Behavior

Additional policies which are attached to the role of the action should be attached in the target account and not in the pipeline account.

Current Behavior

Stack synthesizes, and an error is thrown during cloudformation deployment in the pipeline account:

Resource handler returned message: "The role with name cdk-oac-cfn-exec-role-****-eu-central-1 cannot be found. (Service: Iam, Status Code: 404, Request ID: 27ec2f6b-110d-4556-a664-e0504ec5c126)" (RequestToken: bff8c0e2-eebc-8b10-7a16-df1d5ceec109, HandlerErrorCode: NotFound)

The error is thrown on an IAM Policy which grants access to the artifact bucket including the KMS key.

Reproduction Steps

Follow the third example https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_codepipeline-readme.html#cross-account-codepipelines

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.133.0 (build dcc1e75)

Framework Version

No response

Node.js Version

v18.17.1

OS

Windows

Language

TypeScript

Language Version

5.0.4

Other information

No response

@danielbender1989 danielbender1989 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 20, 2024
pahud (Contributor) commented Mar 20, 2024

Please check the full sample at #27484 (comment) and let me know if it works for you.

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Mar 20, 2024
danielbender1989 (Author) commented

With this example it works, thanks a lot. I think what confused me was that the CDK-created deployRole is assigned to the role and not the deploymentRole attribute.


⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
