aws-samples / aws-cross-account-cicd-pipeline

Example of how to use CDK to create a CodePipeline CI/CD pipeline, and how to configure it to deploy resources on different AWS Accounts.
MIT No Attribution
110 stars 37 forks source link

Access denied from production to develop SSM #33

Open rafaeldasilva opened 1 year ago

rafaeldasilva commented 1 year ago

The pipeline stop on the production deploy with error

AccessDenied. User doesn't have permission to call ssm:GetParameters (Service: AmazonCloudFormation; Status Code: 400; Error Code: ValidationError; Request ID: xoxoxoxoxox ; Proxy: null)

The fix was grant the SSM access on policy CloudFormationDeploymentPolicy

{
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:GetParametersByPath",
                "ssm:GetParameterHistory"
            ],
            "Resource": "arn:aws:ssm:*:235613696152:parameter/*"
}
aws-sagar commented 1 year ago

Adding to @rafaeldasilva 's note here.

The AccountId in the "Resource" key should be your production account Id. Additionally, if your stack fails with "Unable to fetch parameters [/cdk-bootstrap/hnb659fds/version] from parameter store for this account." it means your production account doesn't have the parameter configured. You might want to add it manually and retrigger the pipeline.