aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(codepipeline-actions): support cross account CodeStarConnectionsSourceAction connections #14355

Open maletor opened 3 years ago

maletor commented 3 years ago

How can I use the CodeStarConnectionsSourceAction to connect to a cross-account arn:aws:codestar-connections resource?

The other account has the resource arn:aws:codestar-connections:us-west-2:connection/aEXAMPLE-8aad-4d5d-8878-dfcab0bc441f. It's all wired up and works.

I tried to create a policy of:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "codestar-connections:UseConnection"
        ],
        "Resource": "arn:aws:codestar-connections:us-west-2:connection/aEXAMPLE-8aad-4d5d-8878-dfcab0bc441f"
    }
}

And allow the pipeline account to assume that role as a trusted principal.

Then I add:

import * as iam from '@aws-cdk/aws-iam'; // CDK v1 module names, as used at the time of the issue
import * as codepipeline_actions from '@aws-cdk/aws-codepipeline-actions';
// Import (not create) the role that lives in the other account; mutable: false stops the CDK from trying to attach policies to a role it does not own.
const role = iam.Role.fromRoleArn(this, 'CrossAccountSourceRole',
  'arn:aws:iam::<other-account-id>:role/<role-that-allows-assuming-the-above-policy>',
  { mutable: false });
const sourceAction = new codepipeline_actions.CodeStarConnectionsSourceAction({
  connectionArn: "arn:aws:codestar-connections:us-west-2:connection/aEXAMPLE-8aad-4d5d-8878-dfcab0bc441f",
  role: role,
  // ...
});

Then CodePipeline assumes that role so it can use that codestar connection, but it fails with some missing S3 permissions.

How to resolve?

maletor commented 3 years ago

Channeling @skinny85 because he seems to be really knowledgeable about this stuff.

Cross-account source action where the codestar-connection is in another account. How do we do it? (This will work even for GitHub Enterprise connections that have a VPN, right?)

skinny85 commented 3 years ago

Hey @maletor ,

thanks for opening the issue. You have to make sure that the Role you created in the other account (the one that has codestar-connections:UseConnection permissions) also has permissions to write to the S3 Bucket of the Pipeline.

I think the CodeStarConnectionsSourceAction should probably parse the ARN, detect when the account/region given inside of it is different from the Pipeline's account/region, and then act accordingly.

Leaving this open as a feature request.

Thanks, Adam
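One way to check the permissions Adam describes, as an added example (TypeScript, not code from the aws-cdk project or from anyone in this thread): it models the policy from the question next to a corrected one, runs both through a minimal IAM-style matcher so the missing S3 write shows up, and does the ARN account/region comparison the comment proposes. The account IDs, the connection ID, the bucket name and the artifact key path are assumptions constructed for the example.

```typescript
// Added example, not code from aws-cdk or from this thread. It models the IAM
// documents a cross-account CodeStarConnectionsSourceAction role needs and
// checks them with a minimal IAM-style policy matcher. All account IDs, the
// connection ID and the bucket name are constructed for illustration.

type Effect = "Allow" | "Deny";
interface Statement { Effect: Effect; Action: string | string[]; Resource: string | string[]; }
interface PolicyDocument { Version: "2012-10-17"; Statement: Statement | Statement[]; }

const PIPELINE_ACCOUNT = "111111111111";   // pipeline and artifact bucket live here (assumed)
const PIPELINE_REGION = "us-west-2";
const CONNECTION_ACCOUNT = "222222222222"; // the CodeStar connection lives here (assumed)
const CONNECTION_ARN =
  `arn:aws:codestar-connections:us-west-2:${CONNECTION_ACCOUNT}:connection/11111111-2222-3333-4444-555555555555`;
const ARTIFACT_BUCKET_ARN = "arn:aws:s3:::example-pipeline-artifacts";

// What the thread proposes the construct could do itself: read region and
// account out of the connection ARN and compare them with the pipeline's.
function arnRegionAccount(arn: string): { region: string; account: string } {
  const parts = arn.split(":");
  // arn:partition:service:region:account:resource -> at least 6 fields
  if (parts.length < 6 || parts[0] !== "arn") throw new Error(`not a full ARN: ${arn}`);
  return { region: parts[3], account: parts[4] };
}
function isCrossAccount(connectionArn: string): boolean {
  const { region, account } = arnRegionAccount(connectionArn);
  return account !== PIPELINE_ACCOUNT || region !== PIPELINE_REGION;
}

// The policy from the issue: UseConnection only. The action can reach the
// provider but cannot upload the source bundle to the pipeline's bucket.
const originalPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: { Effect: "Allow", Action: ["codestar-connections:UseConnection"], Resource: CONNECTION_ARN },
};

// Corrected policy: the same single connection, plus S3 access scoped to the
// pipeline's artifact bucket and nothing else.
const correctedPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: "codestar-connections:UseConnection", Resource: CONNECTION_ARN },
    { Effect: "Allow", Action: ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectVersion"],
      Resource: `${ARTIFACT_BUCKET_ARN}/*` },
    { Effect: "Allow", Action: ["s3:GetBucketVersioning", "s3:ListBucket"], Resource: ARTIFACT_BUCKET_ARN },
  ],
};

// Minimal IAM-style evaluator: '*'/'?' wildcards, case-insensitive actions,
// explicit Deny wins, default deny. Conditions and principals are out of scope.
function globMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${re}$`, ignoreCase ? "i" : "").test(value);
}
function asList<T>(v: T | T[]): T[] { return Array.isArray(v) ? v : [v]; }
function isAllowed(doc: PolicyDocument, action: string, resource: string): boolean {
  let allowed = false;
  for (const st of asList(doc.Statement)) {
    const hit = asList(st.Action).some(a => globMatch(a, action, true))
             && asList(st.Resource).some(r => globMatch(r, resource, false));
    if (!hit) continue;
    if (st.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

// The calls the source action makes: use the connection, then write the
// source artifact into the pipeline's bucket (key path is constructed).
const REQUIRED: Array<[string, string]> = [
  ["codestar-connections:UseConnection", CONNECTION_ARN],
  ["s3:PutObject", `${ARTIFACT_BUCKET_ARN}/MyPipeline/SourceOutput/0123abcd`],
];
function missingPermissions(doc: PolicyDocument): string[] {
  return REQUIRED.filter(([a, r]) => !isAllowed(doc, a, r)).map(([a, r]) => `${a} on ${r}`);
}
// Least-privilege check: no other connection in that account, no other bucket.
function overPermissioned(doc: PolicyDocument): boolean {
  return isAllowed(doc, "codestar-connections:UseConnection",
                   `arn:aws:codestar-connections:us-west-2:${CONNECTION_ACCOUNT}:connection/other`)
      || isAllowed(doc, "s3:PutObject", "arn:aws:s3:::some-other-bucket/key");
}

console.log(isCrossAccount(CONNECTION_ARN));      // true
console.log(missingPermissions(originalPolicy));  // [ 's3:PutObject on arn:aws:s3:::example-pipeline-artifacts/MyPipeline/SourceOutput/0123abcd' ]
console.log(missingPermissions(correctedPolicy)); // []
```

Run it with ts-node or compile with tsc. The matcher deliberately ignores conditions and principals, so it only answers "does this identity policy cover the call"; for cross-account S3 the artifact bucket's own bucket policy (and the policy of its KMS key, if the bucket is encrypted with a customer-managed key, as it is for CDK pipelines that have cross-account actions) must grant the same role, because the role's identity policy alone is never enough across accounts. In the CDK the role is imported with iam.Role.fromRoleArn(scope, id, roleArn, { mutable: false }) so the CDK does not try to attach policies to a role it does not own. Note that the ARN quoted in the question has no account field, so arnRegionAccount rejects it; the cross-account detection needs a full ARN.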

AntonD-KO commented 2 years ago

Hey @skinny85 ,

Does the DetectChanges option work for a CodePipeline that is using a cross-account CodeStar connection? It looks like any change to the repo triggers only the pipeline that is in the same account as the connection, but not the one that is in another account, while a manual pipeline start works and grabs the latest commit. Is any information available on that?

skinny85 commented 2 years ago

Hey @AntonD-KO,

I actually don't know 🙂. If you have Premium Support, you can open a question to the CodeStar Connections team. They should let you know if using the source Action cross-account works or not.

Thanks, Adam