Open skinny85 opened 2 years ago
You can pass a codepipeline.Pipeline
to CodePipeline
. It can be initialized with the role you need.
Yep, that's what I recommended the customer do, but it's pretty non-trivial to figure out. A property in the construct props would make it more discoverable.
Still don't really agree. We should control better for policy size, or injecting, instead.
For reference: I just deployed a fix following the advice by @skinny85 which essentially (besides a narrower policy) looks like the code below:
The stack redeployed and kept its resources. I had to pull out the cross account property tough.
// Oversimplified policy
const codePipelineRole = new Role(this, 'CodePipelineRole', {
assumedBy: new ServicePrincipal('codepipeline.amazonaws.com'),
roleName: cdk.PhysicalName.GENERATE_IF_NEEDED,
inlinePolicies: {
rootPermissions: new PolicyDocument({
statements: [
new PolicyStatement({
resources: ['*'],
actions: ['*'],
}),
],
}),
}
})
// Need to pull out `crossAccountKeys`
const codePipeline = new Pipeline(this, 'CodePipeline', {
crossAccountKeys: true,
role: codePipelineRole.withoutPolicyUpdates()
})
const pipeline = new CodePipeline(this, 'Pipeline', {
codePipeline: codePipeline,
...
})
Update: Just found the docs for that: AWS CDK V1: https://docs.aws.amazon.com/cdk/api/v1/docs/aws-iam-readme.html#opting-out-of-automatic-permissions-management AWS_CDK V2: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam-readme.html#opting-out-of-automatic-permissions-management
Update 2: I somehow broke stuff, so not sure if it actually works
Hello @rix0rrr ,
I am trying to solve for the same problem; i.e to pass a role to the pipelines.CodePipeline
. I am trying to do this in python
.
the official cdk documentation for CDK Pipeline Here there seems to be a role
parameter. But in the class definition it does not seem to have it and throws and error when I cdk deploy
Code Snippet.
class WorkshopPipelineStack(Stack):
def __init__(self, scope: Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
codepipeline_role = iam.Role.from_role_arn(self, "Role", "arn:aws:iam::<account>:role/<pre-existing-role>",
# Set 'mutable' to 'false' to use the role as-is and prevent adding new
# policies to it. The default is 'true', which means the role may be
# modified as part of the deployment.
mutable=False
)
kms_key = aws_kms.Key.from_key_arn(self,"<kms-key>", "arn:aws:kms:us-east-1:account-number:key/<key>")
pipeline_bucket = aws_s3.Bucket(self, '<bucket-name>',encryption_key=kms_key)
pipeline = pipelines.CodePipeline(self,
"<pipeline-name>",
synth=pipelines.ShellStep(
"Synth",
input=pipelines.CodePipelineSource.connection("<org/repo>", "<branch>",
connection_arn="arn:aws:codestar-connections:<connection>"
),
commands=[
"npm install -g aws-cdk", # Installs the cdk cli on Codebuild
"pip install -r requirements.txt", # Instructs Codebuild to install required packages
"cdk synth",
]
),
role = codepipeline_role
)
Error
Traceback (most recent call last):
File "C:\Users\aramji\Desktop\aws-cdk\app.py", line 7, in <module>
WorkshopPipelineStack(app, "cmg-datasvc-cdk-codepipeline-test",
File "C:\Users\aramji\Envs\aws-cdk\lib\site-packages\jsii\_runtime.py", line 86, in __call__
inst = super().__call__(*args, **kwargs)
File "C:\Users\aramji\aws-cdk\cdk_workshop\pipeline_stack.py", line 41, in __init__
pipeline = pipelines.CodePipeline(self,
File "C:\Users\aramji\Envs\aws-cdk\lib\site-packages\jsii\_runtime.py", line 86, in __call__
inst = super().__call__(*args, **kwargs)
TypeError: __init__() got an unexpected keyword argument 'role'
Subprocess exited with error 1
Could you kindly help on the same?
Thanks, Ani
@ac259 what version of CDK are you using?
@skinny85 I was using an older 2.x version but I upgraded to the 2.47.0 and tested again.
(aws-cdk) C:\Users\aramji\Desktop\aws-cdk>cdk --version
2.47.0 (build 3528e3d)
I'm asking about the libraries, though; not the CDK CLI version. You'll find their version in the requirements.txt
(or just execute pip list
). The libraries determine whether you have access to this feature or not.
It was released in version 2.35.0
, so you need your libraries to be at least at that version.
@skinny85 thank you so much - I was on an earlier version of the library. Was able to get it to work!
Description
Because of https://github.com/aws/aws-cdk/issues/16244, customers have to sometimes create a Role manually and control its permissions.
We should make that easy in
CodePipeline
.Use Case
See above.
Proposed Solution
Add a new property
role
to theCodePipeline
construct.Other information
No response
Acknowledge