Open eruvanos opened 2 years ago
Thanks @eruvanos for this feature request. We initially didn't do it because during bootstrap we don't know what CICD system will be chosen at the time of init. However, this is a valid request and we'll certainly look into it.
Thanks Tarun
Same thing as @eruvanos when running sam pipeline bootstrap
$ sam --version
SAM CLI, version 1.76.0
$ sam pipeline bootstrap
sam pipeline bootstrap generates the required AWS infrastructure resources to connect
to your CI/CD system. This step must be run for each deployment stage in your pipeline,
prior to running the sam pipeline init command.
We will ask for [1] stage definition, [2] account details, and
[3] references to existing resources in order to bootstrap these pipeline resources.
[1] Stage definition
Enter a configuration name for this stage. This will be referenced later when you use the sam pipeline init command:
Stage configuration name: project
[2] Account details
The following AWS credential sources are available to use.
To know more about configuration AWS credentials, visit the link below:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
1 - Environment variables (not available)
2 - default (named profile)
3 - email@corp.com (named profile)
4 - nonprod-role-administratorAccess (named profile)
5 - xxxxxx (named profile)
6 - xxxxxx (named profile)
q - Quit and configure AWS credentials
Select a credential source to associate with this stage: 4
Associated account 999999999999 with configuration project.
Select a user permissions provider:
1 - IAM (default)
2 - OpenID Connect (OIDC)
Choice (1, 2): 1
Enter the pipeline IAM user ARN if you have previously created one, or we will create one for you []:
[3] Reference application build resources
Enter the pipeline execution role ARN if you have previously created one, or we will create one for you []:
Enter the CloudFormation execution role ARN if you have previously created one, or we will create one for you []:
Please enter the artifact bucket ARN for your Lambda function. If you do not have a bucket, we will create one for you []: arn:aws:s3:::aws-sam-cli-managed-default-samclisourcebucket-abcdefgh123
Does your application contain any IMAGE type Lambda functions? [y/N]:
[4] Summary
Below is the summary of the answers:
1 - Account: 999999999999
2 - Stage configuration name: project
3 - Region: eu-west-1
4 - Pipeline user: [to be created]
5 - Pipeline execution role: [to be created]
6 - CloudFormation execution role: [to be created]
7 - Artifacts bucket ARN: arn:aws:s3:::aws-sam-cli-managed-default-samclisourcebucket-abcdefgh123
8 - ECR image repository: [skipped]
Press enter to confirm the values above, or select an item to edit the value:
This will create the following required resources for the 'project' configuration:
- Pipeline IAM user
- Pipeline execution role
- CloudFormation execution role
Should we proceed with the creation? [y/N]: y
Creating the required resources...
Error: Failed to create managed resources: Waiter StackCreateComplete failed: Waiter encountered a terminal failure state: For expression "Stacks[].StackStatus" we matched expected path: "ROLLBACK_COMPLETE" at least once
CloudFormation stack creation fails during event with Logical ID: PipelineUser Status: CREATE_FAILED
API: iam:CreateUser User: arn:aws:sts::999999999999:assumed-role/role-administratorAccess/botocore-session-1679063532
is not authorized to perform: iam:CreateUser on resource:
arn:aws:iam::999999999999:user/aws-sam-cli-managed-project-pipeline-PipelineUser-109CLZF59YZCM
with an explicit deny in a service control policy
Users are not allowed because IAM > Identity providers is used with a SAML provider defined (in my case https://www.onelogin.com/ OnPremise).
Any workaround?
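The stack failure quoted above is easy to misread, because CloudFormation reports one root cause (the `PipelineUser` deny) plus cascading "Resource creation cancelled" failures for everything else, and the deny text itself carries the answer to whether a local IAM change could ever help: an explicit deny from a service control policy cannot be overridden by any policy on the caller. The following script is an added example, not part of this issue or of SAM CLI; it parses the `ResourceStatusReason` wording shown in the log, separates root causes from cascades, and flags SCP denials. The event list is constructed inline from the values on this page (account `999999999999`, role `role-administratorAccess`, the `PipelineUser` logical ID), and `fetch_stack_events` is the only piece that talks to AWS, via `describe_stack_events`.

```python
import re
from typing import Dict, List, Optional

# CloudFormation relays IAM's access-denied message verbatim in ResourceStatusReason:
#   "API: <svc:Action> User: <principal ARN> is not authorized to perform: <svc:Action>
#    on resource: <resource ARN> with an explicit deny in a service control policy"
# The trailing SCP clause is optional; identity-policy denials omit it.
DENY_RE = re.compile(
    r"API:\s*(?P<api>\S+)\s+User:\s*(?P<principal>\S+)\s+"
    r"is not authorized to perform:\s*(?P<action>\S+)\s+on resource:\s*(?P<resource>\S+)"
    r"(?P<scp>\s+with an explicit deny in a service control policy)?"
)

# Constructed sample: the shape describe_stack_events returns, with the values from this issue.
SAMPLE_EVENTS: List[Dict] = [
    {"LogicalResourceId": "aws-sam-cli-managed-project-pipeline-resources",
     "ResourceStatus": "ROLLBACK_COMPLETE", "ResourceStatusReason": None},
    {"LogicalResourceId": "PipelineExecutionRole", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "Resource creation cancelled"},
    {"LogicalResourceId": "PipelineUser", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": (
         "API: iam:CreateUser User: arn:aws:sts::999999999999:assumed-role/"
         "role-administratorAccess/botocore-session-1679063532 is not authorized to perform: "
         "iam:CreateUser on resource: arn:aws:iam::999999999999:user/"
         "aws-sam-cli-managed-project-pipeline-PipelineUser-109CLZF59YZCM "
         "with an explicit deny in a service control policy")},
    {"LogicalResourceId": "PipelineUser", "ResourceStatus": "CREATE_IN_PROGRESS",
     "ResourceStatusReason": None},
]


def fetch_stack_events(stack_name: str, region: Optional[str] = None) -> List[Dict]:
    """Live variant: page through describe_stack_events for a real stack (needs boto3 + credentials)."""
    import boto3  # imported here so the offline parts of this module run without it
    cfn = boto3.client("cloudformation", region_name=region)
    events: List[Dict] = []
    for page in cfn.get_paginator("describe_stack_events").paginate(StackName=stack_name):
        events.extend(page["StackEvents"])
    return events


def root_cause_failures(events: List[Dict]) -> List[Dict]:
    """Keep CREATE_FAILED events that carry a real error, dropping the cascaded cancellations."""
    out = []
    for ev in events:
        if ev.get("ResourceStatus") != "CREATE_FAILED":
            continue
        reason = ev.get("ResourceStatusReason") or ""
        if reason.startswith("Resource creation cancelled"):
            continue  # cancelled only because a sibling resource failed first
        out.append(ev)
    return out


def assumed_role_name(principal_arn: str) -> Optional[str]:
    """Pull the role name out of an STS assumed-role ARN, or None for other principal types."""
    m = re.match(r"arn:aws:sts::\d{12}:assumed-role/([^/]+)/", principal_arn)
    return m.group(1) if m else None


def parse_denial(reason: str) -> Optional[Dict]:
    """Structure an IAM access-denied reason; None when the text is not a denial."""
    m = DENY_RE.search(reason)
    if not m:
        return None
    return {
        "api": m["api"],
        "principal": m["principal"],
        "role": assumed_role_name(m["principal"]),
        "action": m["action"],
        "resource": m["resource"],
        # An SCP deny is decided at the organisation level: no identity policy on the
        # caller can lift it, so the fix is either an SCP change or not creating the resource.
        "denied_by_scp": m["scp"] is not None,
    }


def explain_stack_failure(events: List[Dict]) -> List[Dict]:
    """One finding per root-cause failure, with the denial parsed where there is one."""
    findings = []
    for ev in root_cause_failures(events):
        reason = ev.get("ResourceStatusReason") or ""
        findings.append({"logical_id": ev["LogicalResourceId"],
                         "reason": reason, "denial": parse_denial(reason)})
    return findings


if __name__ == "__main__":
    for f in explain_stack_failure(SAMPLE_EVENTS):
        d = f["denial"]
        if d and d["denied_by_scp"]:
            print(f"{f['logical_id']}: {d['action']} denied by SCP for role {d['role']}; "
                  "caller-side IAM changes will not help")
        else:
            print(f"{f['logical_id']}: {f['reason']}")
```

Run against a live account by replacing `SAMPLE_EVENTS` with `fetch_stack_events("aws-sam-cli-managed-<stage>-pipeline-resources")` once the bootstrap stack has rolled back; the stack name here is an assumption about how the `bootstrap` stack is named and should be checked against the CloudFormation console.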
Plus 1 here for enterprise SSO capability.
Plus 1 here for enterprise SSO / AWS control tower capability.
Describe your idea/feature/enhancement
In our corporate environment the creation of IAM users is not permitted. For that reason I looked for an option to skip its creation. In a CodePipeline setup the user should not be required; I also did not find any reference to it within the pipeline templates.
Proposal
Introduce an option to skip IAM user creation during sam pipeline bootstrap.