Open g-andrade opened 1 year ago
It's possible to restrict cross-account deploys to a specific externalId in IAM role policies.
externalId
Up until the present fix, however, such deploys with a custom externalId fail with HTTP 403 forbidden; removing the restriction from the IAM policy instantly allows for the deploy to happen.
My understanding of what's happening is:
AWSCodeDeployPublisher
"iamRoleArn"
Functional:
AWSCodeDeployPublisher.externalId
Tooling-related:
[*] closes #107, #115 and #116
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Issue
It's possible to restrict cross-account deploys to a specific
externalIdin IAM role policies.Up until the present fix, however, such deploys with a custom
externalIdfail with HTTP 403 forbidden; removing the restriction from the IAM policy instantly allows for the deploy to happen.My understanding of what's happening is:
AWSCodeDeployPublisherinstance receives theexternalIdthrough its constructor and saves it: https://github.com/awslabs/aws-codedeploy-plugin/blob/40d7b24c95edef27f2879037ae1add30fc3f3831/src/main/java/com/amazonaws/codedeploy/AWSCodeDeployPublisher.java#L108-L130"iamRoleArn"as credentials, the instance will retrieveexternalIdfrom the descriptor: https://github.com/awslabs/aws-codedeploy-plugin/blob/40d7b24c95edef27f2879037ae1add30fc3f3831/src/main/java/com/amazonaws/codedeploy/AWSCodeDeployPublisher.java#L204-L207externalIdrandomly: https://github.com/awslabs/aws-codedeploy-plugin/blob/40d7b24c95edef27f2879037ae1add30fc3f3831/src/main/java/com/amazonaws/codedeploy/AWSCodeDeployPublisher.java#L460-L464Description of changes
Functional:
AWSCodeDeployPublisher.externalIdinstead of the descriptor'sTooling-related:
[*] closes #107, #115 and #116
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.