awslabs / aws-deployment-framework

The AWS Deployment Framework (ADF) is an extensive and flexible framework to manage and deploy resources across multiple AWS accounts and regions based on AWS Organizations.
Apache License 2.0
658 stars, 227 forks

[Bug]: GitHub integration broken, not allowed to read token #761

Open niklaswesterstrahleknowit opened 1 week ago

niklaswesterstrahleknowit commented 1 week ago

Is there an existing issue for this?

Describe the bug

After the 4.0.0 update, our pipelines using GitHub as a source cannot be updated by the pipeline management.

The IAM role used for adf-pipeline-deployment is not allowed to perform secretsmanager:GetSecretValue on /adf/github_token.

Expected Behavior

Token is allowed to be read by the role.

Current Behavior

User: arn:aws:sts::xxxxxxxxxxx:assumed-role/adf-pipeline-deployment/AWSCloudFormation is not authorized to perform: secretsmanager:GetSecretValue on resource: /adf/github_token because no identity-based policy allows the secretsmanager:GetSecretValue action (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: 7b6c9d9f-04f3-4575-8e59-5ac66fdfd56ee4e6; Proxy: null)

Steps To Reproduce

Have a pipeline use GitHub as a source with a token stored in secrets manager:

pipelines:

Possible Solution

Add rights to the role to read from the Secrets Manager /adf/ path.

Additional Information/Context

No response

ADF Version

4.0.0

Contributing a fix?

niklaswesterstrahleknowit commented 1 week ago

Seems a continuation of this: after granting the rights, the next thing to fail is the generated pipeline.

CloudFormation fails, as the first stage of the CodePipeline needs to contain source actions only, and the generated CDK wasn't that.

Resource handler returned message: "Pipeline should start with a stage that only contains source actions (Service: CodePipeline, Status Code: 400, Request ID: 6c4626f0-70a0-43f5-bbdc-b8bf1686fdd722f)"

sbkok commented 2 days ago

Hi @niklaswesterstrahleknowit,

With ADF v4.0, support for the GitHub v1 source provider is dropped in favor of CodeConnection (previously named CodeStar connection). AWS CodePipeline guidance on this change can be found here: https://docs.aws.amazon.com/codepipeline/latest/userguide/update-github-action-connections.html

In the v4.0.0 release notes, the section named "AWS CodeStar Connections OAuth Token support dropped" describes this breaking change.

The v4.0.0 supported source providers are listed at: https://github.com/awslabs/aws-deployment-framework/blob/v4.0.0/docs/providers-guide.md#source

Upgrading the connection should be fairly straightforward; you can find more info here: https://github.com/awslabs/aws-deployment-framework/blob/v4.0.0/docs/admin-guide.md#using-aws-codeconnections-for-bitbucket-github-github-enterprise-or-gitlab

Please let us know if this resolves your issue.

Best regards, Simon
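As an added example (not ADF's code and not written by any participant in the thread), the following Python audits a CodePipeline declaration for the two failure modes quoted above: it lists source actions still on the GitHub v1 (OAuth token) provider that ADF v4 no longer supports, checks the CodePipeline rule that the first stage must contain only source actions, and shows what the same action looks like once rewritten for a CodeConnections-backed source. The dict shape is that of the `pipeline` object returned by boto3's `codepipeline.get_pipeline()`; the pipeline definitions, repository names and connection ARN are constructed placeholders, and the migration helper only rewrites the in-memory action, it does not call AWS.

```python
"""Audit CodePipeline declarations for the two problems raised in the thread.

Added example, not part of ADF. Operates on plain dicts shaped like the
`pipeline` object from boto3 `codepipeline.get_pipeline()`, so it runs
offline on the constructed samples below.
"""

# actionTypeId (owner, provider, version) tuples for the two source providers.
GITHUB_V1 = ("ThirdParty", "GitHub", "1")                   # OAuth-token source, dropped in ADF v4
CODECONNECTIONS = ("AWS", "CodeStarSourceConnection", "1")  # CodeConnections-backed source


def _action_type(action):
    t = action["actionTypeId"]
    return (t["owner"], t["provider"], t["version"])


def find_github_v1_actions(pipeline):
    """Return [(stage_name, action_name)] for every GitHub v1 source action."""
    hits = []
    for stage in pipeline.get("stages", []):
        for action in stage.get("actions", []):
            if action["actionTypeId"]["category"] == "Source" and _action_type(action) == GITHUB_V1:
                hits.append((stage["name"], action["name"]))
    return hits


def validate_first_stage(pipeline):
    """Mirror the CodePipeline rule quoted in the thread: the first stage must
    contain only source actions. Returns a list of violation messages (empty = ok)."""
    stages = pipeline.get("stages", [])
    if not stages:
        return ["pipeline has no stages"]
    first = stages[0]
    if not first.get("actions"):
        return [f"stage '{first['name']}' has no actions"]
    return [
        f"stage '{first['name']}' action '{a['name']}' is {a['actionTypeId']['category']}, not Source"
        for a in first["actions"]
        if a["actionTypeId"]["category"] != "Source"
    ]


def migrate_to_codeconnections(action, connection_arn, full_repository_id):
    """Return a copy of a GitHub v1 source action rewritten for CodeConnections.
    The OAuthToken setting is dropped; the connection ARN replaces it. Pure
    function: nothing is sent to AWS."""
    if _action_type(action) != GITHUB_V1:
        raise ValueError("not a GitHub v1 source action")
    owner, provider, version = CODECONNECTIONS
    return {
        **action,
        "actionTypeId": {"category": "Source", "owner": owner, "provider": provider, "version": version},
        "configuration": {
            "ConnectionArn": connection_arn,
            "FullRepositoryId": full_repository_id,        # "<owner>/<repo>"
            "BranchName": action["configuration"]["Branch"],
            "OutputArtifactFormat": "CODE_ZIP",
        },
    }


# --- constructed sample declarations (placeholder names, not real pipelines) ---
_BUILD_ACTION = {
    "name": "Build",
    "actionTypeId": {"category": "Build", "owner": "AWS", "provider": "CodeBuild", "version": "1"},
    "configuration": {"ProjectName": "sample-vpc-build"},
    "inputArtifacts": [{"name": "SourceArtifact"}],
}

LEGACY_PIPELINE = {
    "name": "sample-vpc",
    "stages": [
        {"name": "Source", "actions": [{
            "name": "GitHub",
            "actionTypeId": {"category": "Source", "owner": "ThirdParty", "provider": "GitHub", "version": "1"},
            # get_pipeline masks the token; the value here is a placeholder.
            "configuration": {"Owner": "example-org", "Repo": "sample-vpc", "Branch": "main",
                              "OAuthToken": "****", "PollForSourceChanges": "false"},
            "outputArtifacts": [{"name": "SourceArtifact"}],
        }]},
        {"name": "Build", "actions": [_BUILD_ACTION]},
    ],
}

# First stage is a Build stage: this is what CodePipeline rejects with
# "Pipeline should start with a stage that only contains source actions".
BROKEN_PIPELINE = {"name": "broken", "stages": [{"name": "Build", "actions": [_BUILD_ACTION]}]}

if __name__ == "__main__":
    print("GitHub v1 actions:", find_github_v1_actions(LEGACY_PIPELINE))
    print("Broken pipeline errors:", validate_first_stage(BROKEN_PIPELINE))
```

To run this against real pipelines, feed `client.get_pipeline(name=...)["pipeline"]` to the two audit functions; `migrate_to_codeconnections` gives you the action body to put into `update_pipeline`, but review it first, since the branch and repository mapping is the only thing it carries over.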