niklaswesterstrahleknowit opened 1 week ago
Seems a continuation of this: after giving rights, the next thing to fail is the generated pipeline.
CloudFormation fails, as the first step of the CodePipeline needs to be source-only, and the generated CDK wasn't that.
Resource handler returned message: "Pipeline should start with a stage that only contains source actions (Service: CodePipeline, Status Code: 400, Request ID: 6c4626f0-70a0-43f5-bbdc-b8bf1686fdd722f)"
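As an added example, not code from the issue or from the ADF project: a small Python check for the rule the CloudFormation error above enforces, namely that the first stage of a CodePipeline contains only actions whose category is "Source". It reads the structure that `aws codepipeline get-pipeline` returns (the "pipeline" object), so a generated template can be validated before CloudFormation rejects it with a 400. The pipeline names, repository and connection ARN below are constructed placeholders.

```python
"""Check a CodePipeline definition for the 'first stage is source-only' rule.

Added example (not part of the issue or the ADF project). Input is the
"pipeline" object returned by `aws codepipeline get-pipeline`.
"""
from typing import Dict, List


def first_stage_violations(pipeline: Dict) -> List[str]:
    """Return a list of problems; an empty list means the rule is satisfied.

    CodePipeline requires stage 1 to contain only actions whose
    actionTypeId.category is "Source". Any Build/Deploy/etc. action placed
    there is rejected at create/update time, which is what surfaces as the
    CloudFormation failure quoted in the comment above.
    """
    problems: List[str] = []
    stages = pipeline.get("stages", [])
    if not stages:
        return ["pipeline has no stages"]
    first = stages[0]
    name = first.get("name", "<unnamed>")
    actions = first.get("actions", [])
    if not actions:
        problems.append(f"stage '{name}' has no actions")
    for action in actions:
        category = action.get("actionTypeId", {}).get("category")
        if category != "Source":
            problems.append(
                f"stage '{name}' action '{action.get('name')}' has category "
                f"{category!r}, expected 'Source'"
            )
    return problems


def _action(name: str, category: str, provider: str) -> Dict:
    """Build a minimal action entry (helper for the constructed samples)."""
    return {
        "name": name,
        "actionTypeId": {
            "category": category,
            "owner": "AWS",
            "provider": provider,
            "version": "1",
        },
    }


# Constructed sample: a CodeConnections source followed by a build stage.
GOOD_PIPELINE = {
    "name": "example-good",  # placeholder
    "stages": [
        {
            "name": "Source",
            "actions": [
                dict(
                    _action("GitHubSource", "Source", "CodeStarSourceConnection"),
                    configuration={
                        # placeholder connection ARN, not a real resource
                        "ConnectionArn": "arn:aws:codeconnections:eu-west-1:111111111111:connection/PLACEHOLDER",
                        "FullRepositoryId": "example-org/example-repo",
                        "BranchName": "main",
                    },
                    outputArtifacts=[{"name": "SourceOutput"}],
                )
            ],
        },
        {"name": "Build", "actions": [_action("Build", "Build", "CodeBuild")]},
    ],
}

# Constructed sample of the mistake: a Build action mixed into stage 1.
BAD_PIPELINE = {
    "name": "example-bad",  # placeholder
    "stages": [
        {
            "name": "SourceAndBuild",
            "actions": [
                _action("GitHubSource", "Source", "CodeStarSourceConnection"),
                _action("Build", "Build", "CodeBuild"),
            ],
        }
    ],
}


if __name__ == "__main__":
    for p in (GOOD_PIPELINE, BAD_PIPELINE):
        found = first_stage_violations(p)
        print(p["name"], "OK" if not found else found)
```

Run it against `aws codepipeline get-pipeline --name <pipeline> --query pipeline` output (or against the `Stages` list of a generated template, after lowercasing the keys) to catch the misplaced action before deployment.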
Hi @niklaswesterstrahleknowit,
With ADF v4.0, support for the GitHub v1 source provider is dropped in favor of CodeConnection (previously named CodeStar connection). AWS CodePipeline guidelines on this change can be found here: https://docs.aws.amazon.com/codepipeline/latest/userguide/update-github-action-connections.html
In the v4.0.0 release notes, the section named: "AWS CodeStar Connections OAuth Token support dropped" described this breaking change.
The v4.0.0 supported source providers are listed at: https://github.com/awslabs/aws-deployment-framework/blob/v4.0.0/docs/providers-guide.md#source
Upgrading the connection should be fairly straightforward; you can find more info here: https://github.com/awslabs/aws-deployment-framework/blob/v4.0.0/docs/admin-guide.md#using-aws-codeconnections-for-bitbucket-github-github-enterprise-or-gitlab
Please let us know if this resolves your issue.
Best regards, Simon
Is there an existing issue for this?
Describe the bug
After 4.0.0 update, our pipelines using GitHub as a source cannot be updated by the pipeline management.
The IAM role used for adf-pipeline-deployment is not allowed to perform secrets manager:GetSecret on /adf/github_token
Expected Behavior
Token is allowed to be read by the role.
Current Behavior
User: arn:aws:sts::xxxxxxxxxxx:assumed-role/adf-pipeline-deployment/AWSCloudFormation is not authorized to perform: secretsmanager:GetSecretValue on resource: /adf/github_token because no identity-based policy allows the secretsmanager:GetSecretValue action (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: 7b6c9d9f-04f3-4575-8e59-5ac66fdfd56ee4e6; Proxy: null)
Steps To Reproduce
Have a pipeline use GitHub as a source with a token stored in secrets manager:
pipelines:
Possible Solution
Add rights to the role to read from secrets manager /adf/ path.
Additional Information/Context
No response
ADF Version
4.0.0
Contributing a fix?