I have been playing with AWS CDK and was working on building a code pipeline stack on my AWS Educate account. The user that I am using has enough permission to access and use the code pipeline. My problem is, AWS CDK generates a role for the code pipeline action whose Principal is the ARN of the root account. So it doesn't have the permission to assume the role on the root account.
Action code:
{
  stageName: "Build",
  actions: [
    new codepipelineActions.CodeBuildAction({
      actionName: "Build",
      input: sourceOutput,
      project: builder
    })
  ]
}
Cloudformation Template Output:
"devPipelineBuildCodePipelineActionRole8696D056": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "AWS": {
              "Fn::Join": [
                "",
                [
                  "arn:",
                  {
                    "Ref": "AWS::Partition"
                  },
                  ":iam::",
                  {
                    "Ref": "AWS::AccountId"
                  },
                  ":root"
                ]
              ]
            }
          }
        }
      ],
      "Version": "2012-10-17"
    }
  },
  "Metadata": {
    "aws:cdk:path": "PipeLineStack/dev-Pipeline/Build/Build/CodePipelineActionRole/Resource"
  }
}
...
{
  "Actions": [
    {
      "ActionTypeId": {
        "Category": "Build",
        "Owner": "AWS",
        "Provider": "CodeBuild",
        "Version": "1"
      },
      "Configuration": {
        "ProjectName": {
          "Ref": "BuildAndTestB9A2F419"
        }
      },
      "InputArtifacts": [
        {
          "Name": "SourceOutput"
        }
      ],
      "Name": "Build",
      "RoleArn": {
        "Fn::GetAtt": [
          "devPipelineBuildCodePipelineActionRole8696D056",
          "Arn"
        ]
      },
      "RunOrder": 1
    }
  ],
  "Name": "Build"
}
This will throw the error:
arn:aws:iam::acount_id:role/PipeLineStack-devPipelineRole5B29FEBC-1JK24J0K5N1UG is not authorized to perform AssumeRole on role arn:aws:iam::acount_id:role/PipeLineStack-devPipelineBuildCodePipelineActionRo-17ETJU1KZCCNQ (Service: AWSCodePipeline; Status Code: 400; Error Code: InvalidStructureException; Request ID: c8c8af89-2409-4cc1-aad8-4de553a1764f; Proxy: null)
If I remove the RoleArn from the Action and execute the template it works.
My question is: how do I prevent CDK from adding a default role with a Principal using the root account, or is there a workaround for it?
It looks like actions are not allowed to assume any role in AWS Educate currently. So, to have a workaround and remove the manual overhead, use CDK L1 constructs to modify the generated CloudFormation.
The pipeline can be created like:
// Imports assumed for the CDK v1 package layout (not shown in the original answer)
import * as cdk from "@aws-cdk/core";
import * as iam from "@aws-cdk/aws-iam";
import * as codepipeline from "@aws-cdk/aws-codepipeline";

// Custom role to pass in to the pipeline
const pipeLineRole = new iam.Role(this, "CodePipeLineRole", {
  assumedBy: new iam.ServicePrincipal("codepipeline.amazonaws.com"),
});
// Required policy for each action to run; the actions and resources
// depend on the actions in the pipeline and are left out here
pipeLineRole.addToPolicy(
  new iam.PolicyStatement({
    actions: [/* ... */],
    resources: [/* ... */],
  })
);
const pipeline = new codepipeline.Pipeline(this, "Pipeline", {
  role: pipeLineRole,
  stages: [
    //  ...
    {
      actions: [action1, action2],
    },
    //  ...
  ],
});
// Altering the CloudFormation to remove the role ARN from the actions
const pipelineCfn = pipeline.node.defaultChild as cdk.CfnResource;
// addDeletionOverride removes the property from the CloudFormation itself
// Delete the action role ARN for every stage and action created
pipelineCfn.addDeletionOverride("Properties.Stages.1.Actions.0.RoleArn");
pipelineCfn.addDeletionOverride("Properties.Stages.2.Actions.0.RoleArn");
pipelineCfn.addDeletionOverride("Properties.Stages.3.Actions.0.RoleArn");
This is a workaround and it works, but there are still unwanted, dangling policies and roles, created for the individual actions, that have not been assigned to any service.
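An added example in TypeScript, written for this page and not code from the question or the answer above; it needs no CDK packages because it works on the synthesized CloudFormation JSON of the shape shown in the question. It lists the roles whose trust policy names the account root (the trust the question ran into), derives the `Properties.Stages.<i>.Actions.<j>.RoleArn` override paths for every action that carries a RoleArn instead of hard-coding the indices, applies them to a copy of the template, and then reports which roles are left dangling. The template, its logical ids, and the `danglingRoles` heuristic (a role referenced by nothing except an IAM policy) are assumptions constructed for illustration.

```typescript
// Added example: inspects a synthesized CloudFormation template offline.
type Json = any;

// Trust-policy principal in the Fn::Join form CDK emits for an action role.
const accountRootPrincipal: Json = {
  "Fn::Join": ["", ["arn:", { Ref: "AWS::Partition" }, ":iam::", { Ref: "AWS::AccountId" }, ":root"]],
};

function roleResource(principal: Json): Json {
  return {
    Type: "AWS::IAM::Role",
    Properties: {
      AssumeRolePolicyDocument: {
        Statement: [{ Action: "sts:AssumeRole", Effect: "Allow", Principal: principal }],
        Version: "2012-10-17",
      },
    },
  };
}

// Constructed sample template (assumed ids): a Source stage, a Build stage whose
// action has its own generated role, and the inline policy attached to that role.
const sampleTemplate: Json = {
  Resources: {
    PipelineRole: roleResource({ Service: "codepipeline.amazonaws.com" }),
    BuildActionRole: roleResource({ AWS: accountRootPrincipal }),
    BuildActionRolePolicy: {
      Type: "AWS::IAM::Policy",
      Properties: {
        Roles: [{ Ref: "BuildActionRole" }],
        PolicyDocument: { Statement: [{ Action: "codebuild:StartBuild", Effect: "Allow", Resource: "*" }], Version: "2012-10-17" },
      },
    },
    Pipeline: {
      Type: "AWS::CodePipeline::Pipeline",
      Properties: {
        RoleArn: { "Fn::GetAtt": ["PipelineRole", "Arn"] },
        Stages: [
          { Name: "Source", Actions: [{ Name: "Source", RunOrder: 1 }] },
          { Name: "Build", Actions: [{ Name: "Build", RoleArn: { "Fn::GetAtt": ["BuildActionRole", "Arn"] }, RunOrder: 1 }] },
        ],
      },
    },
  },
};

// True when a statement's principal is the account root ARN, either as a
// literal string or as the Fn::Join form above.
function isAccountRoot(principal: Json): boolean {
  const aws = principal?.AWS;
  if (typeof aws === "string") return aws.endsWith(":root");
  const parts = aws?.["Fn::Join"]?.[1];
  return Array.isArray(parts) && parts[parts.length - 1] === ":root";
}

// Logical ids of roles that any principal in the account may assume, subject
// to that principal's own IAM policy (the check the AWS Educate user failed).
function rolesTrustingAccountRoot(template: Json): string[] {
  return Object.entries<Json>(template.Resources)
    .filter(([, r]) => r.Type === "AWS::IAM::Role")
    .filter(([, r]) => (r.Properties.AssumeRolePolicyDocument.Statement as Json[]).some((s) => isAccountRoot(s.Principal)))
    .map(([id]) => id);
}

// Override paths for every action carrying a RoleArn, in the dotted form that
// CfnResource.addDeletionOverride takes, derived rather than hard-coded.
function roleArnOverridePaths(template: Json, pipelineId: string): string[] {
  const paths: string[] = [];
  (template.Resources[pipelineId].Properties.Stages as Json[]).forEach((stage, i) =>
    (stage.Actions as Json[]).forEach((action, j) => {
      if (action.RoleArn !== undefined) paths.push(`Properties.Stages.${i}.Actions.${j}.RoleArn`);
    }));
  return paths;
}

// Deletes the given property paths on a copy of the template, which is the
// effect addDeletionOverride has on the resource at synth time.
function applyDeletionOverrides(template: Json, resourceId: string, paths: string[]): Json {
  const copy = JSON.parse(JSON.stringify(template));
  for (const path of paths) {
    const keys = path.split(".");
    let node = copy.Resources[resourceId];
    for (const key of keys.slice(0, -1)) node = node[key];
    delete node[keys[keys.length - 1]];
  }
  return copy;
}

// Collects every logical id referenced via Ref or Fn::GetAtt under a node.
function referencedIds(node: Json, out: Set<string>): void {
  if (Array.isArray(node)) { node.forEach((n) => referencedIds(n, out)); return; }
  if (node === null || typeof node !== "object") return;
  if (typeof node.Ref === "string") out.add(node.Ref);
  if (Array.isArray(node["Fn::GetAtt"])) out.add(node["Fn::GetAtt"][0]);
  Object.values(node).forEach((v) => referencedIds(v, out));
}

// Roles referenced by nothing except an IAM policy: once the action RoleArns
// are deleted, these are the dangling roles the answer warns about.
function danglingRoles(template: Json): string[] {
  const used = new Set<string>();
  for (const r of Object.values<Json>(template.Resources)) {
    if (r.Type !== "AWS::IAM::Policy") referencedIds(r, used);
  }
  return Object.entries<Json>(template.Resources)
    .filter(([id, r]) => r.Type === "AWS::IAM::Role" && !used.has(id))
    .map(([id]) => id);
}

const overrides = roleArnOverridePaths(sampleTemplate, "Pipeline");
const patched = applyDeletionOverrides(sampleTemplate, "Pipeline", overrides);
console.log({ rootTrusted: rolesTrustingAccountRoot(sampleTemplate), overrides, danglingAfter: danglingRoles(patched) });
```

Run it against the output of `cdk synth --json` (replacing `sampleTemplate`) to get the exact override paths for your stack and, after synthesizing again, a list of the roles that the workaround leaves behind, which you can then remove from the stack or accept knowingly.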