Installing CDK package from CodeArtifact during CodePipeline build stage

0

I have some CDK constructs as Python packages built and published to a CodeArtifact repository. Now I want to reuse these packages in my CDK app with CDK Pipeline. My code is this:

pipeline = CodePipeline(
    self,
    "Pipeline",
    pipeline_name="MyApp",
    synth=ShellStep(
        "Synth",
        input=CodePipelineSource.connection(...),
        commands=[
            "pip3 install awscli --upgrade --user",
            "aws codeartifact login --tool pip --repository my-repo --domain my-domain --domain-owner 123456789012 --region us-east-1",
            "pip install -r requirements.txt",
            "npm install -g aws-cdk",
            "cdk synth",
        ],
    ),
)

But I am getting the following error:

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::123456789012:assumed-role/MyAppPipelineStack-PipelineBuildSynthCdkBuildPr-OC8QO3ENNGDV/AWSCodeBuild-8cb5d5ee-c307-4742-bed6-51b0a0c36c48 is not authorized to perform: codeartifact:GetAuthorizationToken on resource: arn:aws:codeartifact:us-east-1:123456789012:domain/my-domain because no identity-based policy allows the codeartifact:GetAuthorizationToken action

I understand that this Role doesn't have permissions to get this CodeArtifact repository, however I don't know how to set up CodePipeline. Does anyone know how to do it? Is there any tutorial that explains how to use private CDK packages in the CDK Pipeline build process?

4 Answers
1
Accepted answer

It worked! I added the following Role to the CodePipeline synth_code_build_defaults parameter.

role_policy = [
    iam.PolicyStatement(
        actions=[
            "codeartifact:GetAuthorizationToken",
            "codeartifact:GetRepositoryEndpoint",
            "codeartifact:ReadFromRepository",
        ],
        resources=["*"],
    ),
    iam.PolicyStatement(
        actions=["sts:GetServiceBearerToken"],
        resources=["*"],
        conditions={
            "StringEquals": {"sts:AWSServiceName": "codeartifact.amazonaws.com"}
        },
    ),
]

pipeline = CodePipeline(
    ...
    synth_code_build_defaults=CodeBuildOptions(role_policy=role_policy),
)

Thank you!

answered a year ago
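
Added example, not part of the original answers: a check in plain Python (no CDK dependency) that reports which of the actions from the accepted answer a policy document lacks and which it grants on `"*"` with no condition, plus a variant scoped to the domain and repository named in the question. The function names and the JSON rendering of the policies are assumptions of this example; the ARN layouts are CodeArtifact's domain and repository formats.

```python
import fnmatch

# Actions granted in the accepted answer above.
REQUIRED = (
    "codeartifact:GetAuthorizationToken",
    "codeartifact:GetRepositoryEndpoint",
    "codeartifact:ReadFromRepository",
    "sts:GetServiceBearerToken",
)

def _listify(value):
    return value if isinstance(value, list) else [value]

def _allows(policy):
    """Yield (action_pattern, resources, has_condition) for each Allow statement."""
    for stmt in _listify(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            for action in _listify(stmt["Action"]):
                yield action, _listify(stmt["Resource"]), bool(stmt.get("Condition"))

def missing_actions(policy, required=REQUIRED):
    """Required actions that no Allow statement matches (IAM matching ignores case)."""
    patterns = [a.lower() for a, _, _ in _allows(policy)]
    return [r for r in required
            if not any(fnmatch.fnmatchcase(r.lower(), p) for p in patterns)]

def unscoped_actions(policy):
    """Actions allowed on Resource "*" with no Condition narrowing them."""
    return [a for a, res, cond in _allows(policy) if "*" in res and not cond]

def scoped_policy(region, account, domain, repo):
    """The same four actions, limited to one domain and one repository."""
    base = f"arn:aws:codeartifact:{region}:{account}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "codeartifact:GetAuthorizationToken",
         "Resource": f"{base}:domain/{domain}"},
        {"Effect": "Allow",
         "Action": ["codeartifact:GetRepositoryEndpoint", "codeartifact:ReadFromRepository"],
         "Resource": f"{base}:repository/{domain}/{repo}"},
        {"Effect": "Allow", "Action": "sts:GetServiceBearerToken", "Resource": "*",
         "Condition": {"StringEquals": {"sts:AWSServiceName": "codeartifact.amazonaws.com"}}},
    ]}

# Constructed sample: the accepted answer's two statements rendered as policy JSON.
ACCEPTED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": list(REQUIRED[:3]), "Resource": "*"},
    {"Effect": "Allow", "Action": "sts:GetServiceBearerToken", "Resource": "*",
     "Condition": {"StringEquals": {"sts:AWSServiceName": "codeartifact.amazonaws.com"}}},
]}
```

The scoped resource strings can be used in the `resources` lists of the `iam.PolicyStatement` objects from the accepted answer in place of `"*"`.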
0

When you define a build project you can give it a ServiceRole - "The ARN of the IAM role that enables AWS CodeBuild to interact with dependent AWS services on behalf of the AWS account". Adding the right CodeArtifact permissions in that role should solve your problem.

EXPERT
answered a year ago
0

I tried to pass the following Role to CodePipeline class.

role = iam.Role(
    self,
    "PipelineRole",
    role_name="PipelineRole",
    assumed_by=iam.ServicePrincipal("codepipeline.amazonaws.com"),
    inline_policies={
        "AccessCodeArtifact": iam.PolicyDocument(
            statements=[
                iam.PolicyStatement(
                    actions=[
                        "s3:Abort*",
                        "s3:DeleteObject*",
                        "s3:GetBucket*",
                        "s3:GetObject*",
                        "s3:List*",
                        "s3:PutObject",
                        "s3:PutObjectLegalHold",
                        "s3:PutObjectRetention",
                        "s3:PutObjectTagging",
                        "s3:PutObjectVersionTagging",
                        "sts:AssumeRole",
                    ],
                    resources=["*"],
                ),
                iam.PolicyStatement(
                    actions=[
                        "codeartifact:GetAuthorizationToken",
                        "codeartifact:GetRepositoryEndpoint",
                        "codeartifact:ReadFromRepository",
                    ],
                    resources=["*"],
                ),
                iam.PolicyStatement(
                    actions=["sts:GetServiceBearerToken"],
                    resources=["*"],
                ),
            ]
        )
    },
)

But it didn't change the CodeBuild Role, giving the same error. The ShellStep construct doesn't seem to have a way to pass a Role. Also, I guess this will override the auto-generated Role. Is there any code example for setting up CDK Pipeline with CodeArtifact? Below is the auto-generated Role that CodeBuild is using.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:123456789012:log-group:/aws/codebuild/PipelineBuildSynthCdkBuildP-FPjRaipET6w0:*",
                "arn:aws:logs:us-east-1:123456789012:log-group:/aws/codebuild/PipelineBuildSynthCdkBuildP-FPjRaipET6w0"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "codebuild:BatchPutCodeCoverages",
                "codebuild:BatchPutTestCases",
                "codebuild:CreateReport",
                "codebuild:CreateReportGroup",
                "codebuild:UpdateReport"
            ],
            "Resource": "arn:aws:codebuild:us-east-1:123456789012:report-group/PipelineBuildSynthCdkBuildP-FPjRaipET6w0-*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:Abort*",
                "s3:DeleteObject*",
                "s3:GetBucket*",
                "s3:GetObject*",
                "s3:List*",
                "s3:PutObject",
                "s3:PutObjectLegalHold",
                "s3:PutObjectRetention",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::myapppipelinestack-pipelineartifactsbucketaea9-1i6sj2jynjl5w",
                "arn:aws:s3:::myapppipelinestack-pipelineartifactsbucketaea9-1i6sj2jynjl5w/*"
            ],
            "Effect": "Allow"
        }
    ]
}
answered a year ago
0

You would want to pass your Role to the CodeBuild Project, not CodePipeline - see "role" (service role) in https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_codebuild.Project.html.

EXPERT
answered a year ago
