It worked! I added the following role policy to the CodePipeline synth_code_build_defaults parameter.

from aws_cdk import aws_iam as iam
from aws_cdk.pipelines import CodeBuildOptions, CodePipeline

# Extra permissions for the synth CodeBuild project: read from CodeArtifact and
# obtain the service bearer token that a CodeArtifact login needs. The condition
# limits the bearer token to CodeArtifact.
role_policy = [
    iam.PolicyStatement(
        actions=[
            "codeartifact:GetAuthorizationToken",
            "codeartifact:GetRepositoryEndpoint",
            "codeartifact:ReadFromRepository",
        ],
        resources=["*"],
    ),
    iam.PolicyStatement(
        actions=["sts:GetServiceBearerToken"],
        resources=["*"],
        conditions={
            "StringEquals": {"sts:AWSServiceName": "codeartifact.amazonaws.com"}
        },
    ),
]

pipeline = CodePipeline(
    ...
    synth_code_build_defaults=CodeBuildOptions(role_policy=role_policy),
)
Thank you!
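As an added example (not code from the thread), the same grant scoped to a single CodeArtifact domain and repository instead of "*", plus a small audit that flags the two weak spots a reviewer would look for in a synth role: CodeArtifact actions on a wildcard resource, and sts:GetServiceBearerToken without the sts:AWSServiceName condition. The region, account, domain and repository names are constructed placeholders; the statements are plain policy JSON that can be fed to iam.PolicyStatement.from_json in CDK.

```python
# Least-privilege CodeArtifact read statements for a CodeBuild synth role, and an
# audit for the weak forms seen in the thread. All identifiers are placeholders.
CODEARTIFACT_READ_ACTIONS = [
    "codeartifact:GetAuthorizationToken",
    "codeartifact:GetRepositoryEndpoint",
    "codeartifact:ReadFromRepository",
]


def codeartifact_read_statements(region, account, domain, repository):
    """Statements scoped to one domain/repository.

    GetAuthorizationToken is authorized on the domain ARN; GetRepositoryEndpoint
    and ReadFromRepository on the repository ARN. sts:GetServiceBearerToken has
    no resource-level scoping, so it stays on "*" but is pinned to CodeArtifact
    through the sts:AWSServiceName condition."""
    domain_arn = f"arn:aws:codeartifact:{region}:{account}:domain/{domain}"
    repo_arn = f"arn:aws:codeartifact:{region}:{account}:repository/{domain}/{repository}"
    return [
        {"Effect": "Allow", "Action": ["codeartifact:GetAuthorizationToken"],
         "Resource": domain_arn},
        {"Effect": "Allow",
         "Action": ["codeartifact:GetRepositoryEndpoint", "codeartifact:ReadFromRepository"],
         "Resource": repo_arn},
        {"Effect": "Allow", "Action": ["sts:GetServiceBearerToken"], "Resource": "*",
         "Condition": {"StringEquals": {"sts:AWSServiceName": "codeartifact.amazonaws.com"}}},
    ]


def audit_statements(statements):
    """Return findings for wildcard CodeArtifact grants and unconditioned bearer tokens."""
    findings = []
    for i, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "sts:GetServiceBearerToken" in actions:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("sts:AWSServiceName") != "codeartifact.amazonaws.com":
                findings.append(f"statement {i}: sts:GetServiceBearerToken lacks "
                                "the sts:AWSServiceName condition")
        elif any(a.startswith("codeartifact:") for a in actions) and "*" in resources:
            findings.append(f"statement {i}: codeartifact actions granted on Resource '*'")
    return findings
```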
When you define a build project you can give it a ServiceRole - "The ARN of the IAM role that enables AWS CodeBuild to interact with dependent AWS services on behalf of the AWS account". Adding the right CodeArtifact permissions in that role should solve your problem.
I tried to pass the following Role to the CodePipeline class.

from aws_cdk import aws_iam as iam

# Pipeline role with an inline policy for the artifact bucket and CodeArtifact
role = iam.Role(
    self,
    "PipelineRole",
    role_name="PipelineRole",
    assumed_by=iam.ServicePrincipal("codepipeline.amazonaws.com"),
    inline_policies={
        "AccessCodeArtifact": iam.PolicyDocument(
            statements=[
                iam.PolicyStatement(
                    actions=[
                        "s3:Abort*",
                        "s3:DeleteObject*",
                        "s3:GetBucket*",
                        "s3:GetObject*",
                        "s3:List*",
                        "s3:PutObject",
                        "s3:PutObjectLegalHold",
                        "s3:PutObjectRetention",
                        "s3:PutObjectTagging",
                        "s3:PutObjectVersionTagging",
                        "sts:AssumeRole",
                    ],
                    resources=["*"],
                ),
                iam.PolicyStatement(
                    actions=[
                        "codeartifact:GetAuthorizationToken",
                        "codeartifact:GetRepositoryEndpoint",
                        "codeartifact:ReadFromRepository",
                    ],
                    resources=["*"],
                ),
                iam.PolicyStatement(
                    actions=["sts:GetServiceBearerToken"],
                    resources=["*"],
                ),
            ]
        )
    },
)

But it didn't change the CodeBuild Role, giving the same error. The ShellStep construct doesn't seem to have a way to pass a Role. Also I guess this will override the auto-generated Role. Is there any code example for setting up CDK Pipeline with CodeArtifact? Below is the auto-generated Role that CodeBuild is using.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:123456789012:log-group:/aws/codebuild/PipelineBuildSynthCdkBuildP-FPjRaipET6w0:*",
        "arn:aws:logs:us-east-1:123456789012:log-group:/aws/codebuild/PipelineBuildSynthCdkBuildP-FPjRaipET6w0"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "codebuild:BatchPutCodeCoverages",
        "codebuild:BatchPutTestCases",
        "codebuild:CreateReport",
        "codebuild:CreateReportGroup",
        "codebuild:UpdateReport"
      ],
      "Resource": "arn:aws:codebuild:us-east-1:123456789012:report-group/PipelineBuildSynthCdkBuildP-FPjRaipET6w0-*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:Abort*",
        "s3:DeleteObject*",
        "s3:GetBucket*",
        "s3:GetObject*",
        "s3:List*",
        "s3:PutObject",
        "s3:PutObjectLegalHold",
        "s3:PutObjectRetention",
        "s3:PutObjectTagging",
        "s3:PutObjectVersionTagging"
      ],
      "Resource": [
        "arn:aws:s3:::myapppipelinestack-pipelineartifactsbucketaea9-1i6sj2jynjl5w",
        "arn:aws:s3:::myapppipelinestack-pipelineartifactsbucketaea9-1i6sj2jynjl5w/*"
      ],
      "Effect": "Allow"
    }
  ]
}
You would want to pass your Role to the CodeBuild Project, not CodePipeline - see "role" (service role) in https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_codebuild.Project.html.