How do I configure a CodePipeline source stage with a cross-account CodeCommit repository?
I want to configure an AWS CodePipeline source stage with a cross-account AWS CodeCommit repository.
Resolution
Note: CodeCommit isn't available to new customers. Existing CodeCommit customers can continue to use the service. For more information, see How to migrate your AWS CodeCommit repository to another Git provider.
The following resolution uses Account A for the CodeCommit repository and Account B for CodePipeline.
Create a CodeCommit repository in Account A
To create a CodeCommit repository in Account A, see Create an AWS CodeCommit repository.
Configure a cross-account role in Account A
Complete the following steps:
- Open the AWS Identity and Access Management (IAM) console in Account A.
- In the navigation pane, choose Roles.
- Choose Create a new role, and then complete the following steps:
Choose AWS account as the trusted entity type.
Choose Another AWS account, and then enter Account B's ID.
Enter the IAM role's name, for example cross-account-access-role.
- Create an IAM role with the following trust policy:
Note: Replace example-account-b with the Account B ID.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::example-account-b:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
Create an AWS KMS key to use with CodePipeline in Account B
Note: You must use the AWS Key Management Service (AWS KMS) customer managed key for cross-account deployments. If you don't configure the key, then CodePipeline encrypts the objects with the default encryption and the destination account role can't decrypt the objects.
Complete the following steps:
- Open the AWS KMS console in Account B.
- In the navigation pane, choose Customer managed keys, and then complete the following steps:
For Key type, choose Symmetric.
For Key usage, choose Encrypt and decrypt.
- Expand Advanced options, and then complete the following steps:
For Key material origin, choose KMS.
For Alias, enter your key's alias, for example cmk-key.
For Key Administrator, select the IAM identity that you want to grant key admin access to.
- In the Other AWS accounts section, choose Add another AWS account.
- Enter Account A's ID.
- Choose Finish.
Create a CodePipeline in Account B
Complete the following steps:
- Open the CodePipeline console.
- Choose Create pipeline, and then name the pipeline, for example account_B_pipeline.
Note: The Role name text box automatically populates with the AWSCodePipelineServiceRole-ap-southeast-2-account_B_pipeline service role name. You can also choose an existing service role that has access to the AWS KMS key.
- Expand Advanced settings, and then complete the following steps:
For Artifact store, choose Default location. If needed, you can choose Custom location.
For Encryption Key, choose Customer Managed Key, and then choose cmk-key on the dropdown list.
For Source provider, choose CodeCommit.
For Repository name, enter the repository name, for example account-a-repository, with the branch name main.
- On the Add build stage page, choose Skip build stage, and then choose Skip.
- On the Add deploy stage page, for Deploy provider, choose a service.
- Choose Next to create the pipeline.
Note: If you receive the following error message after you create the pipeline, then see the Update your pipeline to use the cross-account role section of this resolution.
Error message:
"The action failed because no AWS CodeCommit repository named account-a-repository was found. Make sure you are using the correct repository name, and then try again. Error: account-a-repository"
Update the AWS KMS usage policy in Account B
Complete the following steps:
- Open the AWS KMS console in Account B.
- In the Navigation pane, choose Customer managed keys.
- In the table, select your key's alias, for example cmk-key.
- In the Key users section, choose Add.
- Enter the pipeline service role, for example AWSCodePipelineServiceRole-ap-southeast-2-account_B_pipeline.
- Add the pipeline service role to the AWS KMS key policy. The following is an example of the key policy:
{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::example-account-b:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::example-account-b:role/example-service-role/AWSCodePipelineServiceRole-ap-southeast-2-account_B_pipeline",
          "arn:aws:iam::example-account-a:root"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::example-account-b:role/example-service-role/AWSCodePipelineServiceRole-ap-southeast-2-account_B_pipeline",
          "arn:aws:iam::example-account-a:root"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
Note: Replace example-account-b with Account B's ID, example-account-a with Account A's ID, and the role path and name with those of your pipeline service role.
Set up the assume role policy in Account B
Complete the following steps:
- Open the IAM console in Account B.
- In the Navigation pane, choose Roles, and then select your pipeline role.
- Add the following policy to the pipeline role so that it can assume Account A's role:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": [
      "arn:aws:iam::example-account-a:role/example-pipeline-role"
    ]
  }
}
Note: Replace example-account-a with Account A's ID and example-pipeline-role with the name of the role in Account A that the pipeline assumes (cross-account-access-role in this resolution).
Update the bucket policy for the CodePipeline artifact bucket in Account B
Complete the following steps:
- Open the Amazon Simple Storage Service (Amazon S3) console in Account B.
- In the Navigation pane, choose Buckets, and then select your pipeline bucket.
- Choose Permissions, and then choose Bucket Policy.
- In the text editor, update your policy to include the following policy statements:
{
  "Version": "2012-10-17",
  "Id": "example-policy-id",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::example-account-a-id:root",
          "arn:aws:iam::example-account-b-id:root"
        ]
      },
      "Action": [
        "s3:Get*",
        "s3:Put*"
      ],
      "Resource": "arn:aws:s3:::example-pipeline-bucket/*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::example-account-a-id:root",
          "arn:aws:iam::example-account-b-id:root"
        ]
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-pipeline-bucket"
    }
  ]
}
Note: To correctly align with the JSON format, add a comma after the existing statements. Replace example-policy-id with your policy ID, example-account-a-id with your Account A's ID, example-account-b-id with your Account B's ID, and example-pipeline-bucket with the pipeline bucket name.
Create an inline IAM policy for Account A that grants permission to use the AWS KMS key for Account B
Complete the following steps:
- Open the IAM console in Account A.
- In the Navigation pane, choose Roles, and then select your cross-account-access-role.
- Choose Create inline policy.
- On the JSON tab, enter the following policy:
Note: Replace example-account-b-id with Account B's ID, example-key-id with the AWS KMS key ID, and example-pipeline-artifact-bucket with the pipeline artifact bucket name.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:GenerateDataKey*",
        "kms:Encrypt",
        "kms:ReEncrypt*",
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:ap-southeast-2:example-account-b-id:key/example-key-id"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:Put*"
      ],
      "Resource": [
        "arn:aws:s3:::example-pipeline-artifact-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-pipeline-artifact-bucket"
      ]
    }
  ]
}
- Choose Review policy, and then create the policy.
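The key policy, the artifact bucket policy and the inline policy for Account A each have to grant a specific set of actions, and a gap in any of them shows up only as a failed pipeline run. The following Python script is an added example (it is not part of this article and not an AWS tool) that evaluates a KMS key policy and an S3 bucket policy offline and reports which required actions a principal is not granted. The account IDs 111111111111 (Account A) and 222222222222 (Account B), the role name and the bucket name are constructed placeholders; only Allow statements with IAM-style wildcards are modelled, so explicit Deny statements and Condition blocks are ignored.

```python
"""Offline checker for the cross-account pipeline resource policies.

Added example, not part of the AWS article or of any AWS tool. It answers the
question "does this set of Allow statements grant principal P action X on
resource R?" for a KMS key policy and an S3 bucket policy. Only Allow statements
and IAM-style wildcards (* and ?) in Action/Resource are modelled; explicit Deny
statements and Condition blocks are ignored, so an empty result here is
necessary, not sufficient. All account IDs, role and bucket names are
constructed placeholders.
"""
import fnmatch
import json

ACCOUNT_A_ROOT = "arn:aws:iam::111111111111:root"          # placeholder: repository account
ACCOUNT_B_ROOT = "arn:aws:iam::222222222222:root"          # placeholder: pipeline account
PIPELINE_ROLE = ("arn:aws:iam::222222222222:role/service-role/"
                 "AWSCodePipelineServiceRole-example")      # placeholder
ARTIFACT_BUCKET = "arn:aws:s3:::example-pipeline-bucket"   # placeholder

# Constructed KMS key policy for Account B's key, in the shape the article shows.
KEY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": [
       "arn:aws:iam::222222222222:role/service-role/AWSCodePipelineServiceRole-example",
       "arn:aws:iam::111111111111:root"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*"}
  ]
}
""")

# Constructed artifact-bucket policy for Account B, in the shape the article shows.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "arn:aws:iam::222222222222:root"]},
     "Action": ["s3:Get*", "s3:Put*"],
     "Resource": "arn:aws:s3:::example-pipeline-bucket/*"},
    {"Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "arn:aws:iam::222222222222:root"]},
     "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-pipeline-bucket"}
  ]
}
""")

# Concrete actions the pipeline and the Account A role perform, taken from the article's policies.
KMS_ACTIONS = ["kms:DescribeKey", "kms:GenerateDataKey", "kms:Encrypt", "kms:ReEncrypt", "kms:Decrypt"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal_arn):
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or principal_arn in allowed


def _any_match(patterns, value):
    # IAM wildcards (* and ?) behave like fnmatch's; matching is case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def missing_actions(policy, principal_arn, actions, resource="*"):
    """Return the subset of `actions` that no Allow statement grants to
    `principal_arn` on `resource`."""
    return [
        action for action in actions
        if not any(
            stmt.get("Effect") == "Allow"
            and _principal_matches(stmt, principal_arn)
            and _any_match(stmt.get("Action", []), action)
            and _any_match(stmt.get("Resource", []), resource)
            for stmt in policy["Statement"]
        )
    ]


def check_cross_account_setup(key_policy, bucket_policy):
    """Run the checks implied by the article's policies; empty lists mean OK."""
    obj = ARTIFACT_BUCKET + "/SourceArtifact.zip"
    return {
        "pipeline_role_kms": missing_actions(key_policy, PIPELINE_ROLE, KMS_ACTIONS),
        "account_a_kms": missing_actions(key_policy, ACCOUNT_A_ROOT, KMS_ACTIONS),
        "account_a_put": missing_actions(bucket_policy, ACCOUNT_A_ROOT, ["s3:PutObject"], obj),
        "account_a_list": missing_actions(bucket_policy, ACCOUNT_A_ROOT, ["s3:ListBucket"], ARTIFACT_BUCKET),
        "pipeline_get": missing_actions(bucket_policy, ACCOUNT_B_ROOT, ["s3:GetObject"], obj),
    }


if __name__ == "__main__":
    print(json.dumps(check_cross_account_setup(KEY_POLICY, BUCKET_POLICY), indent=2))
```

A grant to an account's root principal in a resource policy only delegates the decision to that account's IAM, which is why the cross-account role in Account A still needs the inline policy above even when the key and bucket policies pass this check. To use it against real policies, replace the two embedded documents with the output of `aws kms get-key-policy` and `aws s3api get-bucket-policy`.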
Update your pipeline to use the cross-account role
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Complete the following steps:
- To save the pipeline definition to a file that's named codepipeline.json, run the get-pipeline command:
aws codepipeline get-pipeline --name example-account-b-pipeline > codepipeline.json
Note: Replace example-account-b-pipeline with Account B's pipeline name.
- Add the cross-account IAM role ARN (roleArn) to the Source stage of the codepipeline.json file:
{
  "name": "Source",
  "actions": [
    {
      "name": "Source",
      "actionTypeId": {
        "category": "Source",
        "owner": "AWS",
        "provider": "CodeCommit",
        "version": "1"
      },
      "runOrder": 1,
      "roleArn": "arn:aws:iam::example-account-a-id:role/example-cross-account-access-role",
      "configuration": {
        "BranchName": "main",
        "OutputArtifactFormat": "CODE_ZIP",
        "PollForSourceChanges": "false",
        "RepositoryName": "example-account-a-repository"
      },
      "outputArtifacts": [
        {
          "name": "SourceArtifact"
        }
      ],
      "inputArtifacts": [],
      "region": "example-region",
      "namespace": "SourceVariables"
    }
  ]
}
Note: Replace example-account-a-id with Account A's ID, example-cross-account-access-role with the cross-account role, example-account-a-repository with Account A's repository, and example-region with your AWS Region.
- Remove the metadata section that's located at the end of the codepipeline.json file. Also, remove the comma that's located before the metadata section.
Example:
"metadata": {
  "pipelineArn": "arn:aws:codepipeline:ap-southeast-2:12345678912:Account_B_pipeline",
  "created": "2023-01-11T05:09:20.235000+00:00",
  "updated": "2023-01-11T17:34:37.294000+00:00"
}
- To update the pipeline, run the update-pipeline command:
aws codepipeline update-pipeline --cli-input-json file://example-codepipeline.json
Note: Replace example-codepipeline.json with the pipeline JSON file. The file:// prefix makes the AWS CLI read the parameters from the file instead of treating the argument itself as a JSON string.
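The three edits above (strip the metadata block, set roleArn on the CodeCommit source action, write the result back) are easy to get wrong by hand, and a stray comma or an unknown top-level key makes update-pipeline fail. The following Python script is an added example (not part of this article and not an AWS tool) that performs the same transformation on the JSON that get-pipeline produces. The embedded pipeline document is a constructed sample; the account IDs, the role ARN, the bucket and key identifiers and the repository name are placeholders.

```python
"""Turn `aws codepipeline get-pipeline` output into `update-pipeline` input.

Added example, not from the AWS article. It removes the `metadata` block that
get-pipeline adds (update-pipeline does not accept it) and sets `roleArn` on
every CodeCommit source action so that the action runs in the repository
account's role. The sample document and all identifiers are constructed
placeholders.
"""
import json
import sys

# Constructed sample of what `aws codepipeline get-pipeline --name ...` returns.
SAMPLE_GET_PIPELINE_OUTPUT = {
    "pipeline": {
        "name": "account_B_pipeline",
        "roleArn": "arn:aws:iam::222222222222:role/service-role/AWSCodePipelineServiceRole-example",
        "artifactStore": {
            "type": "S3",
            "location": "example-pipeline-bucket",
            "encryptionKey": {"id": "arn:aws:kms:ap-southeast-2:222222222222:key/example-key-id",
                              "type": "KMS"},
        },
        "stages": [
            {"name": "Source", "actions": [{
                "name": "Source",
                "actionTypeId": {"category": "Source", "owner": "AWS",
                                 "provider": "CodeCommit", "version": "1"},
                "runOrder": 1,
                "configuration": {"BranchName": "main", "OutputArtifactFormat": "CODE_ZIP",
                                  "PollForSourceChanges": "false",
                                  "RepositoryName": "account-a-repository"},
                "outputArtifacts": [{"name": "SourceArtifact"}],
                "inputArtifacts": [],
                "region": "ap-southeast-2",
                "namespace": "SourceVariables",
            }]},
            {"name": "Deploy", "actions": []},
        ],
        "version": 3,
    },
    "metadata": {
        "pipelineArn": "arn:aws:codepipeline:ap-southeast-2:222222222222:account_B_pipeline",
        "created": "2023-01-11T05:09:20.235000+00:00",
        "updated": "2023-01-11T17:34:37.294000+00:00",
    },
}

# Placeholder ARN of the cross-account role created in Account A.
CROSS_ACCOUNT_ROLE_ARN = "arn:aws:iam::111111111111:role/cross-account-access-role"


def to_update_input(get_output, cross_account_role_arn):
    """Return the document to pass to `update-pipeline --cli-input-json file://...`."""
    doc = json.loads(json.dumps(get_output))   # deep copy so the caller's data is untouched
    doc.pop("metadata", None)                  # read-only block; update-pipeline rejects it
    patched = 0
    for stage in doc["pipeline"]["stages"]:
        for action in stage["actions"]:
            type_id = action["actionTypeId"]
            if type_id["category"] == "Source" and type_id["provider"] == "CodeCommit":
                action["roleArn"] = cross_account_role_arn
                patched += 1
    if patched == 0:
        # Nothing to update: the pipeline has no CodeCommit source action.
        raise ValueError("no CodeCommit source action found in pipeline")
    return doc


def convert_file(src_path, dst_path, cross_account_role_arn):
    """File-to-file variant: src is get-pipeline output, dst is update-pipeline input."""
    with open(src_path, encoding="utf-8") as fh:
        get_output = json.load(fh)
    doc = to_update_input(get_output, cross_account_role_arn)
    with open(dst_path, "w", encoding="utf-8") as fh:
        json.dump(doc, fh, indent=2)
    return doc


if __name__ == "__main__":
    # Usage: python convert.py codepipeline.json updated-codepipeline.json
    if len(sys.argv) == 3:
        convert_file(sys.argv[1], sys.argv[2], CROSS_ACCOUNT_ROLE_ARN)
    else:
        json.dump(to_update_input(SAMPLE_GET_PIPELINE_OUTPUT, CROSS_ACCOUNT_ROLE_ARN),
                  sys.stdout, indent=2)
```

After writing the converted file, run `aws codepipeline update-pipeline --cli-input-json file://updated-codepipeline.json`; because the script re-serializes the whole document, there is no trailing comma to remove by hand.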
Note: You can also use the preceding resolution to use CodeCommit or Amazon S3 from a different AWS account on other AWS services. To do this, integrate the AWS service in the pipeline stages with the source stage from a different account. For more information, see Create a pipeline in CodePipeline that uses resources from another AWS account.