Using Bitbucket CodeStar Connection cross account

Question

Account A has CodeStar Connection (sort of Admin account)

Account B wants to create a CodePipeline using the CodeStar connection in account A.

What permissions or setup is needed to achieve this?

Using the connection ARN from account A in account B causes sourcing error in pipeline with message "The provided role does not have sufficient permissions".

Is there any restriction of the "region" of the connection ARN to be used?

Answer

Note that CodeStar Connection does not officially support sharing across accounts.  As a result, there is no direct way to have a CodeStar Connection (CSC) created in AccountA to trigger a CodePipeline in AccountB. CodeStar Connections will only trigger pipelines that are defined in the same account as the CodeStar Connection.

If you don't care about triggering the pipelines, then you can technically achieve this by:

1. Creating the CodeStar Connection in AccountA
2. Creating an IAM role in AccountA that has a trust policy allowing CodePipeline service in spoke accounts to assume it.  Make sure that the permissions policy on this IAM role has `codestar-connections:UseConnection` for the CodeStar Connection created in Step 1.
3. Use the IAM role from AccountA when defining the Source Action in the CodePipeline which resides in AccountB

Using Bitbucket CodeStar Connection cross account

관련 콘텐츠