CodePipeline -> CodeDeploy blue/green ECS Insufficient permissions

0

I'm trying to set up CodePipeline to do a blue/green CodeDeploy in a different account. I've been following the documentation at https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html and https://docs.aws.amazon.com/AmazonECS/latest/developerguide/codedeploy_IAM_role.html

So far the CodeDeploy deployment works in the deployment account, but I cannot get the Pipeline step to invoke it.

I have three IAM roles involved. In the build account the CodePipeline role has permission to assume the Deployment role in the deployment account. The Deployment role has permission to invoke CodeDeploy and read the shared S3 bucket and KMS key (both are held in the build account and have policies allowing the deployment account access). The CodeDeploy role has all the permissions documented to do a blue/green deployment.

The only error I get is "Insufficient permissions
The provided role does not have sufficient permissions to access CodeDeploy", but the role passed in to CodePipeline has full access to CodeDeploy. There must be a permission I'm missing but given the lack of information I cannot figure out what it is.

asked 5 years ago1456 views
3 Answers
0

After more investigation I've found the API event in CloudTrail. It's getting

{  [...]
    "errorCode": "AccessDenied",
    "errorMessage": "User: arn:aws:sts::xxxx:assumed-role/codedeploy_pipeline_xxxx_test/xxxx is not authorized to perform: codedeploy:GetApplication on resource: arn:aws:codedeploy:ap-southeast-2:xxxx:application:xxxx-test",
}

but the IAM policy document for that role contains

        {
            "Action": [
                "codedeploy:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },

It was more restrictive but I added the wildcard to try to debug. The policy simulator says GetApplication should work.

answered 5 years ago
0

After even more digging through CloudTrail I discovered the root was a missing iam:PassRole for the ECS container role. This was present on the CodeDeploy role but not on the role passed to CodePipeline to invoke CodeDeploy. The final policy for the CodeDeploy role is

{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Action": [
            "codedeploy:CreateDeployment",
            "codedeploy:GetDeployment",
            "codedeploy:GetDeploymentConfig",
            "codedeploy:GetApplicationRevision",
            "codedeploy:RegisterApplicationRevision",
            "codedeploy:GetApplication",
            "ecs:RegisterTaskDefinition"
        ],
        "Resource": "*",
        "Effect": "Allow"
    },
    {
        "Action": [
            "s3:GetObject*",
            "s3:PutObject",
            "s3:PutObjectAcl"
        ],
        "Resource": "arn:aws:s3:::deployment_intermediate_bucket/*",
        "Effect": "Allow"
    },
    {
        "Action": [ "s3:ListBucket"],
        "Resource": "arn:aws:s3:::deployment_intermediate_bucket",
        "Effect": "Allow"
    },
    {
        "Effect": "Allow",
        "Action": [
            "kms:DescribeKey",
            "kms:GenerateDataKey*",
            "kms:Encrypt",
            "kms:ReEncrypt*",
            "kms:Decrypt"
        ],
        "Resource": [
            "${var.deployment_kms_key_arn}"
        ]
    },
    {
        "Action": [
            "iam:PassRole"
        ],
        "Effect": "Allow",
        "Resource": "ecs_container_role_arn"
    }
  ]
}

I'm going to try to lock this down some more, in particular the PassRole. The condition string used on the CodeDeploy side didn't seem to work, but I may have entered it wrong.

Edited by: phillipion on Jun 27, 2019 3:54 PM

answered 5 years ago
0

How did it go?

answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions