By using AWS re:Post, you agree to the Terms of Use

Using Bitbucket CodeStar Connection cross account


Account A has CodeStar Connection (sort of Admin account)

Account B wants to create a CodePipeline using the CodeStar connection in account A.

What permissions or setup is needed to achieve this?

Using the connection ARN from account A in account B causes sourcing error in pipeline with message "The provided role does not have sufficient permissions".

Is there any restriction of the "region" of the connection ARN to be used?

asked 8 months ago183 views
1 Answer

Note that CodeStar Connection does not officially support sharing across accounts. As a result, there is no direct way to have a CodeStar Connection (CSC) created in AccountA to trigger a CodePipeline in AccountB. CodeStar Connections will only trigger pipelines that are defined in the same account as the CodeStar Connection.

If you don't care about triggering the pipelines, then you can technically achieve this by:

  1. Creating the CodeStar Connection in AccountA
  2. Creating an IAM role in AccountA that has a trust policy allowing CodePipeline service in spoke accounts to assume it. Make sure that the permissions policy on this IAM role has codestar-connections:UseConnection for the CodeStar Connection created in Step 1.
  3. Use the IAM role from AccountA when defining the Source Action in the CodePipeline which resides in AccountB
answered 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions