
I'm trying to set up CodeBuild with a CodeCommit source that lives in another AWS account. I believe this can be done using AssumeRole but I've had no luck. Can anyone help provide an example of how to make CodeBuild assume a role specified in another account to access a CodeCommit repo?

Currently my CodeBuild role (in account 22222222) includes the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::11111111:role/Read-CodeCommit"
        }
    ]
}

In account 11111111 the Read-CodeCommit role has the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "codecommit:*"
            ],
            "Resource": "arn:aws:codecommit:us-west-2:11111111:dashboard"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "codecommit:ListRepositories",
            "Resource": "*"
        }
    ]
}

Read-CodeCommit has the following trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::22222222:root",
        "Service": "codebuild.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

Edit: Posting a solution I came up with for anyone who might face a similar issue.

The best I could manage was just to side-step the issue. Instead of setting up CodeCommit as a source, I'm using a custom ECR image which includes CodeCommit credentials. The buildspec then clones from the repo.

It's not as clean as I'd like, but it gets the job done.

Spencer
    It's a year and a half later, and as best I can tell, this is still not possible? Strange, because CodePipeline can do cross account (which is what we've been using), but we're trying to set up more dynamic builds that reference pull requests, and it doesn't appear as though CodeBuild can access CodeCommit in another account. – Jon Nichols Oct 08 '20 at 03:20
  • I also can't see how this is possible given the inputs you provide to CodeBuild. – rix Nov 01 '20 at 11:04
  • 1
    Any idea if anything has changed on this? I am trying to replicate 2 builds on both dev & prod accounts which have the codecommit source from the dev account. – Ron May 17 '21 at 17:02
  • I have now also been struggling for quite a while with solving that issue... it seems like this is still not possible... – Michael Aicher Aug 23 '22 at 16:39
  • Does anyone know where we can upvote a ticket on AWS for this? – Setjmp Apr 04 '23 at 01:03

0 Answers
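The workaround in the question bakes CodeCommit credentials into the ECR build image, which turns a long-lived secret into part of every build. The script below is an added example, not code from the question or its comments: it does the clone from the buildspec with short-lived STS credentials obtained by assuming the Read-CodeCommit role from the question, so nothing secret lives in the image. It assumes the role ARN and the "dashboard" repository in us-west-2 named in the question, a session name of "codebuild-clone", a destination directory "src", and that the AWS CLI and git are present (both are in the standard CodeBuild images). The STS response embedded at the top is constructed so the parsing and credential-export logic can be exercised offline; the only network calls are inside clone_cross_account, which is left commented out.

```shell
#!/bin/sh
# Added example, not from the question or its comments. Assumed names: the
# Read-CodeCommit role ARN and the "dashboard" repository from the question,
# a session name of "codebuild-clone", and a destination directory "src".
set -eu

# Constructed sample of the JSON that `aws sts assume-role` prints. These are
# not real credentials; they exist only so the functions below can be tested.
SAMPLE_STS_JSON='{"Credentials":{"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"secretEXAMPLE","SessionToken":"tokenEXAMPLE/abc+def==","Expiration":"2024-01-01T00:00:00Z"},"AssumedRoleUser":{"AssumedRoleId":"AROAEXAMPLE:codebuild-clone","Arn":"arn:aws:sts::11111111:assumed-role/Read-CodeCommit/codebuild-clone"}}'

# Extract one string value from a single-line JSON document by key. Enough for
# the STS response and avoids a dependency on jq; it is not a general parser.
json_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Turn an assume-role response into the three exports the AWS CLI (and hence
# the CodeCommit credential helper) reads. Fails if any part is missing so a
# build never silently falls back to the build role's own credentials.
creds_to_exports() {
  ak=$(json_field "$1" AccessKeyId)
  sk=$(json_field "$1" SecretAccessKey)
  st=$(json_field "$1" SessionToken)
  if [ -z "$ak" ] || [ -z "$sk" ] || [ -z "$st" ]; then
    echo "assume-role response did not contain a full credential set" >&2
    return 1
  fi
  printf "export AWS_ACCESS_KEY_ID='%s'\nexport AWS_SECRET_ACCESS_KEY='%s'\nexport AWS_SESSION_TOKEN='%s'\n" "$ak" "$sk" "$st"
}

# The build step itself: assume the role in the repository's account, put the
# temporary credentials in the environment, and let the AWS CLI's credential
# helper sign the HTTPS clone with them. 900 seconds is the shortest session
# STS allows and is enough for a clone.
clone_cross_account() {
  role_arn=$1; remote=$2; dest=$3
  resp=$(aws sts assume-role --role-arn "$role_arn" \
      --role-session-name codebuild-clone --duration-seconds 900 --output json)
  exports=$(creds_to_exports "$resp")   # set -e aborts here if the call failed
  eval "$exports"
  git -c 'credential.helper=!aws codecommit credential-helper $@' \
      -c credential.UseHttpPath=true clone "$remote" "$dest"
}

# What the buildspec's pre_build phase would run (commented out so the file can
# be sourced without network access):
# clone_cross_account arn:aws:iam::11111111:role/Read-CodeCommit \
#   https://git-codecommit.us-west-2.amazonaws.com/v1/repos/dashboard src
```

With this approach the CodeBuild project no longer points at the CodeCommit repository as its source (a source of type NO_SOURCE, or whatever else the build needs, works); the repository is fetched inside the build. Two things in the question's policies can be tightened for it: a clone only needs codecommit:GitPull on the repository ARN rather than codecommit:*, and since the sts:AssumeRole call is made with the build role's credentials, the trust policy's Principal can be narrowed from arn:aws:iam::22222222:root (any principal in that account that is itself allowed to call AssumeRole) to the CodeBuild role's ARN; the codebuild.amazonaws.com service principal plays no part in that call.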