
I am attempting to follow this example of setting up an AWS Pipeline for use across multiple accounts. I have the four different accounts set up. I've followed through on each step of the process successfully. No commands are generating any errors. The pipeline completes successfully. I can then connect to the pipeline and commit my code changes. In short, every single step up to the final one works as written in the documentation.

However, I'm then presented with an error on the initial trigger of the code commit:

Insufficient permissions The service role or action role doesn’t have the permissions required to access the AWS CodeCommit repository named dbmigration. Update the IAM role permissions, and then try again. Error: User: arn:aws:sts::12345678912:assumed-role/my-pipeline-CodePipelineRole-1UPXOXOXO1WD0H/987654321 is not authorized to perform: codecommit:UploadArchive on resource: arn:aws:codecommit:us-east-2:123456789:dbmigration

The AWS Account I used to create the pipeline is not the root account, but an IAM Administrator login with admin privileges across the account. I've tried adding AWSCodeCommitFullAccess and AWSCodePipelineFullAccess, which I would have thought would have been part of Administration anyway. However, that didn't change anything.

My assumption is I've done something horribly wrong, but I'm not able to identify what that is. Any suggestions for better troubleshooting, let alone suggestions on how to fix it would be most welcome.

The code used to create the pipeline, again, run using the IAM login, Administrator, from a fourth AWS account, is as follows:

```powershell
aws cloudformation deploy --stack-name my-pipeline `
    --template-file db-migration-master.yml `
    --parameter-overrides ProjectName=dbmigration `
        EmailAddress=grant@scarydba.com `
        DevAccountId=98765432123 `
        TestAccountId=123456789012 `
        ProdAccountID=210987654321 `
    --capabilities CAPABILITY_NAMED_IAM
```

All the templates are from the linked article and not modified or customized.

Grant Fritchey
    The error is not about IAM user permissions. It's about the `my-pipeline-CodePipelineRole-1UPXOXOXO1WD0H/987654321` role not having permissions to act on the CC repo. Probably need to add the missing permissions to this role. Have you tried that? – Marcin Jul 16 '20 at 11:27
  • Happy to give it a go. Which permission is it? Specifically on the repo? Wouldn't having AWSCodeCommitFullAccess take care of that? – Grant Fritchey Jul 16 '20 at 11:40
  • ah, I see what you're saying. The role. Sorry. Still learning. Checked it. It has AWSCodeCommitReadOnly permissions currently. – Grant Fritchey Jul 16 '20 at 11:41
  • Added the permission AWSCodeCommitPowerUser. It's still giving the same error message on the same resource. – Grant Fritchey Jul 16 '20 at 11:44
  • `AWSCodeCommitPowerUser` does not allow for `UploadArchive`. The `UploadArchive` action is "Grants permission to the service role for AWS CodePipeline to upload repository changes into a pipeline". – Marcin Jul 16 '20 at 11:57
  • 1
    You can add the `UploadArchive` to the `my-pipeline-CodePipelineRole-1UPXOXOXO1WD0H/987654321` as an [inline policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#inline-policies) and see how it goes. – Marcin Jul 16 '20 at 11:59
  • 1
    That did the trick. Course, the next step failed too. Yay. Off to troubleshoot it. You should make this into an answer so you get credit. Not sure why this permission wasn't included in the initial template. – Grant Fritchey Jul 16 '20 at 12:05
  • Glad to hear. Yes, I would be happy to make an answer. Thanks:-) – Marcin Jul 16 '20 at 12:06

1 Answer

Based on the comments.

The error message indicated that the role my-pipeline-CodePipelineRole-1UPXOXOXO1WD0H/987654321 was missing permission codecommit:UploadArchive which:

Grants permission to the service role for AWS CodePipeline to upload repository changes into a pipeline

The solution was to add the codecommit:UploadArchive to the role as an inline policy.

Marcin
  • 1
    Not only did it solve the first problem, but the second & third problems with the pipeline were all permissions related for the pipeline role. So, evidently, the template may have missed a step somewhere along the way. Or, possibly, some stuff has changed internally in AWS Pipelines. Either way, this fixed all the issues. Thanks. – Grant Fritchey Jul 16 '20 at 12:17
  • @GrantFritchey No problem. Glad it's working now. It's possible that since the blog was written, new permissions have been added. – Marcin Jul 16 '20 at 12:18
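As an added illustration (not part of the original answer or of the linked templates): building the inline policy the answer describes, scoped to the repository ARN quoted in the error message, with a small local check that the document covers the denied action. The actions beyond `UploadArchive` are the CodeCommit actions AWS's default CodePipeline service-role policy grants for a source stage; the evaluator is a simplified model of IAM (no conditions, no permissions boundaries), and the policy `Sid` is an arbitrary name chosen here.

```python
import fnmatch
import re

# Repository ARN as quoted in the question's error message.
REPO_ARN = "arn:aws:codecommit:us-east-2:123456789:dbmigration"

# CodeCommit actions the default CodePipeline service-role policy grants for a
# source stage; UploadArchive is the one the error message named.
SOURCE_ACTIONS = [
    "codecommit:CancelUploadArchive",
    "codecommit:GetBranch",
    "codecommit:GetCommit",
    "codecommit:GetRepository",
    "codecommit:GetUploadArchiveStatus",
    "codecommit:UploadArchive",
]

def build_inline_policy(repo_arn: str) -> dict:
    """Least-privilege inline policy: only the source-stage actions, only this repo."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CodePipelineCodeCommitSource",  # arbitrary statement name
            "Effect": "Allow",
            "Action": SOURCE_ACTIONS,
            "Resource": repo_arn,
        }],
    }

def parse_access_denied(message: str):
    """Pull (action, resource) out of an IAM 'is not authorized to perform' error."""
    m = re.search(r"not authorized to perform: (\S+) on resource: (\S+)", message)
    return (m.group(1), m.group(2)) if m else None

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation (no conditions): an explicit Deny wins, otherwise
    any matching Allow grants; IAM's '*' and '?' wildcards handled via fnmatch."""
    def matches(stmt):
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        return (any(fnmatch.fnmatchcase(action, a) for a in actions)
                and any(fnmatch.fnmatchcase(resource, r) for r in resources))
    stmts = policy["Statement"]
    if any(s["Effect"] == "Deny" and matches(s) for s in stmts):
        return False
    return any(s["Effect"] == "Allow" and matches(s) for s in stmts)
```

Save the returned document as `policy.json` and attach it with `aws iam put-role-policy --role-name <pipeline role name> --policy-name CodeCommitSource --policy-document file://policy.json`; the local check only validates the document's shape, so the pipeline still has to be re-run in the account to confirm.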