I am trying to make use of a CodeStar connection that exists in Account A in an Account B CodePipeline; however, I am currently getting the following error:

Unable to use Connection: arn:aws:codestar-connections:ap-southeast-2:xxxxxxxxxxxx:connection/xxxxxxxxxxxx. The provided role does not have sufficient permissions.

The role has the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "codestar-connections:UseConnection",
            "Resource": "arn:aws:codestar-connections:ap-southeast-2:xxxxxxxxxxxx:connection/xxxxxxxxxxxx"
        }
    ]
}

Do I need to configure anything in Account A to make Account B be able to use the CodeStar connection?

CJW

1 Answer

Unfortunately, cross-account connections cannot be set up.

If the method you described would work, you could simply fill in any account id / connection name to hijack someone's repo.

All resources that support cross-account sharing have some type of resource-based policy attached to them (think of S3 bucket policies, or KMS key policies). Connections do not have resource-based policies and are also not supported by AWS Resource Access Manager, so they can't be used in other accounts, unfortunately. Set up the connection in the other account as well to make use of the repo.

LRutten
  • Is this true even if you create a role in the target account that includes the codestar connection and then give sts:assumeRole to the source account? Can the source account explicitly assume the role of the role in the target account and then access the connection? – Zambonilli Apr 26 '22 at 22:41
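
The answer's point about resource-based policies, as an added example that is not part of the original answer or comment: a simplified model (not AWS's actual evaluation engine) in which a cross-account request needs an allow from both the caller's identity policy and the resource's own policy. The account IDs, resource IDs and both policies are constructed, and conditions, SCPs, permission boundaries and session policies are ignored.

```python
import fnmatch

def arn_account(arn):
    # arn:partition:service:region:account-id:resource
    return arn.split(":", 5)[4]

def as_list(value):
    return value if isinstance(value, list) else [value]

def principal_matches(principal, account):
    # Simplified: only "*" and account-level principals (ID or :root ARN).
    if principal == "*":
        return True
    return any(p == account or (p.endswith(":root") and arn_account(p) == account)
               for p in as_list(principal.get("AWS", [])))

def policy_effect(policy, action, resource, caller_account=None):
    """Return "Deny", "Allow" or None when no statement matches."""
    effect = None
    for st in as_list(policy["Statement"]):
        if "Principal" in st and not principal_matches(st["Principal"], caller_account):
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return "Deny"          # an explicit deny always wins
        effect = "Allow"
    return effect

def is_allowed(caller_account, identity_policy, action, resource, resource_policy=None):
    ident = policy_effect(identity_policy, action, resource)
    res = (policy_effect(resource_policy, action, resource, caller_account)
           if resource_policy else None)
    if "Deny" in (ident, res):
        return False
    if arn_account(resource) == caller_account:
        return "Allow" in (ident, res)           # same account: one allow suffices
    return ident == "Allow" and res == "Allow"   # cross-account: both sides must allow

# Constructed sample data: Account A owns the resources, Account B is the caller.
ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"
CONNECTION = f"arn:aws:codestar-connections:ap-southeast-2:{ACCOUNT_A}:connection/example-id"
KMS_KEY = f"arn:aws:kms:ap-southeast-2:{ACCOUNT_A}:key/example-id"
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["codestar-connections:UseConnection", "kms:Decrypt"],
     "Resource": [CONNECTION, KMS_KEY]}]}
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
     "Action": "kms:Decrypt", "Resource": "*"}]}
```

With these inputs, the Account B role is refused on the connection, which has no resource policy to grant the other half, while the same role is allowed on the KMS key whose key policy names Account B.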