
Commit bd46e49

skinny85Elad Ben-Israel
authored and
Elad Ben-Israel
committed
fix(codepipeline): grant the CodeCommit source Action read-write permissions to the Pipeline's Bucket. (#3175)
Fixes #3170
1 parent e36a8b7 commit bd46e49

8 files changed

+75
-26
lines changed

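--- a/packages/@aws-cdk/aws-codepipeline-actions/lib/codecommit/source-action.ts
+++ b/packages/@aws-cdk/aws-codepipeline-actions/lib/codecommit/source-action.ts
@@ -91,7 +91,7 @@ export class CodeCommitSourceAction extends Action {
 
 // the Action will write the contents of the Git repository to the Bucket,
 // so its Role needs write permissions to the Pipeline Bucket
-options.bucket.grantWrite(options.role);
+options.bucket.grantReadWrite(options.role);
 
 // https://docs.aws.amazon.com/codecommit/latest/userguide/auth-and-access-control-permissions-reference.html#aa-acp
 options.role.addToPolicy(new iam.PolicyStatement({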
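Review bot: The two-line comment directly above the changed call still says the Role needs only "write permissions", while the call now grants read-write; the expected.json changes in this commit show the role additionally receives s3:GetObject*, s3:GetBucket* and s3:List* on the pipeline bucket plus kms:Decrypt and kms:DescribeKey on its key. That widening is deliberate (Fixes #3170) but is not explained at the point where it happens, so a later least-privilege cleanup could narrow it back to grantWrite and reintroduce the bug. Suggest rewriting the comment to `// the Action writes the contents of the Git repository to the Bucket and also needs to read from it (see #3170),` followed by `// so its Role needs read-write permissions to the Pipeline Bucket`. The enclosing method of CodeCommitSourceAction starts and ends outside the hunk.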

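--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json
@@ -69,6 +69,8 @@
 },
 {
 "Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"
@@ -448,6 +450,9 @@
 "Statement": [
 {
 "Action": [
+"s3:GetObject*",
+"s3:GetBucket*",
+"s3:List*",
 "s3:DeleteObject*",
 "s3:PutObject*",
 "s3:Abort*"
@@ -478,6 +483,8 @@
 },
 {
 "Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"
@@ -814,4 +821,4 @@
 }
 }
 }
-}
+}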

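--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json
@@ -62,6 +62,8 @@
 },
 {
 "Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"
@@ -79,6 +81,8 @@
 },
 {
 "Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"
@@ -567,6 +571,9 @@
 "Statement": [
 {
 "Action": [
+"s3:GetObject*",
+"s3:GetBucket*",
+"s3:List*",
 "s3:DeleteObject*",
 "s3:PutObject*",
 "s3:Abort*"
@@ -597,6 +604,8 @@
 },
 {
 "Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"
@@ -675,6 +684,9 @@
 "Statement": [
 {
 "Action": [
+"s3:GetObject*",
+"s3:GetBucket*",
+"s3:List*",
 "s3:DeleteObject*",
 "s3:PutObject*",
 "s3:Abort*"
@@ -705,6 +717,8 @@
 },
 {
 "Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"
@@ -1610,4 +1624,4 @@
 }
 }
 }
-}
+}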

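--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-build-multiple-inputs-outputs.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-build-multiple-inputs-outputs.expected.json
@@ -158,9 +158,25 @@
 },
 {
 "Action": [
-"s3:DeleteObject*",
-"s3:PutObject*",
-"s3:Abort*"
+"codecommit:GetBranch",
+"codecommit:GetCommit",
+"codecommit:UploadArchive",
+"codecommit:GetUploadArchiveStatus",
+"codecommit:CancelUploadArchive"
+],
+"Effect": "Allow",
+"Resource": {
+"Fn::GetAtt": [
+"MyRepoF4F48043",
+"Arn"
+]
+}
+},
+{
+"Action": [
+"s3:GetObject*",
+"s3:GetBucket*",
+"s3:List*"
 ],
 "Effect": "Allow",
 "Resource": [
@@ -188,25 +204,9 @@
 },
 {
 "Action": [
-"codecommit:GetBranch",
-"codecommit:GetCommit",
-"codecommit:UploadArchive",
-"codecommit:GetUploadArchiveStatus",
-"codecommit:CancelUploadArchive"
-],
-"Effect": "Allow",
-"Resource": {
-"Fn::GetAtt": [
-"MyRepoF4F48043",
-"Arn"
-]
-}
-},
-{
-"Action": [
-"s3:GetObject*",
-"s3:GetBucket*",
-"s3:List*"
+"s3:DeleteObject*",
+"s3:PutObject*",
+"s3:Abort*"
 ],
 "Effect": "Allow",
 "Resource": [
@@ -650,4 +650,4 @@
 }
 }
 }
-}
+}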

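--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.expected.json
@@ -284,6 +284,8 @@
 },
 {
 "Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"
@@ -654,6 +656,9 @@
 "Statement": [
 {
 "Action": [
+"s3:GetObject*",
+"s3:GetBucket*",
+"s3:List*",
 "s3:DeleteObject*",
 "s3:PutObject*",
 "s3:Abort*"
@@ -684,6 +689,8 @@
 },
 {
 "Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"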

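--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit.expected.json
@@ -134,6 +134,8 @@
 },
 {
 "Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"
@@ -419,6 +421,9 @@
 "Statement": [
 {
 "Action": [
+"s3:GetObject*",
+"s3:GetBucket*",
+"s3:List*",
 "s3:DeleteObject*",
 "s3:PutObject*",
 "s3:Abort*"
@@ -449,6 +454,8 @@
 },
 {
 "Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"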

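--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-events.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-events.expected.json
@@ -62,6 +62,8 @@
 },
 {
 "Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"
@@ -379,6 +381,9 @@
 "Statement": [
 {
 "Action": [
+"s3:GetObject*",
+"s3:GetBucket*",
+"s3:List*",
 "s3:DeleteObject*",
 "s3:PutObject*",
 "s3:Abort*"
@@ -409,6 +414,8 @@
 },
 {
 "Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"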

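--- a/packages/decdk/test/__snapshots__/synth.test.js.snap
+++ b/packages/decdk/test/__snapshots__/synth.test.js.snap
@@ -2026,6 +2026,8 @@ Object {
 },
 Object {
 "Action": Array [
+"kms:Decrypt",
+"kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*",
@@ -2699,6 +2701,9 @@ Object {
 "Statement": Array [
 Object {
 "Action": Array [
+"s3:GetObject*",
+"s3:GetBucket*",
+"s3:List*",
 "s3:DeleteObject*",
 "s3:PutObject*",
 "s3:Abort*",
@@ -2729,6 +2734,8 @@ Object {
 },
 Object {
 "Action": Array [
+"kms:Decrypt",
+"kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*",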
