CodePipeline lambda action does not have access to artifact bucket #3274
Comments
Thanks for opening the issue @jellevandenhooff . The reason a Lambda function invoked in a CodePipeline does not need permissions to the artifact Bucket is that it gets a signed URL to the artifacts in the body of the event it receives. That link should be used to read and write the artifacts, not the Lambda Role permissions. Hope this helps! Thanks, Adam
There’s no signed URL in the event as far as I can tell (using the go lambda sdk event struct). There’s temporary access keys — did you mean those? I am using those keys, but they didn’t work until I set the action’s role to be the pipeline’s role.
I meant these:
https://docs.aws.amazon.com/codepipeline/latest/userguide/actions-invoke-lambda-function.html#actions-invoke-lambda-function-json-event-example

```json
{
  "CodePipeline.job": {
    "id": "11111111-abcd-1111-abcd-111111abcdef",
    "accountId": "111111111111",
    "data": {
      "actionConfiguration": {
        "configuration": {
          "FunctionName": "MyLambdaFunctionForAWSCodePipeline",
          "UserParameters": "some-input-such-as-a-URL"
        }
      },
      "inputArtifacts": [
        {
          "location": {
            "s3Location": {
              "bucketName": "the name of the bucket configured as the pipeline artifact store in Amazon S3, for example codepipeline-us-east-2-1234567890",
              "objectKey": "the name of the application, for example CodePipelineDemoApplication.zip"
            },
            "type": "S3"
          },
          "revision": null,
          "name": "ArtifactName"
        }
      ],
      "outputArtifacts": [],
      "artifactCredentials": {
        "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "sessionToken": "sessionToken",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE"
      },
      "continuationToken": "A continuation token if continuing job",
      "encryptionKey": {
        "id": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "type": "KMS"
      }
    }
  }
}
```

The artifactCredentials field above.
Ah, yes, that is the field I am using in my code. With the default generated permissions, using the artifactCredentials gives an AccessDenied error. Calling `aws sts get-caller-identity` with those credentials gave me the role associated with the step, and the permissions for that role were only to invoke the lambda. Adding permissions to access the bucket makes things work, but that doesn't happen automatically. Does that make sense?
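As an added example (not code from this issue or from the CDK project), here is a Python Lambda handler that does what the thread describes: it reads the input artifact with the temporary artifactCredentials carried in the event rather than with the Lambda execution role, and when S3 answers AccessDenied it reports the job as failed with a message naming the missing action-role grant. boto3 is assumed to be available in the Lambda runtime, and the sample event is constructed from the docs example quoted above.

```python
from collections import namedtuple

# job-scoped credentials (boto3 Session kwargs) travel in the event, separate from the Lambda role
ArtifactJob = namedtuple("ArtifactJob", "job_id bucket key creds")

def parse_job(event: dict) -> ArtifactJob:
    """Pull the first input artifact's S3 location and the job-scoped credentials from a CodePipeline.job event."""
    job = event["CodePipeline.job"]
    inputs = job["data"].get("inputArtifacts") or []
    if not inputs:
        raise ValueError("action has no input artifacts to read")
    loc = inputs[0]["location"]
    if loc.get("type") != "S3":
        raise ValueError(f"unsupported artifact location type {loc.get('type')!r}")
    c = job["data"]["artifactCredentials"]
    return ArtifactJob(job["id"], loc["s3Location"]["bucketName"], loc["s3Location"]["objectKey"],
                       {"aws_access_key_id": c["accessKeyId"], "aws_secret_access_key": c["secretAccessKey"],
                        "aws_session_token": c["sessionToken"]})

def diagnose_s3_error(code: str, job: ArtifactJob) -> str:
    # AccessDenied means the *action* role (owner of the temporary keys in the event), not the
    # Lambda's own execution role, lacks access to the artifact bucket: the bug in this issue.
    if code == "AccessDenied":
        return (f"action role denied s3:GetObject on s3://{job.bucket}/{job.key}; "
                "grant the CodePipeline action role read access to the artifact bucket")
    return f"S3 error {code} reading s3://{job.bucket}/{job.key}"

def handler(event, context):
    """Lambda entry point: read the artifact with the event's credentials, then report the job result."""
    import boto3  # present in the Lambda runtime; the helpers above do not need it
    from botocore.exceptions import ClientError
    job = parse_job(event)
    s3 = boto3.Session(**job.creds).client("s3")   # scoped to the action role via artifactCredentials
    pipeline = boto3.client("codepipeline")        # Lambda execution role: allowed to report job results
    try:
        body = s3.get_object(Bucket=job.bucket, Key=job.key)["Body"].read()
    except ClientError as e:
        pipeline.put_job_failure_result(jobId=job.job_id, failureDetails={
            "type": "PermissionError", "message": diagnose_s3_error(e.response["Error"]["Code"], job)})
    else:  # ... inspect or transform `body` here, then mark the job done ...
        pipeline.put_job_success_result(jobId=job.job_id)

# Constructed sample event, shaped like the docs example quoted in this thread.
SAMPLE_EVENT = {"CodePipeline.job": {"id": "11111111-abcd-1111-abcd-111111abcdef", "data": {
    "inputArtifacts": [{"name": "ArtifactName", "location": {"type": "S3", "s3Location": {
        "bucketName": "codepipeline-us-east-2-1234567890", "objectKey": "CodePipelineDemoApplication.zip"}}}],
    "outputArtifacts": [],
    "artifactCredentials": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionToken": "sessionToken",
                            "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}}}}
```

The pipeline client deliberately uses the function's own role, which CDK does grant the job-result permissions; only the S3 access goes through the action role, which is where the AccessDenied in this issue came from.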
Let me try to reproduce this locally @jellevandenhooff . I'll report back.
You were correct @jellevandenhooff . Apologies you ran into this. I'll have a PR out with a fix today.
…cket The Lambda invoke action was missing granting permissions to the artifact bucket, which meant attempts to use the credentials passed to it in the event resulted in an "access denied" when attempting to read and/or write the action pipeline artifacts. The fix is to grant the action role permissions to the artifact bucket (read-write if the action has any outputs, just read if the action has only inputs). Fixes aws#3274
…eline bucket (#3303) The Lambda invoke action was missing granting permissions to the artifact bucket, which meant attempts to use the credentials passed to it in the event resulted in an "access denied" when trying to read and/or write the action pipeline artifacts. The fix is to grant the action role permissions to the artifact bucket (write if the action has any outputs, read if the action has any inputs). Fixes #3274
What is the current behavior?
Create a CodePipeline pipeline and action that invokes Lambda. Use the CodePipeline artifact credentials in the Lambda function to access the input artifact. This fails with a permission error.
Some related code:
What is the expected behavior (or behavior of feature suggested)?
It works. Changing the role on the action to be pipeline.role fixes it.