

fix(pipelines): CodeBuild Action role can be assumed by too many identities (#25316)

CDK Pipelines creates a single Role which has permissions to start all
CodeBuild jobs. The AssumeRolePolicy for this Role contained a mistake,
which allowed all roles in the same account with appropriate
`sts:AssumeRole` permissions to assume the Role.

Fix this by limiting the AssumeRolePolicy to the pipeline's own execution role; that role is already available in the construct, so it can be referenced directly as the principal.
rix0rrr authored Apr 26, 2023
1 parent 0e9440b commit 90cb79f
Showing 45 changed files with 197 additions and 474 deletions.
@@ -1,15 +1,15 @@
{
"version": "31.0.0",
"files": {
"1576b28912dd95ee8b60a0f773b1c888d1c0340a29d6adb4b2a2eb43dfcaffa9": {
"89f400a7db76ac169a14192582d534dc488cd97e71a91109a8cb5611063ed995": {
"source": {
"path": "PipelineStack.template.json",
"packaging": "file"
},
"destinations": {
"current_account-current_region": {
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
"objectKey": "1576b28912dd95ee8b60a0f773b1c888d1c0340a29d6adb4b2a2eb43dfcaffa9.json",
"objectKey": "89f400a7db76ac169a14192582d534dc488cd97e71a91109a8cb5611063ed995.json",
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
}
}
Expand Up @@ -2142,27 +2142,12 @@
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {
"Bool": {
"aws:ViaAWSService": "codepipeline.amazonaws.com"
}
},
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
"Fn::GetAtt": [
"PipelineRoleB27FAA37",
"Arn"
]
}
}
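Review bot: The new trust statement replacing the `:root` principal at the `"Principal"` block also drops the `"Condition": {"Bool": {"aws:ViaAWSService": ...}}` clause the old statement carried, and the commit message only mentions the narrowed principal. Pinning the principal to `PipelineRoleB27FAA37` is the substantive fix, but without any condition every session of the pipeline role — not only calls CodePipeline makes on its behalf — can now assume this action role; whether that widens anything depends on the pipeline role's own trust policy, which is outside this hunk. If the condition was removed on purpose (the old value was a service name under a `Bool` operator, which looks like it may have been the mistake the description refers to), a sentence saying so in the description would save the next reader from asking; otherwise consider keeping `"Condition": {"Bool": {"aws:ViaAWSService": "true"}}` next to the narrowed principal as defense in depth. This is a synthesized integ snapshot, so any adjustment belongs in the construct that emits it, and the enclosing Role resource starts before this hunk.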
Expand Up @@ -66,7 +66,7 @@
"validateOnSynth": false,
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
"cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/1576b28912dd95ee8b60a0f773b1c888d1c0340a29d6adb4b2a2eb43dfcaffa9.json",
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/89f400a7db76ac169a14192582d534dc488cd97e71a91109a8cb5611063ed995.json",
"requiresBootstrapStackVersion": 6,
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
"additionalDependencies": [
Expand Up @@ -2701,27 +2701,12 @@
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {
"Bool": {
"aws:ViaAWSService": "codepipeline.amazonaws.com"
}
},
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
"Fn::GetAtt": [
"PipelineRoleB27FAA37",
"Arn"
]
}
}
@@ -1,15 +1,15 @@
{
"version": "31.0.0",
"files": {
"5e7bb85d81710361d2e2b5fba94f50ef4141aa3fc151119f5b8d5d786c9c149e": {
"d012d0452ea703b36e1f5a5e8e65093b04658d40d4e28e97b1fca923b2a0b119": {
"source": {
"path": "PipelineStack.template.json",
"packaging": "file"
},
"destinations": {
"current_account-current_region": {
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
"objectKey": "5e7bb85d81710361d2e2b5fba94f50ef4141aa3fc151119f5b8d5d786c9c149e.json",
"objectKey": "d012d0452ea703b36e1f5a5e8e65093b04658d40d4e28e97b1fca923b2a0b119.json",
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
}
}
Expand Up @@ -2202,27 +2202,12 @@
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {
"Bool": {
"aws:ViaAWSService": "codepipeline.amazonaws.com"
}
},
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
"Fn::GetAtt": [
"PipelineRoleB27FAA37",
"Arn"
]
}
}
Expand Up @@ -66,7 +66,7 @@
"validateOnSynth": false,
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
"cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/5e7bb85d81710361d2e2b5fba94f50ef4141aa3fc151119f5b8d5d786c9c149e.json",
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d012d0452ea703b36e1f5a5e8e65093b04658d40d4e28e97b1fca923b2a0b119.json",
"requiresBootstrapStackVersion": 6,
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
"additionalDependencies": [
Expand Up @@ -2777,27 +2777,12 @@
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {
"Bool": {
"aws:ViaAWSService": "codepipeline.amazonaws.com"
}
},
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
"Fn::GetAtt": [
"PipelineRoleB27FAA37",
"Arn"
]
}
}
Expand Up @@ -14,15 +14,15 @@
}
}
},
"f309a8e80b36ebcbdcf5a2b21a3f9db9f495923cdba98ac1eb744412dd7fe4a3": {
"4d38f6ff6bbae2e6b06331dacfc2d6f54ed5b26cd889839fa9a01d63f2a11b3a": {
"source": {
"path": "PipelinesFileSystemLocations.template.json",
"packaging": "file"
},
"destinations": {
"current_account-current_region": {
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
"objectKey": "f309a8e80b36ebcbdcf5a2b21a3f9db9f495923cdba98ac1eb744412dd7fe4a3.json",
"objectKey": "4d38f6ff6bbae2e6b06331dacfc2d6f54ed5b26cd889839fa9a01d63f2a11b3a.json",
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
}
}
Expand Up @@ -1440,27 +1440,12 @@
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {
"Bool": {
"aws:ViaAWSService": "codepipeline.amazonaws.com"
}
},
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
"Fn::GetAtt": [
"PipelineRoleB27FAA37",
"Arn"
]
}
}
Expand Up @@ -24,7 +24,7 @@
"validateOnSynth": false,
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
"cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/f309a8e80b36ebcbdcf5a2b21a3f9db9f495923cdba98ac1eb744412dd7fe4a3.json",
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/4d38f6ff6bbae2e6b06331dacfc2d6f54ed5b26cd889839fa9a01d63f2a11b3a.json",
"requiresBootstrapStackVersion": 6,
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
"additionalDependencies": [
Expand Up @@ -2085,27 +2085,12 @@
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {
"Bool": {
"aws:ViaAWSService": "codepipeline.amazonaws.com"
}
},
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
"Fn::GetAtt": [
"PipelineRoleB27FAA37",
"Arn"
]
}
}
@@ -1,15 +1,15 @@
{
"version": "31.0.0",
"files": {
"dbefd7608e6caa1510bfb640277e8e0b94a8933d4dc658cc6b95ba3edfdd0906": {
"0a38575278954c57dc2282c4e3007815cca46595cdd0204557102de34dbcc818": {
"source": {
"path": "PipelineStack.template.json",
"packaging": "file"
},
"destinations": {
"current_account-current_region": {
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
"objectKey": "dbefd7608e6caa1510bfb640277e8e0b94a8933d4dc658cc6b95ba3edfdd0906.json",
"objectKey": "0a38575278954c57dc2282c4e3007815cca46595cdd0204557102de34dbcc818.json",
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
}
}
Expand Up @@ -1273,27 +1273,12 @@
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {
"Bool": {
"aws:ViaAWSService": "codepipeline.amazonaws.com"
}
},
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
"Fn::GetAtt": [
"PipelineRoleB27FAA37",
"Arn"
]
}
}
Expand Up @@ -24,7 +24,7 @@
"validateOnSynth": false,
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
"cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/dbefd7608e6caa1510bfb640277e8e0b94a8933d4dc658cc6b95ba3edfdd0906.json",
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/0a38575278954c57dc2282c4e3007815cca46595cdd0204557102de34dbcc818.json",
"requiresBootstrapStackVersion": 6,
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
"additionalDependencies": [
Expand Up @@ -1899,27 +1899,12 @@
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {
"Bool": {
"aws:ViaAWSService": "codepipeline.amazonaws.com"
}
},
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
"Fn::GetAtt": [
"PipelineRoleB27FAA37",
"Arn"
]
}
}
@@ -1,15 +1,15 @@
{
"version": "31.0.0",
"files": {
"bb6adc0f7fd12a7b804a73ec5f746450c3851c82569c4ab7a6e604d6778df985": {
"09becddcd85b905c424bc20286f676d6139b48124032aa86dd8848e147317752": {
"source": {
"path": "PipelineStack.template.json",
"packaging": "file"
},
"destinations": {
"current_account-current_region": {
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
"objectKey": "bb6adc0f7fd12a7b804a73ec5f746450c3851c82569c4ab7a6e604d6778df985.json",
"objectKey": "09becddcd85b905c424bc20286f676d6139b48124032aa86dd8848e147317752.json",
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
}
}
