fix(codepipeline): grant the CodeCommit source Action read-write perm…
…issions to the Pipeline's Bucket. (#3175)

Fixes #3170
skinny85 authored and Elad Ben-Israel committed Jul 3, 2019
1 parent e36a8b7 commit bd46e49
Showing 8 changed files with 75 additions and 26 deletions.
Expand Up @@ -91,7 +91,7 @@ export class CodeCommitSourceAction extends Action {

// the Action will write the contents of the Git repository to the Bucket,
// so its Role needs write permissions to the Pipeline Bucket
options.bucket.grantWrite(options.role);
options.bucket.grantReadWrite(options.role);

// https://docs.aws.amazon.com/codecommit/latest/userguide/auth-and-access-control-permissions-reference.html#aa-acp
options.role.addToPolicy(new iam.PolicyStatement({
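Review bot: The comment directly above the changed call still says the Role "needs write permissions to the Pipeline Bucket", but the new line calls `grantReadWrite`, so the comment no longer explains the grant that is actually made. It should say why read access is required, for example `// the Action writes the repository contents to the Bucket and must also be able to read from it (see #3170), so its Role needs read-write permissions to the Pipeline Bucket`; the precise reason is not visible in this hunk, so the wording should be confirmed against the linked issue. Judging by the expected templates further down the page, the role now also receives `s3:GetObject*`, `s3:GetBucket*`, `s3:List*`, `kms:Decrypt` and `kms:DescribeKey`, apparently on the Pipeline's Bucket and its key, so the comment is the right place to record that this widening is deliberate. The enclosing method starts and ends outside the hunk.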
Expand Up @@ -69,6 +69,8 @@
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
Expand Down Expand Up @@ -448,6 +450,9 @@
"Statement": [
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
"s3:DeleteObject*",
"s3:PutObject*",
"s3:Abort*"
Expand Down Expand Up @@ -478,6 +483,8 @@
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
Expand Down Expand Up @@ -814,4 +821,4 @@
}
}
}
}
}
Expand Up @@ -62,6 +62,8 @@
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
Expand All @@ -79,6 +81,8 @@
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
Expand Down Expand Up @@ -567,6 +571,9 @@
"Statement": [
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
"s3:DeleteObject*",
"s3:PutObject*",
"s3:Abort*"
Expand Down Expand Up @@ -597,6 +604,8 @@
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
Expand Down Expand Up @@ -675,6 +684,9 @@
"Statement": [
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
"s3:DeleteObject*",
"s3:PutObject*",
"s3:Abort*"
Expand Down Expand Up @@ -705,6 +717,8 @@
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
Expand Down Expand Up @@ -1610,4 +1624,4 @@
}
}
}
}
}
Expand Up @@ -158,9 +158,25 @@
},
{
"Action": [
"s3:DeleteObject*",
"s3:PutObject*",
"s3:Abort*"
"codecommit:GetBranch",
"codecommit:GetCommit",
"codecommit:UploadArchive",
"codecommit:GetUploadArchiveStatus",
"codecommit:CancelUploadArchive"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"MyRepoF4F48043",
"Arn"
]
}
},
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*"
],
"Effect": "Allow",
"Resource": [
Expand Down Expand Up @@ -188,25 +204,9 @@
},
{
"Action": [
"codecommit:GetBranch",
"codecommit:GetCommit",
"codecommit:UploadArchive",
"codecommit:GetUploadArchiveStatus",
"codecommit:CancelUploadArchive"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"MyRepoF4F48043",
"Arn"
]
}
},
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*"
"s3:DeleteObject*",
"s3:PutObject*",
"s3:Abort*"
],
"Effect": "Allow",
"Resource": [
Expand Down Expand Up @@ -650,4 +650,4 @@
}
}
}
}
}
Expand Up @@ -284,6 +284,8 @@
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
Expand Down Expand Up @@ -654,6 +656,9 @@
"Statement": [
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
"s3:DeleteObject*",
"s3:PutObject*",
"s3:Abort*"
Expand Down Expand Up @@ -684,6 +689,8 @@
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
Expand Up @@ -134,6 +134,8 @@
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
Expand Down Expand Up @@ -419,6 +421,9 @@
"Statement": [
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
"s3:DeleteObject*",
"s3:PutObject*",
"s3:Abort*"
Expand Down Expand Up @@ -449,6 +454,8 @@
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
Expand Up @@ -62,6 +62,8 @@
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
Expand Down Expand Up @@ -379,6 +381,9 @@
"Statement": [
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
"s3:DeleteObject*",
"s3:PutObject*",
"s3:Abort*"
Expand Down Expand Up @@ -409,6 +414,8 @@
},
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
7 changes: 7 additions & 0 deletions packages/decdk/test/__snapshots__/synth.test.js.snap
Expand Up @@ -2026,6 +2026,8 @@ Object {
},
Object {
"Action": Array [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
Expand Down Expand Up @@ -2699,6 +2701,9 @@ Object {
"Statement": Array [
Object {
"Action": Array [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
"s3:DeleteObject*",
"s3:PutObject*",
"s3:Abort*",
Expand Down Expand Up @@ -2729,6 +2734,8 @@ Object {
},
Object {
"Action": Array [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
