
aws-deployment-framework-pipelines pipeline fails to sync code

Open dsudduth opened this issue 4 years ago • 4 comments

Expected Behavior

The aws-deployment-framework-pipelines pipeline should successfully sync from CodeCommit when the Deployment account is bootstrapped for the first time.

Current Behavior

An error is given which indicates that the pipeline does not have permissions to sync from CodeCommit. Appears to be a race condition which is resolved by re-running the project in CodeBuild. This was reproduced and confirmed by StewartW.

The service role or action role doesn’t have the permissions required to access the AWS CodeCommit repository named aws-deployment-framework-pipelines. Update the IAM role permissions, and then try again. Error: User: arn:aws:sts::111111111111:assumed-role/adf-codepipeline-role/xxxxxxxxxxxx is not authorized to perform: codecommit:GetBranch on resource: arn:aws:codecommit:us-east-1:111111111111:aws-deployment-framework-pipelines

Steps to Reproduce

Perform a clean installation of ADF. View the aws-deployment-framework-pipelines pipeline in the Deployment account.

dsudduth avatar May 24 '21 05:05 dsudduth

Hey @dsudduth The role already has the GetBranch permission in the CodeCommit statement. I suspect that what's happening here is that there is a race condition where the inline policy hasn't been applied to the role yet. (You sometimes see similar issues when creating and invoking lambdas immediately with CDK as well).

StewartW avatar May 28 '21 11:05 StewartW

@StewartW you're right, I see it in there. Interestingly enough, multiple runs fail until I apply a change to the policy. I'll try to test some additional scenarios when I perform another clean install.

dsudduth avatar May 28 '21 13:05 dsudduth

> @StewartW you're right, I see it in there. Interestingly enough, multiple runs fail until I apply a change to the policy. I'll try to test some additional scenarios when I perform another clean install.

I was able to reproduce it on a fresh install on my account; re-running the CodeBuild project seemed to remedy it for me. Interesting that doesn't seem to be the case for yourself.

StewartW avatar May 28 '21 13:05 StewartW

> > @StewartW you're right, I see it in there. Interestingly enough, multiple runs fail until I apply a change to the policy. I'll try to test some additional scenarios when I perform another clean install.
>
> I was able to reproduce it on a fresh install on my account; re-running the CodeBuild project seemed to remedy it for me. Interesting that doesn't seem to be the case for yourself.

Hi @StewartW,

Finally had some time to confirm. Running the project again does clear the error. Keeping the issue open so we can track, but I'll remove the proposed solution. Thanks again for helping to reproduce the issue.

dsudduth avatar Jun 15 '21 05:06 dsudduth

Thank you for your patience. I am happy to inform you that this issue has been resolved in our latest release v3.2.0 just now. I'm hereby closing this issue. Please open a new issue if you are experiencing any issues with the latest release.

sbkok avatar Jan 24 '23 10:01 sbkok
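
The race discussed in this thread, handled on the caller's side. This is an added example, not ADF's code and not the change shipped in v3.2.0. It retries only access-denied errors inside a bounded window, so a permission that is genuinely missing still surfaces as a failure instead of being retried forever. The function names, the error codes treated as "not propagated yet" and the timing values are assumptions.

```python
import time

# Assumption: errors are botocore-style, carrying response["Error"]["Code"].
# These codes are treated as "policy may not have propagated yet".
PROPAGATION_CODES = {"AccessDenied", "AccessDeniedException"}


class PermissionStillDenied(Exception):
    """Access was still denied when the propagation window ran out."""


def error_code(exc):
    """Return the botocore-style error code, or None if the shape differs."""
    response = getattr(exc, "response", None)
    if isinstance(response, dict):
        return response.get("Error", {}).get("Code")
    return None


def call_when_authorized(action, max_wait=60.0, first_delay=1.0,
                         sleep=time.sleep, clock=time.monotonic):
    """Run action(), retrying only access-denied errors until max_wait.

    action is any zero-argument callable, for example
    lambda: codecommit.get_branch(repositoryName=..., branchName=...).
    Returns (result, attempts). Other errors are re-raised at once; a denial
    that outlives max_wait is reported as a real permission problem.
    """
    deadline = clock() + max_wait
    delay, attempts = first_delay, 0
    while True:
        attempts += 1
        try:
            return action(), attempts
        except Exception as exc:
            if error_code(exc) not in PROPAGATION_CODES:
                raise  # not a permission error: retrying would only hide it
            if clock() + delay > deadline:
                raise PermissionStillDenied(
                    f"still denied after {attempts} attempts") from exc
            sleep(delay)
            delay = min(delay * 2, 15.0)  # exponential backoff, capped
```

Keep `max_wait` short: a denial that persists past it should be investigated as a policy error, not waited out.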