(CdkPipeline): CdkPipeline source stage fails in a cross account setup

[ganeshnj]

CDKPipeline fails to clone repository that exists in a different AWS Account.

Reproduction Steps

Sample: https://github.com/ganeshnj/cdk-pipeline-cross-account-sample

1. synth & deploy

npx cdk bootstrap --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws://{pipeline-account-id}/us-west-2
npx cdk bootstrap --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess --trust {pipeline-account-id} aws://{source-account-id}/us-west-2 --profile source
cdk synth
cdk deploy --all

2. Branch not found issue

The action failed because no branch named main was found in the selected AWS CodeCommit repository MyRepository. Make sure you are using the correct branch name, and then try again. Error: null

3. Go to the source AWS account and create a main branch.

4. Try again source stage.

5. Permissions issue

The service role or action role doesn’t have the permissions required to access the Amazon S3 bucket named {bucket-name}. Update the IAM role permissions, and then try again. Error: Amazon S3:AccessDenied:Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: {Request ID}; S3 Extended Request ID: {Extended Request ID}; Proxy: null)

What did you expect to happen?

Source stage should succeed

What actually happened?

Source stage failed with permission error.

Environment

• CDK CLI Version : 1.98.0 (build 79f4512)
• Framework Version:
• Node.js Version: v12.18.4
• OS : Windows 10
• Language (Version): C#

Other

---

This is 🐛 Bug Report

[skinny85]

Hey @ganeshnj ,

thanks for opening the issue. I'm trying to reproduce it right now.

Before I do, I'm wondering whether the problem might be that you're creating a completely new CodeCommit repository here, and it's empty.

Can you try pushing some commits to the repository, and see if that changes anything?

Thanks,
Adam

[ganeshnj]

Repo with commits on main branch also has the same behavior.

I kept the example simple so that during reproduction minimum manual steps are required.

[skinny85]

OK, I've managed to reproduce the error in my own setup. Digging in to what's causing it.

[skinny85]

OK. The problem seems to be the "@aws-cdk/aws-s3:grantWriteWithoutAcl": true line in cdk.json. If you switch it to "@aws-cdk/aws-s3:grantWriteWithoutAcl": false, and then re-deploy all Stacks (cdk deploy \*), the Action succeeds again.

@ganeshnj can you let me know if it fixes it for you?

Looks like the CodeCommit source Action needs those permissions in the cross-account case. I'll prepare a PR adding them back in.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[ganeshnj]

Apologies, I couldn't get in time.

I confirm, "@aws-cdk/aws-s3:grantWriteWithoutAcl": false, fixes the issue.