CodePipeline: when providing custom Pipeline Role, cross-region support stacks cannot be deployed

[cprice404]

Describe the bug

When trying to come up with a workaround for the maximum policy size bug mentioned here and elsewhere, I created my own IAM role to explicitly pass in to my Pipelines.

As soon as I did this, the cross-region support stacks for my Pipelines were changed slightly; their KMS KeyPolicy got a new PolicyStatement that looks like this:

            {
              "Action": [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:GenerateDataKey*",
                "kms:ReEncrypt*"
              ],
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":iam::123456789012:role/my-new-pipeline-role"
                    ]
                  ]
                }
              },
              "Resource": "*"
            },

The policy now explicitly references the new IAM role that I created for my Pipeline.

However, that role does not exist until the Pipeline stack itself is deployed, and the order of the actions created by CodePipeline attempts to deploy the support stacks first. So the support stacks fail to deploy because this IAM role does not exist yet.

Expected Behavior

Explicitly passing in an IAM role to the constructor of my Pipelines will allow me to avoid the maximum IAM policy size bugs, while still deploying my Pipeline stacks and support stacks.

Current Behavior

The support stacks fail to deploy with Resource handler returned message: "Policy contains a statement with one or more invalid principals. (Service: Kms, Status Code: 400, Request ID: ..., Extended Request ID: null)" (RequestToken: ..., HandlerErrorCode: InvalidRequest), because they reference an IAM role arn that has not been created yet.

Reproduction Steps

Create an IAM role, pass it in to the constructor of a Pipeline object, observe that the support stacks that are generated now explicitly reference the ARN of this IAM role in their KeyPolicy.

Possible Solution

Do not add the Role to the KeyPolicy. It is unnecessary, as the Role is in the same account as the Key, and the KeyPolicy already grants permission to the account:

            {
              "Action": "kms:*",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":iam::123456789012:root"
                    ]
                  ]
                }
              },
              "Resource": "*"
            },

Additional Information/Context

No response

CDK CLI Version

2.19.0

Framework Version

2.19.0

Node.js Version

v16.5.0

OS

Amazon Linux 2

Language

Typescript

Language Version

TypeScript 4.4.2

Other information

No response

[cprice404]

related to #19835

[skinny85]

Thanks for reporting @cprice404. Yes, you're right that we shouldn't add Role to the Resource Policy of the Key in this case.

I wonder what triggers this behavior though! The CodePipeline construct just constructs the Role itself if you don't pass it, so it shouldn't be any different.

Can you show how you create the Role, and how do you pass it to CodePipeline?

Thanks,
Adam

[cprice404]

@skinny85 I'm creating it with code very similar to what I pasted in my comment on the other ticket:

#19835 (comment)

I did have to add this because CFN wasn't waiting for the policy to be created before it started trying to create the pipeline:

      const pipelineCfnResource = pipeline.node.defaultChild as CfnResource;
      pipelineCfnResource.addDependsOn(
        pipelineRolePolicy.node.defaultChild as CfnResource
      );

[skinny85]

That might be a different bug in the Pipeline construct...

What's childPipelinePolicy?

[cprice404]

That might be a different bug in the Pipeline construct...

What's childPipelinePolicy?

Sorry, edited it to match the code from the snippet on the other ticket. It's just the policy that I build up with the s3/kms/assumerole permissions, which I had to do because the auto-generated policy exceeds the max IAM policy size.

[cprice404]

So basically it's this:

  // We need to create a policy statement that grants access to the
  // KMS key that CDK generated for accessing the pipeline's s3 artifact
  // buckets.  To do this, we will need to know CDK's "uniqueId" for the
  // key, so that we can reference it in the policy.  Here we are calling
  // a vendored copy of their function that creates the unique id, because
  // the function isn't exported in the CDK library.
  const artifactBucketEncryptionKeyCdkUniqueId = makeUniqueId([
    `pipeline-${pipelineName}`,
    'ArtifactsBucketEncryptionKey',
    'Resource',
  ]);

  const pipelineRolePolicyName = `pipelinepolicy-${pipelineName}`;
  const pipelineRolePolicy = new iam.Policy(
    scope,
    pipelineRolePolicyName,
    {
      policyName: pipelineRolePolicyName,
      // These policy statements were built up by hand after examining the
      // statements in the CDK-generated policy for several pipelines.
      statements: [
        // Grants the pipeline access to the s3 artifact buckets.
        new iam.PolicyStatement({
          effect: iam.Effect.ALLOW,
          actions: [
            's3:Abort*',
            's3:DeleteObject*',
            's3:GetBucket*',
            's3:GetObject*',
            's3:List*',
            's3:PutObject',
            's3:PutObjectLegalHold',
            's3:PutObjectRetention',
            's3:PutObjectTagging',
            's3:PutObjectVersionTagging',
          ],
          resources: [`arn:aws:s3:::${pipelineName}-pipeline*`],
        }),
        // Grants the pipeline access to the KMS key that is used for the s3 artifact buckets.
        new iam.PolicyStatement({
          effect: iam.Effect.ALLOW,
          actions: [
            'kms:Decrypt',
            'kms:DescribeKey',
            'kms:Encrypt',
            'kms:GenerateDataKey*',
            'kms:ReEncrypt*',
          ],
          resources: [
            Fn.getAtt(artifactBucketEncryptionKeyCdkUniqueId, 'Arn').toString(),
          ],
        }),
        // Grants the pipeline AssumeRole permissions into the various CDK-generated roles, for
        // cross-account / cross-region deploys etc.
        new iam.PolicyStatement({
          effect: iam.Effect.ALLOW,
          actions: ['sts:AssumeRole'],
          resources: targetAccounts.map(targetAccount => {
            // Here we are granting permissions to assume some roles that are generated by CDK
            // for use in pipelines.  We need to wild-card them so that the policy doesn't get
            // too large for IAM.  The roles will begin with a string like `cacheadmin-pipeline`,
            // unless the name of the pipeline is too long; CDK will truncate the prefix portion
            // after 25 chars, and the suffix varies per role, so we just use the first 25 chars.
            const pipelineRoleNamePrefix = `${pipelineName}-pipeline`.substr(
              0,
              25
            );
            return `arn:aws:iam::${targetAccount}:role/${pipelineRoleNamePrefix}*`;
          }),
        }),
      ],
    }
  );

  const pipelineRoleName = `pipelinerole-${pipelineName}`;
  const pipelineRole = new iam.Role(scope, pipelineRoleName, {
    roleName: pipelineRoleName,
    assumedBy: new iam.ServicePrincipal('codepipeline.amazonaws.com'),
  });
  pipelineRolePolicy.attachToRole(pipelineRole);

      
      const pipeline = new codepipeline.Pipeline(
        this,
        `pipeline-foo`,
        {
          pipelineName: 'foo',
          crossAccountKeys: true,
      
          // passing the role via `withoutPolicyUpdates` prevents CDK from trying to manually manage the policy.  See:
          role: pipelineRole.withoutPolicyUpdates()
        }
      );

      const pipelineCfnResource = pipeline.node.defaultChild as CfnResource;
      pipelineCfnResource.addDependsOn(
        pipelineRolePolicy.node.defaultChild as CfnResource
      );

[skinny85]

OK, thanks.

Can you explain more about your Pipeline? What makes it cross-region? Is it also cross-account at the same time?

[skinny85]

Also, pipelineRolePolicy is a Policy in your code, but you pass it as the role property...?