[pipelines] PublishAssetsAction uses hard-coded role names #9271

@njlynch

The role(s) created (or used) by PublishAssetsAction currently request sts:AssumeRole on all asset publishing roles (*-file-publishing-role-* or *-image-publishing-role-*).

https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/pipelines/lib/actions/publish-assets-action.ts#L92-L94

While these role names are the default created by the bootstrapping process, it's possible that users may have specified custom publishing roles, in which case the above will not work. The remote role ARNs should actually come from the user app and not be hard coded in the pipelines library. Users are allowed to specify any role ARNs they want for publishing.

Other

See #9243 (comment) for more background.


This is 🐛 Bug Report
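The mismatch reported above, as an added example that is not part of the original issue and not code from aws-cdk: it checks role ARNs against the two name patterns quoted in the issue and builds an `sts:AssumeRole` statement scoped to the roles an app actually declares. The ARN prefix on the patterns, the function names, and the sample ARNs are assumptions constructed for illustration.

```typescript
// Added example: not aws-cdk code. All ARNs and account IDs are constructed.

// Name patterns quoted in the issue; the "arn:*:iam::*:role/" prefix is assumed.
const HARD_CODED_PATTERNS: string[] = [
  "arn:*:iam::*:role/*-file-publishing-role-*",
  "arn:*:iam::*:role/*-image-publishing-role-*",
];

// IAM-style wildcard match: '*' is any run of characters, '?' is one character.
function iamMatch(pattern: string, arn: string): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const source = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(source).test(arn);
}

// Publishing roles that the hard-coded statement does not cover.
function rolesNotCovered(roleArns: string[]): string[] {
  return roleArns.filter(
    (arn) => !HARD_CODED_PATTERNS.some((p) => iamMatch(p, arn))
  );
}

interface PolicyStatement {
  Effect: "Allow";
  Action: "sts:AssumeRole";
  Resource: string[];
}

// Statement scoped to exactly the role ARNs supplied by the user app,
// with duplicates removed and no wildcards introduced.
function statementFromAppRoles(roleArns: string[]): PolicyStatement {
  const unique = roleArns.filter((arn, i) => roleArns.indexOf(arn) === i).sort();
  return { Effect: "Allow", Action: "sts:AssumeRole", Resource: unique };
}

// Constructed sample: one default-style role name and one custom role name.
const SAMPLE_ROLES: string[] = [
  "arn:aws:iam::111111111111:role/cdk-abc123-file-publishing-role-111111111111-us-east-1",
  "arn:aws:iam::222222222222:role/AcmeAssetUploader",
];

console.log("not covered by hard-coded patterns:", rolesNotCovered(SAMPLE_ROLES));
console.log(JSON.stringify(statementFromAppRoles(SAMPLE_ROLES), null, 2));
```

Running `rolesNotCovered` over the publishing role ARNs an app declares gives a quick pre-deployment check for whether custom roles would be missed by the wildcard statement.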

Labels: @aws-cdk/pipelines (CDK Pipelines library), bug (This issue is a bug.), effort/medium (Medium work item – several days of effort), p2
