Description
In an attempt to build a cross account codepipeline, I have used CodeCommitSourceAction as follows:
```typescript
import { Role } from '@aws-cdk/aws-iam';
import { CodeCommitSourceAction } from '@aws-cdk/aws-codepipeline-actions';

// Tools account
// `codeCommitRoleArn`, `codeCommitRepository` and `sourceOutput` are defined elsewhere in the stack.
const actionProps: any = {};
// Since `CodeCommitSourceAction` doesn't accept a role (in TypeScript) even though the
// abstract `Action` does, have to pass the role via an object of `any` type.
actionProps.role = Role.fromRoleArn(this, 'code-commit-role', codeCommitRoleArn);
const sourceAction = new CodeCommitSourceAction({
  actionName: 'CodeCommit',
  repository: codeCommitRepository,
  output: sourceOutput,
  ...actionProps,
});
```
When using `Role.fromRoleArn` I assume that the role exists, potentially in a different account (it is in a different Dev account). However, `CodeCommitSourceAction` tries to create a policy for it according to its source code https://github.com/awslabs/aws-cdk/blob/master/packages/%40aws-cdk/aws-codepipeline-actions/lib/codecommit/source-action.ts#L95-L105, which results in the following resource in the template:
```yaml
codecommitrolePolicyC2DD4708:
  Type: AWS::IAM::Policy
  Properties:
    PolicyDocument:
      Statement:
        - Action:
            - codecommit:GetBranch
            - codecommit:GetCommit
            - codecommit:UploadArchive
            - codecommit:GetUploadArchiveStatus
            - codecommit:CancelUploadArchive
          Effect: Allow
          Resource: arn:aws:codecommit:us-west-2:123456789012:repository
      Version: "2012-10-17"
    PolicyName: codecommitrolePolicyC2DD4708
    Roles:
      - ToolsAcctCodePipelineCodeCommitRole
  Metadata:
    aws:cdk:path: ToolsCodePipelineStack/code-commit-role/Policy/Resource
```
This fails because `ToolsAcctCodePipelineCodeCommitRole`, obviously, doesn't exist in this Tools account. It is in the Dev account.
I think `CodeCommitSourceAction` should be able to distinguish whether the role is imported or not, and add the policy only if the role is auto-created in the same account.
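The check asked for above, as an added example that is not part of the issue or of the CDK code base: `AWS::IAM::Policy` can only reference roles that exist in the account the stack deploys into, so a construct should parse the role ARN, compare its account with the stack's account, and emit the policy resource only when they match. It is written in plain TypeScript with no CDK dependency; the function names (`parseArn`, `decideRoleGrant`, `renderRolePolicy`) are hypothetical, and the Dev account id `111111111111` is a constructed value. The action list is the one from the template above.

```typescript
// Added example, not CDK code: decide whether a construct may attach an
// inline AWS::IAM::Policy to a role, given the role ARN and the account the
// stack deploys into. A role that lives in another account (Role.fromRoleArn
// pointing at the Dev account) must be left alone; the permissions have to be
// granted on that role in its own account instead.

interface ParsedArn {
  partition: string;
  service: string;
  region: string;
  account: string;
  resource: string;
}

// arn:partition:service:region:account:resource (the resource part may itself contain ':').
function parseArn(arn: string): ParsedArn {
  const parts = arn.split(':');
  if (parts.length < 6 || parts[0] !== 'arn') {
    throw new Error(`not an ARN: ${arn}`);
  }
  return {
    partition: parts[1],
    service: parts[2],
    region: parts[3],
    account: parts[4],
    resource: parts.slice(5).join(':'),
  };
}

// CDK renders values that are only known at deploy time (such as the deploying
// account) as tokens of the form ${Token[...]}; those cannot be compared at synth time.
function isUnresolved(value: string): boolean {
  return value.indexOf('${Token[') !== -1;
}

type GrantDecision =
  | { attach: true; roleName: string }
  | { attach: false; reason: string };

// Returns whether an AWS::IAM::Policy that references this role can be created
// in the stack's account. Unknown accounts are treated as foreign (fail closed).
function decideRoleGrant(roleArn: string, stackAccount: string): GrantDecision {
  const arn = parseArn(roleArn);
  if (arn.service !== 'iam' || arn.resource.indexOf('role/') !== 0) {
    return { attach: false, reason: `not an IAM role ARN: ${roleArn}` };
  }
  if (isUnresolved(stackAccount) || isUnresolved(arn.account)) {
    return { attach: false, reason: 'account not known at synth time; treating role as foreign' };
  }
  if (arn.account !== stackAccount) {
    return { attach: false, reason: `role lives in ${arn.account}, stack deploys to ${stackAccount}` };
  }
  // The Roles property of AWS::IAM::Policy takes the role name without its path.
  const segments = arn.resource.split('/');
  return { attach: true, roleName: segments[segments.length - 1] };
}

// Actions the CodeCommit source action wants on the role (taken from the template in the issue).
const CODECOMMIT_SOURCE_ACTIONS: string[] = [
  'codecommit:GetBranch',
  'codecommit:GetCommit',
  'codecommit:UploadArchive',
  'codecommit:GetUploadArchiveStatus',
  'codecommit:CancelUploadArchive',
];

interface PolicyResource {
  Type: 'AWS::IAM::Policy';
  Properties: { PolicyDocument: object; PolicyName: string; Roles: string[] };
}

// Renders the policy resource only for a same-account role; returns undefined otherwise,
// which is what the source action should do for an imported cross-account role.
function renderRolePolicy(roleArn: string, repositoryArn: string, stackAccount: string): PolicyResource | undefined {
  const decision = decideRoleGrant(roleArn, stackAccount);
  if (!decision.attach) {
    return undefined;
  }
  return {
    Type: 'AWS::IAM::Policy',
    Properties: {
      PolicyDocument: {
        Version: '2012-10-17',
        Statement: [{ Effect: 'Allow', Action: CODECOMMIT_SOURCE_ACTIONS, Resource: repositoryArn }],
      },
      PolicyName: 'codecommitrolePolicy',
      Roles: [decision.roleName],
    },
  };
}

// Constructed inputs: the Dev account 111111111111 owns the role, the Tools stack deploys to 123456789012.
const devRoleArn = 'arn:aws:iam::111111111111:role/ToolsAcctCodePipelineCodeCommitRole';
const repoArn = 'arn:aws:codecommit:us-west-2:123456789012:repository';
console.log(decideRoleGrant(devRoleArn, '123456789012'));
console.log(renderRolePolicy(devRoleArn, repoArn, '123456789012'));
```

For the cross-account case the function returns `undefined` and no `AWS::IAM::Policy` lands in the Tools template; the same call with a role in `123456789012` renders the policy with the bare role name in `Roles`. Treating an unresolved account token as foreign is deliberate: silently attaching a policy to a role whose account is unknown is the failure mode this issue describes.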