feat(pipelines): add assumeRole parameter to CodeBuildStep#38285
feat(pipelines): add assumeRole parameter to CodeBuildStep#38285umbertocicciaa wants to merge 1 commit into
Conversation
There was a problem hiding this comment.
The pull request linter fails with the following errors:
❌ Features must contain a change to an integration test file and the resulting snapshot.
If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.
✅ A exemption request has been requested. Please wait for a maintainer's review.
Require an exception (or am i missing something?) |
Issue # (if applicable)
Closes #18272
Ai Usage
Reason for this change
pipelines.CodeBuildStephas no built-in way to run its commands under a different IAM role. This matters for cross-account deployment pipelines, where the CodeBuild project's own role can't reach resources in the deployed (target) account, e.g. invoking a Lambda function to run a DB migration, or seeding Cognito users for integration tests. Users currently have to hand-roll this withaws sts assume-rolecalls insidecommands, wiring up the trust policy andsts:AssumeRolepermission themselves each time.Description of changes
Added an
assumeRole?: iam.IRoleproperty toCodeBuildStepProps/CodeBuildStep. When set:sts:AssumeRoleon the given role (assumeRole.grant(project.grantPrincipal, 'sts:AssumeRole')).installphase, before any user-suppliedinstallCommands, which configure a named AWS CLI profile (cdk-assume-role) pointed at the role and export it as the active profile:This means all of
commands(and any commands after it in the same build) run underassumeRolewithout the user needing to write any of this themselves.This follows the exact workaround proposed in the issue, and reuses two patterns already present in the codebase rather than inventing new ones:
role/actionRoleplumbing already threaded fromCodeBuildStep→CodeBuildFactoryProps→CodeBuildFactory.produceActionis extended the same way forassumeRole.sts:AssumeRoleon an optional role" idiom already used indocker-credentials.ts(grantee.grantPrincipal.addToPrincipalPolicy(...)) is reused viaIRole.grant().Files changed:
packages/aws-cdk-lib/pipelines/lib/codepipeline/codebuild-step.tsnewassumeRoleprop.packages/aws-cdk-lib/pipelines/lib/codepipeline/private/codebuild-factory.tsnewassumeRoleonCodeBuildFactoryProps, threaded throughfromCodeBuildStep, grant + buildspec command injection inproduceAction.packages/aws-cdk-lib/pipelines/test/codepipeline/codebuild-step.test.tsnew unit test.Describe any new or updated permissions being added
When
assumeRoleis set, the CodeBuild project's execution role is granted:{ "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "<assumeRole ARN>" }No other permissions are added, and nothing changes for callers who don't set
assumeRole(opt-in, defaultundefined).Description of how you validated changes
assumeRole grants sts:AssumeRole and injects profile commands) incodebuild-step.test.ts, following the existing style of the neighboringrole passed it used for project and code build actiontest. It asserts:AWS::IAM::Policystatement grantingsts:AssumeRoleon the target role's ARN is attached to the CodeBuild project's role.AWS::CodeBuild::Projectbuildspec'sinstallphase contains theaws configure/export AWS_PROFILEcommands.pipelinesunit test suite locally:yarn test pipelines→ 211/212 passing (all passing, including the new test), no regressions in the other 21 test suites.Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license