Reputation: 1242
Is it possible to create a codepipeline that has a target source of a CodeCommit Repository in another account?
Upvotes: 16
Views: 5697
Reputation: 428
You can deploy resources using pipeline with codecommit repository in another account.
Let's say you have Account A where your codecommit repository sits, and Account B where you codepipeline sits.
Configure the following in account B:
You would need to create a custom KMS key, because the AWS default key does not have an associated key policy. You can use Create a Pipeline in CodePipeline That Uses Resources from Another AWS Account if you need assistance with creating the CMK. Add the CodePipeline service role to the KMS key policy to allow the pipeline to use it.
Event bus for receiving cross-account events: go to CloudWatch → Event Buses (under the Events section) → Add Permission → enter the DEV AWS account ID → Add. For more details, check Creating an Event Bus.
Add the following policy to the S3 pipeline artifact store:
{
  "Version": "2012-10-17",
  "Id": "PolicyForKMSAccess",
  "Statement": [
    {
      "Sid": "AllowAccessFromAAccount",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::ACCOUNT_A_ID:root" },
      "Action": [ "s3:Get*", "s3:Put*" ],
      "Resource": "arn:aws:s3:::NAME-OF-THE-BUCKET/*"
    },
    {
      "Sid": "AllowListFromAAccount",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::ACCOUNT_A_ID:root" },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::NAME-OF-THE-BUCKET"
    }
  ]
}
Edit the pipeline IAM role so it can assume the role in Account A, as follows:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": [
      "arn:aws:iam::ACCOUNT_A_ID:role/*"
    ]
  }
}
Now, do the following in Account A:
1. Create a cross-account IAM role with 3 policies:
a) AWSCodeCommitFullAccess
b) Inline policy to assume role to Account B, as follows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_B_ID:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
c) Inline policy for KMS, CodeCommit and S3 access:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:Put*",
        "codecommit:*"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR_BUCKET_NAME_IN_B_FOR_CODE_PIPELINE_ARTIFACTS/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:*"
      ],
      "Resource": [
        "arn:aws:kms:YOUR_KMS_ARN_FROM_B_ACCOUNT"
      ]
    }
  ]
}
2. Update your pipeline as @Eran Medan suggested.
For more details, please visit AWS CodePipeline with a Cross-Account CodeCommit Repository
Also, please note that I have given a lot more permissions than required, for example codecommit:* and kms:*; you can alter them as per your needs.
I hope this will help.
Upvotes: 3
Reputation: 3973
I just had to do this, I'll explain the process.
Account C is the account with your CodeCommit repository. Account P is the account with your CodePipeline... pipelines.
In Account P:
Create an AWS KMS encryption key and give Account C access to it (guide here in the pre-requisite step). You will also need to add the CodePipeline role, and if you have CodeBuild and CodeDeploy steps, add those roles too.
In your CodePipeline artifacts S3 bucket you need to give Account C access. Go to the Bucket Policy and add:
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTC_ID:root"
},
"Action": [
"s3:Get*",
"s3:Put*"
],
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTC_ID:root"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME"
}
Change ACCOUNTC_ID to the account ID of Account C, and change YOUR_BUCKET_NAME to the CodePipeline artifact S3 bucket name.
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::ACCOUNTC_ID:role/*"
]
}
}
Again, change ACCOUNTC_ID to the account ID of Account C.
In Account C:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject*",
"s3:PutObject",
"s3:PutObjectAcl",
"codecommit:ListBranches",
"codecommit:ListRepositories"
],
"Resource": [
"arn:aws:s3:::YOUR_BUCKET_NAME_IN_ACCOUNTP_FOR_CODE_PIPELINE/*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey*",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:YOUR_KMS_ARN"
]
}
]
}
Replace bucket name and KMS ARN in the above policy. Save the policy as something like CrossAccountPipelinePolicy.
In AWS CLI:
You can't do this bit in the console, so you have to use the AWS CLI. This is to get your CodePipeline in Account P to assume the role in the Source step and dump the output in the S3 bucket for all your next steps to use.
aws codepipeline get-pipeline --name NameOfPipeline > pipeline.json
Modify the pipeline JSON so it looks a bit like this, replacing the bits that you need to:
"pipeline": {
"name": "YOUR_PIPELINE_NAME",
"roleArn": "arn:aws:iam::AccountP_ID:role/ROLE_NAME_FOR_CODE_PIPELINE",
"artifactStore": {
"type": "S3",
"location": "YOUR_BUCKET_NAME",
"encryptionKey": {
"id": "arn:aws:kms:YOUR_KMS_KEY_ARN",
"type": "KMS"
}
},
"stages": [
{
"name": "Source",
"actions": [
{
"name": "Source",
"actionTypeId": {
"category": "Source",
"owner": "AWS",
"provider": "CodeCommit",
"version": "1"
},
"runOrder": 1,
"roleArn": "arn:aws:iam::AccountC_ID:role/ROLE_NAME_WITH_CROSS_ACCOUNT_POLICY",
"configuration": {
"BranchName": "master",
"PollForSourceChanges": "false",
"RepositoryName": "YOURREPOSITORYNAME"
},
"outputArtifacts": [
{
"name": "MyApp"
}
],
"inputArtifacts": []
}
]
},
Update the pipeline with aws codepipeline update-pipeline --cli-input-json file://pipeline.json
Verify it works by running the pipeline.
Upvotes: 12
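The procedure both answers above describe, as an added Python example that is not part of either answer and is not AWS tooling: it emits the policy documents (artifact-bucket policy, the pipeline role's AssumeRole policy, the cross-account role's trust and permissions policies), lints a bucket policy for the ListBucket-on-object-ARN mistake, and patches `get-pipeline` output into `update-pipeline` input with the Source action running under the cross-account role. Account IDs 111111111111 and 222222222222, the bucket and repository names, the role name CrossAccountPipelineRole and the sample pipeline document are all constructed placeholders; the CodeCommit action list is an assumption that mirrors what the CodePipeline service role policy grants for CodeCommit.

```python
"""Cross-account CodeCommit source for CodePipeline: build the policies both
answers describe, check the artifact-bucket policy, and patch the pipeline
definition for `aws codepipeline update-pipeline`. Added example, not code
from the answers or from AWS; all account IDs, names and ARNs are placeholders.
"""
import copy


def artifact_bucket_policy(bucket: str, source_account_id: str) -> dict:
    """Bucket policy in the pipeline account. Object actions go on bucket/*;
    s3:ListBucket must go on the bucket ARN itself or the grant never matches."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    principal = {"AWS": f"arn:aws:iam::{source_account_id}:root"}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "CrossAccountObjects", "Effect": "Allow", "Principal": principal,
         "Action": ["s3:GetObject*", "s3:PutObject", "s3:PutObjectAcl"],
         "Resource": f"{bucket_arn}/*"},
        {"Sid": "CrossAccountList", "Effect": "Allow", "Principal": principal,
         "Action": "s3:ListBucket", "Resource": bucket_arn}]}


def pipeline_role_assume_policy(source_account_id: str, role_name: str) -> dict:
    """Inline policy for the CodePipeline service role: one named role, not role/*."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": f"arn:aws:iam::{source_account_id}:role/{role_name}"}]}


def cross_account_role_trust(pipeline_account_id: str) -> dict:
    """Trust policy of the role in the CodeCommit account."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": f"arn:aws:iam::{pipeline_account_id}:root"}}]}


def cross_account_role_permissions(bucket: str, kms_key_arn: str, repo_arn: str) -> dict:
    """Permissions of that role: write artifacts, use the CMK, and the CodeCommit
    calls the Source action makes on one repository, instead of codecommit:*."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject*", "s3:PutObject", "s3:PutObjectAcl"],
         "Resource": f"arn:aws:s3:::{bucket}/*"},
        {"Effect": "Allow", "Action": ["kms:DescribeKey", "kms:GenerateDataKey*",
                                       "kms:Encrypt", "kms:ReEncrypt*", "kms:Decrypt"],
         "Resource": kms_key_arn},
        {"Effect": "Allow", "Action": ["codecommit:GetBranch", "codecommit:GetCommit",
                                       "codecommit:GetRepository", "codecommit:UploadArchive",
                                       "codecommit:GetUploadArchiveStatus",
                                       "codecommit:CancelUploadArchive"],  # assumed set
         "Resource": repo_arn}]}


def lint_bucket_policy(policy: dict) -> list:
    """Flag s3:ListBucket statements whose Resource has no bare bucket ARN."""
    findings, prefix = [], "arn:aws:s3:::"
    for stmt in policy.get("Statement", []):
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        on_bucket = any(r.startswith(prefix) and "/" not in r[len(prefix):] for r in resources)
        if "s3:ListBucket" in actions and not on_bucket:
            findings.append(f"{stmt.get('Sid', '<no Sid>')}: s3:ListBucket needs the bucket ARN")
    return findings


def set_cross_account_source(get_pipeline_output: dict, source_role_arn: str,
                             kms_key_arn: str) -> dict:
    """get-pipeline output -> update-pipeline input: drop the metadata block (rejected
    by update-pipeline), set the CMK, run the CodeCommit Source action under the role."""
    doc = copy.deepcopy(get_pipeline_output)  # leave the caller's document untouched
    doc.pop("metadata", None)
    pipeline = doc["pipeline"]
    pipeline["artifactStore"]["encryptionKey"] = {"id": kms_key_arn, "type": "KMS"}
    patched = 0
    for stage in pipeline["stages"]:
        for action in stage["actions"]:
            kind = action["actionTypeId"]
            if kind["category"] == "Source" and kind["provider"] == "CodeCommit":
                action["roleArn"] = source_role_arn
                action["configuration"]["PollForSourceChanges"] = "false"  # events, not polling
                patched += 1
    if patched != 1:
        raise ValueError(f"expected exactly one CodeCommit Source action, found {patched}")
    return doc


# Constructed stand-in for `aws codepipeline get-pipeline --name demo` output.
SAMPLE_GET_PIPELINE = {
    "pipeline": {"name": "demo", "version": 1,
                 "roleArn": "arn:aws:iam::111111111111:role/CodePipelineServiceRole",
                 "artifactStore": {"type": "S3", "location": "demo-artifacts-111111111111"},
                 "stages": [{"name": "Source", "actions": [{
                     "name": "Source", "runOrder": 1, "inputArtifacts": [],
                     "actionTypeId": {"category": "Source", "owner": "AWS",
                                      "provider": "CodeCommit", "version": "1"},
                     "configuration": {"BranchName": "master", "RepositoryName": "demo-repo"},
                     "outputArtifacts": [{"name": "MyApp"}]}]}]},
    "metadata": {"pipelineArn": "arn:aws:codepipeline:us-east-1:111111111111:demo"},
}
```

Feed the real `get-pipeline` output to `set_cross_account_source`, `json.dump` the result to pipeline.json and run `aws codepipeline update-pipeline --cli-input-json file://pipeline.json`; run `lint_bucket_policy` on the bucket policy before attaching it, since a ListBucket grant on bucket/* fails silently rather than loudly.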
Reputation: 1780
Yes, it should be possible. Follow these instructions: http://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html
Upvotes: 2