Reputation: 56
I have been playing with AWS CDK and was working on building a CodePipeline stack on my AWS Educate account. The user that I am using has enough permission to access and use CodePipeline. My problem is, AWS CDK generates a role for the CodePipeline action whose Principal is the ARN of the root account, so it doesn't have the permission to assume the role on the root account.
Action code:
// One entry of the pipeline's `stages` array
{
  stageName: "Build",
  actions: [
    new codepipelineActions.CodeBuildAction({
      actionName: "Build",
      input: sourceOutput,
      project: builder,
    }),
  ],
}
CloudFormation template output:
"devPipelineBuildCodePipelineActionRole8696D056": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "AWS": {
              "Fn::Join": [
                "",
                [
                  "arn:",
                  { "Ref": "AWS::Partition" },
                  ":iam::",
                  { "Ref": "AWS::AccountId" },
                  ":root"
                ]
              ]
            }
          }
        }
      ],
      "Version": "2012-10-17"
    }
  },
  "Metadata": {
    "aws:cdk:path": "PipeLineStack/dev-Pipeline/Build/Build/CodePipelineActionRole/Resource"
  }
}
...
{
  "Actions": [
    {
      "ActionTypeId": {
        "Category": "Build",
        "Owner": "AWS",
        "Provider": "CodeBuild",
        "Version": "1"
      },
      "Configuration": {
        "ProjectName": { "Ref": "BuildAndTestB9A2F419" }
      },
      "InputArtifacts": [
        { "Name": "SourceOutput" }
      ],
      "Name": "Build",
      "RoleArn": {
        "Fn::GetAtt": [
          "devPipelineBuildCodePipelineActionRole8696D056",
          "Arn"
        ]
      },
      "RunOrder": 1
    }
  ],
  "Name": "Build"
}
This will throw the error:
arn:aws:iam::acount_id:role/PipeLineStack-devPipelineRole5B29FEBC-1JK24J0K5N1UG is not authorized to perform AssumeRole on role arn:aws:iam::acount_id:role/PipeLineStack-devPipelineBuildCodePipelineActionRo-17ETJU1KZCCNQ (Service: AWSCodePipeline; Status Code: 400; Error Code: InvalidStructureException; Request ID: c8c8af89-2409-4cc1-aad8-4de553a1764f; Proxy: null)
If I remove the RoleArn from the Action and execute the template, it works.
My question is: how do I prevent CDK from adding the default role with a Principal using the root account, or is there a workaround for it?
Upvotes: 4
Views: 3748
Reputation: 1928
Subesh's code works in removing RoleArn. But in my AWS env, RoleArn is still required. I am trying to replace it with an existing role, but it still only removes RoleArn. What is wrong with my code?
pipelineCfn.addDeletionOverride("Properties.Stages.1.Actions.0.RoleArn");
pipelineCfn.addDeletionOverride("Properties.Stages.2.Actions.0.RoleArn");
pipelineCfn.addPropertyOverride(
  "Properties.Stages.1.Actions.0.RoleArn",
  pipeline_role_arn
);
pipelineCfn.addPropertyOverride(
  "Properties.Stages.2.Actions.0.RoleArn",
  pipeline_role_arn
);
Upvotes: 0
Reputation: 1112
It looks like actions are not allowed to assume any role in AWS Educate currently. So, as a workaround that removes the manual overhead, use CDK L1 constructs to modify the generated CloudFormation.
The pipeline can be created like this:
// Custom role to pass in to the pipeline
const pipeLineRole = new iam.Role(this, "CodePipeLineRole", {
  assumedBy: new iam.ServicePrincipal("codepipeline.amazonaws.com"),
});
pipeLineRole.addToPolicy(
  // Required policy statement for each action to run
);

const pipeline = new codepipeline.Pipeline(this, "Pipeline", {
  role: pipeLineRole,
  stages: [
    // ...
    {
      actions: [action1, action2],
    },
    // ...
  ],
});

// Altering the CloudFormation to remove the role ARN from actions
const pipelineCfn = pipeline.node.defaultChild as cdk.CfnResource;
// addDeletionOverride removes the property from the CloudFormation itself
// Delete the action role ARN for every stage and action created
pipelineCfn.addDeletionOverride("Properties.Stages.1.Actions.0.RoleArn");
pipelineCfn.addDeletionOverride("Properties.Stages.2.Actions.0.RoleArn");
pipelineCfn.addDeletionOverride("Properties.Stages.3.Actions.0.RoleArn");
This workaround works, but it still leaves unwanted, dangling policies and roles, created for the individual actions, that are not assigned to any service.
Upvotes: 3
Reputation: 8890
The following code in the pipeline configuration:
"RoleArn": {
  "Fn::GetAtt": [
    "devPipelineBuildCodePipelineActionRole8696D056",
    "Arn"
  ]
},
... means that when the CodePipeline service invokes the "Build" action, it will "assume" the role "devPipelineBuildCodePipelineActionRole8696D056", but this role does not have a trust policy with the "codepipeline.amazonaws.com" service, hence the error.
The 'RoleArn' property under the action is useful when you have a cross-account action (the CodeBuild project is in another account), so unless that is the case, it is better to drop this property.
We will need to see the CDK code to answer your question:
How do I prevent CDK from adding the default role with a Principal using the root account, or is there a workaround for it?
Upvotes: 0
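As an added example that is not part of the question or any answer above, the following pure TypeScript (no aws-cdk-lib dependency) audits a synthesized CloudFormation template the way a unit test on `cdk synth` output could: for every CodePipeline action whose RoleArn points at a generated role, it reads that role's trust policy, flags roles that trust only the account root and not the codepipeline.amazonaws.com service (the situation behind the error in the question), and computes the `Properties.Stages.<i>.Actions.<j>.RoleArn` path that `addDeletionOverride` expects. It generalizes the hard-coded stage indices in the L1-override answer to any number of stages and actions. The embedded template and its logical IDs (BuildActionRole, DeployActionRole, DevPipeline) are constructed for this example and are hypothetical.

```typescript
// Added example: audit a synthesized template for CodePipeline action roles
// that trust only the account root, and emit the L1 override paths.
// No aws-cdk-lib dependency; SAMPLE_TEMPLATE below is constructed, not real output.

type Json = any;

interface RoleFinding {
  pipeline: string;      // logical ID of the pipeline resource
  stage: string;         // stage Name
  action: string;        // action Name
  roleLogicalId: string; // logical ID of the role the action would assume
  principal: string;     // offending principal, intrinsics rendered as <Ref>
  overridePath: string;  // argument for CfnResource.addDeletionOverride
}

// Flatten the intrinsics CDK emits for an ARN principal: plain strings,
// { "Ref": ... } pseudo-parameters (rendered as <Name>) and Fn::Join.
function resolveIntrinsic(value: Json): string {
  if (typeof value === "string") return value;
  if (value !== null && typeof value === "object") {
    if ("Ref" in value) return `<${value.Ref}>`;
    if ("Fn::Join" in value) {
      const [separator, parts] = value["Fn::Join"];
      return (parts as Json[]).map(resolveIntrinsic).join(separator);
    }
  }
  return JSON.stringify(value);
}

// Every Allow principal in a role's trust policy as "Kind:value", e.g.
// "AWS:arn:<AWS::Partition>:iam::<AWS::AccountId>:root" or
// "Service:codepipeline.amazonaws.com".
function trustPrincipals(role: Json): string[] {
  const statements: Json[] = role?.Properties?.AssumeRolePolicyDocument?.Statement ?? [];
  const out: string[] = [];
  for (const stmt of statements) {
    if (stmt.Effect !== "Allow") continue;
    const principal = stmt.Principal ?? {};
    for (const kind of ["AWS", "Service", "Federated"]) {
      const entry = principal[kind];
      if (entry === undefined) continue;
      for (const v of Array.isArray(entry) ? entry : [entry]) {
        out.push(`${kind}:${resolveIntrinsic(v)}`);
      }
    }
  }
  return out;
}

// Walk every stage and action of every pipeline in the template.
function auditActionRoles(template: Json): RoleFinding[] {
  const resources: Json = template.Resources ?? {};
  const findings: RoleFinding[] = [];
  for (const pipelineId of Object.keys(resources)) {
    const pipeline = resources[pipelineId];
    if (pipeline.Type !== "AWS::CodePipeline::Pipeline") continue;
    const stages: Json[] = pipeline.Properties?.Stages ?? [];
    stages.forEach((stage, si) => {
      const actions: Json[] = stage.Actions ?? [];
      actions.forEach((action, ai) => {
        const getAtt = action.RoleArn?.["Fn::GetAtt"];
        if (!getAtt) return; // no per-action role, so nothing is assumed
        const roleLogicalId: string = getAtt[0];
        const principals = trustPrincipals(resources[roleLogicalId]);
        const rootTrust = principals.find(p => p.startsWith("AWS:") && p.endsWith(":root"));
        const trustsCodePipeline = principals.indexOf("Service:codepipeline.amazonaws.com") !== -1;
        if (rootTrust !== undefined && !trustsCodePipeline) {
          findings.push({
            pipeline: pipelineId, stage: stage.Name, action: action.Name,
            roleLogicalId, principal: rootTrust,
            overridePath: `Properties.Stages.${si}.Actions.${ai}.RoleArn`,
          });
        }
      });
    });
  }
  return findings;
}

// Constructed sample (hypothetical logical IDs): a Source stage with no
// per-action role, a Build stage whose role trusts the account root (as in the
// question), and a Deploy stage whose role trusts the CodePipeline service.
const SAMPLE_TEMPLATE: Json = {
  Resources: {
    BuildActionRole: {
      Type: "AWS::IAM::Role",
      Properties: { AssumeRolePolicyDocument: { Version: "2012-10-17", Statement: [{
        Action: "sts:AssumeRole", Effect: "Allow",
        Principal: { AWS: { "Fn::Join": ["", ["arn:", { Ref: "AWS::Partition" }, ":iam::", { Ref: "AWS::AccountId" }, ":root"]] } },
      }] } },
    },
    DeployActionRole: {
      Type: "AWS::IAM::Role",
      Properties: { AssumeRolePolicyDocument: { Version: "2012-10-17", Statement: [{
        Action: "sts:AssumeRole", Effect: "Allow", Principal: { Service: "codepipeline.amazonaws.com" },
      }] } },
    },
    DevPipeline: {
      Type: "AWS::CodePipeline::Pipeline",
      Properties: { Stages: [
        { Name: "Source", Actions: [{ Name: "Source", RunOrder: 1 }] },
        { Name: "Build", Actions: [{ Name: "Build", RunOrder: 1, RoleArn: { "Fn::GetAtt": ["BuildActionRole", "Arn"] } }] },
        { Name: "Deploy", Actions: [{ Name: "Deploy", RunOrder: 1, RoleArn: { "Fn::GetAtt": ["DeployActionRole", "Arn"] } }] },
      ] },
    },
  },
};

// Each finding's overridePath is what you would pass to addDeletionOverride.
for (const f of auditActionRoles(SAMPLE_TEMPLATE)) {
  console.log(`${f.pipeline} ${f.stage}/${f.action}: ${f.roleLogicalId} trusts ${f.principal} -> ${f.overridePath}`);
}
```

Run against real `cdk synth` output, the finding list doubles as a regression check: once the overrides are in place it should be empty, and any new stage that reintroduces a root-trusting action role shows up with its exact override path instead of being discovered at deploy time through the InvalidStructureException above.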