CDK Codepipeline CloudFormationCreateUpdateStackAction getting "S3: Access Denied" only with Nested Stacks

Question

I am trying to set up a CDK Codepipeline for updating the cdk project itself, with the project being under one stack, and having multiple nested stacks in the constructor. The pipeline is in a second stack with the service stack passed in to access the name. I am using CloudFormationCreateUpdateStackAction to update the stack after I have run cdk synth and put the output in an artifact using codebuild.

    pipeline.addStage({
      stageName: 'ServiceUpdate',
      actions: [
        new CloudFormationCreateUpdateStackAction({
          actionName: 'Service_Update',
          stackName: props.serviceStack.stackName,
          templatePath: cdkPipelineBuildOutput.atPath(
            `${props.serviceStack.stackName}.template.json`
          ),
          adminPermissions: true,
        }),
      ],
    });

This is able to update the stack if it is empty, or has some resources directly in it, however if there is a nested stack inside the service stack I get

S3: AccessDenied

for each of the nested stacks inside of the stack.

If I run "cdk deploy ExampleServiceStackName" from my terminal with admin credentials the nested stacks are created/updated correctly, leading me to believe that there is something wrong with the IAM roles of codebuild or codepipeline here. But I don't know where to start as I have set adminPermissions to true in the CloudFormationCreateUpdateStackAction.

I also manually set admin permissions by calling addToDeploymentRolePolicy on the CloudFormationCreateUpdateStackAction, and CodePipeline, passing

    const policy = new PolicyStatement({
      resources: ['*'],
      actions: ['*'],
      effect: Effect.ALLOW,
    });

with no change in the access denied error.

I also make sure to specify "cdk synth --all" in my ci script in an attempt to ensure the nested stacks templates will be synthesized.

Other stack overflow questions I have read:

S3 error: Access Denied when deploying CFN template with Nested Stacks

This Q was related to a typo in the manually written cloud formation template. I have looked in the generated templates, and the nested stack name is correctly generated and referenced by cdk. cdk deploy from local terminal also works, further leading me to believe there is no typo problem. I also pass the service stack as a prop and call the stackName property to avoid a typo in accessing the template.

If you spot a way there could be a problem accessing due to a typo, please let me know as that would still be the best-case scenario.

Codepipeline S3 Bucket access denied in Codebuild

This Q says it was solved by giving permissions to the CMK on the S3 bucket. I have used a code pipeline Artifact for source of the "cdk synth -> cloudformation templates". I'm not aware of any KMS CMK being used in this setup. If there is a way I can specify decryption abilities on the artifact maybe that would help.

If there is a way to get more verbose error messages about the s3: Access Denied status that would also be appreciated. It doesn't even share what s3 bucket is being denied, I'm just having to assume.

Thanks for any suggestions.

Answer 1

Hey I had this same issue and figured out the issue (if you or anyone is still having it).

Basically, when you do a cdk synth with nested stacks, the parent stack, once its synthesized, will have references to S3 objects (usually within the cdk-assets bucket) that contain the child stacks. The problem however, at least with the pipeline is these assets are never uploaded to S3.

This means when the pipeline runs, it gets an s3:AccessDenied error because the child stacks the parent stack references do not exist in that cdk-assets bucket.

The way I got around this is to change my approach and instead of using the CloudFormationCreateUpdateStackAction, I instead use a CodeBuild step that executes CLI commands to deploy the cdk.