Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(codebuild): missing permissions for SecretsManager environment variables #12121

Merged
merged 6 commits into from
Dec 22, 2020
Merged

fix(codebuild): missing permissions for SecretsManager environment variables #12121

merged 6 commits into from
Dec 22, 2020

Conversation

skinny85
Copy link
Contributor

When creating a CodeBuild Project that uses environment variables from SecretsManager,
the Project fails execution with:

AccessDeniedException: User: arn:aws:sts::828671620168:assumed-role/role
is not authorized to perform: secretsmanager:GetSecretValue on resource:
arn:aws:secretsmanager:us-west-2:123456789012:secret:my-secret-GXyUCE

The solution is to automatically grant the Project's Role permissions to read all
Secrets whose names were provided as environment variables.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@skinny85
fix(codebuild): missing permissions for SecretsManager environment va…
e7c5ad3 
…riables

When creating a CodeBuild Project that uses environment variables from SecretsManager,
the Project fails execution with:

```
AccessDeniedException: User: arn:aws:sts::828671620168:assumed-role/role
is not authorized to perform: secretsmanager:GetSecretValue on resource:
arn:aws:secretsmanager:us-west-2:123456789012:secret:my-secret-GXyUCE
```

The solution is to automatically grant the Project's Role permissions to read all
Secrets whose names were provided as environment variables.
@skinny85 skinny85 self-assigned this Dec 17, 2020
@gitpod-io
Copy link

gitpod-io bot commented Dec 17, 2020
edited
Loading

@github-actions github-actions bot added the @aws-cdk/aws-codebuild Related to AWS CodeBuild label Dec 17, 2020
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Dec 17, 2020
@skinny85 skinny85 mentioned this pull request Dec 18, 2020
Merged
@mergify
Copy link
Contributor

mergify bot commented Dec 18, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@jogold
Copy link
Contributor

jogold commented Dec 21, 2020
edited
Loading

The build of this PR is stuck and is blocking the mergify "queue"

@skinny85 @shivlaks @eladb

see https://github.com/aws/aws-cdk/pull/12123/checks?check_run_id=1588463268

@iliapolo
Copy link
Contributor

Pushed a dummy commit to re-trigger the build since for some reason the CodeBuild job wasn't running causing mergify to be blocked

@mergify
Copy link
Contributor

mergify bot commented Dec 22, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: c1a614b
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Contributor

mergify bot commented Dec 22, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 1a13d8f into aws:master Dec 22, 2020
@skinny85 skinny85 deleted the fix/codebuild-secretsmanager-env-vars branch December 23, 2020 21:33
flochaz pushed a commit to flochaz/aws-cdk that referenced this pull request Jan 5, 2021
@skinny85 @flochaz
fix(codebuild): missing permissions for SecretsManager environment va…
ba7b2f3 
…riables (aws#12121)

When creating a CodeBuild Project that uses environment variables from SecretsManager,
the Project fails execution with:

```
AccessDeniedException: User: arn:aws:sts::828671620168:assumed-role/role
is not authorized to perform: secretsmanager:GetSecretValue on resource:
arn:aws:secretsmanager:us-west-2:123456789012:secret:my-secret-GXyUCE
```

The solution is to automatically grant the Project's Role permissions to read all
Secrets whose names were provided as environment variables.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@iliapolo iliapolo iliapolo left review comments

@shivlaks shivlaks shivlaks approved these changes

Assignees

@skinny85 skinny85

Labels
@aws-cdk/aws-codebuild Related to AWS CodeBuild contribution/core This is a PR that came from AWS.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@skinny85 @jogold @iliapolo @aws-cdk-automation @shivlaks