(aws-cdk/pipelines): allow use of custom role for CodePipeline #18167
Comments
I can't tell if there is any traction on this issue. Just to be clear - I can create the policy and role myself if I need to, but it doesn't appear that the role that I'm applying is being used, and what seems to be broken or not implemented is the method to not use the role when `withoutPolicyUpdates()` is passed.

This is the PR for this issue: #18293
I'm not finding that this role is being mutated at all. The role and policy being created are being created because the

Where you're passing the role here, it's ending up being used as the CodeBuild::Project service role, and isn't being modified. We offer the option to pass in your own
I think I follow. I'll admit I'm a little rusty on the details of what's going on and it's been a while since I opened this. From what you're saying I take it that there are two roles involved: one for creating the pipeline and one for execution of the pipeline. Is that correct? And it's the execution role that is exceeding the 10K policy size limit, not the role that is a property of the

When you say that you can pass in your own

One last bit, which is this stemmed from attempting to work around a policy size exception. I understand that inline policies, even if there are multiple per role, are all coalesced into a single inline policy and that combined policy size is limited to 10K. My question is why is there a hard requirement for relying on inline policies? Wouldn't it be possible to create custom/customer managed policies, and even multiples of these policies, to then assign to whatever role is using them? That should at least allow up to 60K (120K if the limit of policies / role is bumped up to 20) worth of policy size minus some policy crease loss. Again, maybe I'm missing something, in fact I'm sure I am.
The role you're passing into `CodeBuildStep` is the ServiceRole which enables CodeBuild to interact with AWS services. This is just limited to CodeBuild. The other role is the role the pipeline itself uses to either perform actions that don't have a role specified for that action, or will assume the role specified for the action.

Yes, I do mean a fully existing

This will create a CodePipeline with a role that will not be mutated, with no additional policies. All else should be identical, I believe. You will then be able to use the

For reference, here's where we generate the underlying pipeline: aws-cdk/packages/@aws-cdk/pipelines/lib/codepipeline/codepipeline.ts, lines 351 to 369 in 83f1668.

Of course, it would be easier if you could just directly pass in this role to

As for the policy question - I'm not sure personally 😅 I've seen this discussed a while ago on why we don't do managed policies for this problem, but I don't remember the details.
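The two roles described above (the pipeline's own role versus the CodeBuild service role) and the managed-policy question two comments up both come down to one measurement: how many characters of inline policy end up attached to which role in the synthesized template. The script below is an added example, not aws-cdk code and not something anyone in this thread posted. It walks a CloudFormation template, attributes each inline `AWS::IAM::Policy` to the role(s) in its `Roles` list, sums per-role sizes the way IAM counts them (minified JSON, whitespace excluded) against the 10,240-character inline quota, and shows how many 6,144-character customer managed policies the same statements would need. The template, the bootstrap bucket name and the logical IDs (`PipelineRole`, `PipelineRoleDefaultPolicy`, `CodeBuildRole`) are constructed stand-ins that only mimic the shape of `cdk synth` output; unresolved `Ref`/`Fn::GetAtt` intrinsics are counted as written, so the numbers are lower bounds until the template is deployed.

```python
"""Size-check IAM policies in a synthesized CloudFormation template.

Added example, not aws-cdk code. Flags roles whose combined inline policies
exceed the IAM quota and shows how a large document splits into managed
policies. Quotas below are IAM's documented character limits.
"""
from __future__ import annotations

import json

INLINE_PER_ROLE_LIMIT = 10_240   # all inline policies on one role, combined (whitespace excluded)
MANAGED_POLICY_LIMIT = 6_144     # one customer managed policy
MANAGED_PER_ROLE_DEFAULT = 10    # managed policies attachable per role; adjustable up to 20


def policy_chars(document: dict) -> int:
    """IAM-style count: minified JSON. Intrinsics ({"Ref": ...}) are counted
    as written, so for an unresolved template this is a lower bound."""
    return len(json.dumps(document, separators=(",", ":")))


def _role_name(entry) -> str:
    """Roles[] entries are usually {"Ref": "LogicalId"}; accept plain strings too."""
    if isinstance(entry, dict) and "Ref" in entry:
        return entry["Ref"]
    return str(entry)


def inline_policy_sizes(template: dict) -> dict[str, int]:
    """Per-role total of inline policy characters, from standalone
    AWS::IAM::Policy resources and from Policies declared on AWS::IAM::Role."""
    totals: dict[str, int] = {}
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::Policy":
            size = policy_chars(props["PolicyDocument"])
            for role in props.get("Roles", []):
                name = _role_name(role)
                totals[name] = totals.get(name, 0) + size
        elif res.get("Type") == "AWS::IAM::Role":
            for inline in props.get("Policies", []):
                totals[logical_id] = totals.get(logical_id, 0) + policy_chars(inline["PolicyDocument"])
    return totals


def roles_over_limit(template: dict) -> list[str]:
    """Logical IDs of roles whose combined inline policies exceed the quota."""
    return [r for r, n in inline_policy_sizes(template).items() if n > INLINE_PER_ROLE_LIMIT]


def split_into_managed_policies(document: dict, limit: int = MANAGED_POLICY_LIMIT) -> list[dict]:
    """Greedily pack whole statements, in order, into documents that each fit
    one customer managed policy. A statement that alone exceeds the limit
    cannot be packed and must be split by the caller (e.g. by Resource list)."""
    version = document.get("Version", "2012-10-17")
    pieces: list[dict] = []
    current: list[dict] = []
    for stmt in document["Statement"]:
        if policy_chars({"Version": version, "Statement": [stmt]}) > limit:
            raise ValueError("a single statement exceeds the managed policy limit")
        if current and policy_chars({"Version": version, "Statement": current + [stmt]}) > limit:
            pieces.append({"Version": version, "Statement": current})
            current = []
        current.append(stmt)
    if current:
        pieces.append({"Version": version, "Statement": current})
    return pieces


def build_sample_template(asset_count: int) -> dict:
    """Constructed stand-in for cdk synth output (NOT real CDK output): a
    pipeline role whose default policy grows by one statement per asset,
    plus a separate CodeBuild service role with a small policy of its own."""
    bucket = "cdk-hnb659fds-assets-123456789012-us-east-1"   # hypothetical bootstrap bucket
    asset_statements = [
        {"Effect": "Allow",
         "Action": ["s3:GetObject*", "s3:GetBucket*", "s3:List*"],
         "Resource": [f"arn:aws:s3:::{bucket}/asset-{i:04d}-{'0' * 40}.zip"]}
        for i in range(asset_count)
    ]

    def role(service: str) -> dict:
        return {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {
            "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                                     "Principal": {"Service": service}}]}}}

    def policy(role_id: str, statements: list[dict]) -> dict:
        return {"Type": "AWS::IAM::Policy", "Properties": {"Roles": [{"Ref": role_id}],
                "PolicyDocument": {"Version": "2012-10-17", "Statement": statements}}}

    return {"Resources": {
        "PipelineRole": role("codepipeline.amazonaws.com"),
        "PipelineRoleDefaultPolicy": policy("PipelineRole", asset_statements),
        "CodeBuildRole": role("codebuild.amazonaws.com"),
        "CodeBuildRoleDefaultPolicy": policy("CodeBuildRole", [
            {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"}]),
    }}


if __name__ == "__main__":
    template = build_sample_template(asset_count=70)
    for name, size in inline_policy_sizes(template).items():
        print(f"{name}: {size} chars inline [{'OVER' if size > INLINE_PER_ROLE_LIMIT else 'ok'}]")
    big = template["Resources"]["PipelineRoleDefaultPolicy"]["Properties"]["PolicyDocument"]
    print(f"would need {len(split_into_managed_policies(big))} managed policies "
          f"(default per-role quota {MANAGED_PER_ROLE_DEFAULT})")
```

To run it against real output, load `cdk.out/<Stack>.template.json` with `json.load` and pass it to `inline_policy_sizes`; the role that shows up as OVER is the one whose policy CloudFormation will reject, and in this thread's scenario that is the pipeline role, not the role passed to `CodeBuildStep`. The split function also makes the managed-policy trade-off concrete: even after splitting, a role takes at most 10 managed policies by default (20 on request), which is where the 60K/120K figures in the question come from.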
fixes: #18167, fixes #21412

- adds a new role prop for `pipelines.CodePipeline` to pass on to the generated `codepipeline.Pipeline`
- This role will be assumed by the pipeline

----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
What is the problem?
When creating `pipelines.CodePipeline` with a synth `pipelines.CodeBuild`, and even passing in the `role=role.without_policy_updates()` parameter to the `CodeBuildStep`, the resulting Cfn template is generated with a `PipelineRoleDefaultPolicy` that exceeds the allowable size. According to other issues and to the docs regarding opting out of policy updates, the policy is still being updated.
Reproduction Steps
What did you expect to happen?
the passed in role should not be updated
What actually happened?
The policy for the passed-in role is updated to include individual assets for resources. It's also possible that the roles between the `CodeBuildStep` and the `pipelines.CodePipeline` are completely separate, in which case I would expect `pipelines.CodePipeline` to allow for a role parameter, but this does not appear to be the case.
CDK CLI Version
1.137.0
Framework Version
No response
Node.js Version
v14.18.1
OS
Linux/Ubuntu 20.04
Language
Python
Language Version
3.8.10
Other information
No response