I am attempting to follow this example of setting up an AWS Pipeline for use across multiple accounts. I have the four different accounts set up. I've followed through on each step of the process successfully. No commands are generating any errors. The pipeline completes successfully. I can then connect to the pipeline and commit my code changes. In short, every single step up to the final one works as written in the documentation.
However, I'm then presented with an error on the initial trigger of the code commit:
Insufficient permissions The service role or action role doesn’t have the permissions required to access the AWS CodeCommit repository named dbmigration. Update the IAM role permissions, and then try again. Error: User: arn:aws:sts::12345678912:assumed-role/my-pipeline-CodePipelineRole-1UPXOXOXO1WD0H/987654321 is not authorized to perform: codecommit:UploadArchive on resource: arn:aws:codecommit:us-east-2:123456789:dbmigration
The AWS Account I used to create the pipeline is not the root account, but an IAM Administrator login with admin privileges across the account. I've tried adding AWSCodeCommitFullAccess and AWSCodePipelineFullAccess, which I would have thought would have been part of Administration anyway. However, that didn't change anything.
My assumption is I've done something horribly wrong, but I'm not able to identify what that is. Any suggestions for better troubleshooting, let alone suggestions on how to fix it would be most welcome.
The code used to create the pipeline, again, run using the IAM login, Administrator, from a fourth AWS account, is as follows:
aws cloudformation deploy --stack-name my-pipeline `
--template-file db-migration-master.yml `
--parameter-overrides ProjectName=dbmigration `
[email protected] `
DevAccountId=98765432123 `
TestAccountId=123456789012 `
ProdAccountID=210987654321 --capabilities CAPABILITY_NAMED_IAM
All the templates are from the linked article and not modified or customized.
Based on the comments.
The error message indicated that the role my-pipeline-CodePipelineRole-1UPXOXOXO1WD0H/987654321 was missing permission codecommit:UploadArchive which:
Grants permission to the service role for AWS CodePipeline to upload repository changes into a pipeline
The solution was to add the codecommit:UploadArchive to the role as an inline policy.