I have AWS CodePipeline for CI/CD for my application. I am using 2 AWS accounts. Account-1 is for my repositories and pipelines, and account-2 is where all the infra/servers are.
So this is the Deploy stage of my pipeline, where the deploymentGroup is created in account-2 and assigned as the object props.ec2DeploymentGroup:
    // Deploy stage: one CodeDeploy action targeting the EC2 deployment group in account-2
    {
      stageName: "deploy-to-" + props.targetEnvName,
      actions: [
        new codepipeline_actions.CodeDeployServerDeployAction({
          actionName: "deploy-to-" + props.targetEnvName + "-" + props.applicationName + "-ec2",
          input: appBuildOutput,               // build artifact stored in the pipeline's artifact bucket (account-1)
          deploymentGroup: props.ec2DeploymentGroup, // imported deployment group living in account-2
        })
      ]
    }
Now when my deploy stage runs, it successfully tries to deploy artifacts to the DeploymentGroup/servers in account-2, but it fails at the downloadBundle event with the error:
    Access Denied
And this is because my artifact bucket is in account-1 (because my pipeline is in account-1), and the deployment group in account-2 doesn't have access to this artifact bucket in account-1.
I tried to do something like this, but I'm not sure how to get the role of props.ec2DeploymentGroup to pass it here:
    pipeline.artifactBucket.grantRead(whatObjectToPassHere)
So how should I give cross-account access to the artifact bucket using AWS CDK?
So I found the solution to my problem (I had help from AWS support): my EC2 instance profile didn't have access to my artifact bucket in the other account.
I managed this in CDK using the code below:
    // Import the instance profile role from account-2 by ARN. `mutable: false` tells CDK it
    // cannot attach a policy to this role, so the grant lands on the bucket's resource policy instead.
    const ec2InstanceProfileRole = iam.Role.fromRoleArn(this, 'Role',
      'arn:aws:iam::' + props.targetAccountId + ':role/' + props.ec2InstanceProfileName,
      {
        mutable: false,
      });
    // Allow that cross-account role to read the pipeline's artifact bucket
    pipeline.artifactBucket.grantRead(ec2InstanceProfileRole);
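Because the imported role is immutable, the grant above ends up as a statement in the artifact bucket's resource policy. The following added example (not from the question or the answer) builds that statement for a constructed bucket name and role ARN, validates that the role really belongs to the target account, and includes a small evaluator to check that the statement lets the role fetch an artifact object while a role from another account cannot. The action list mirrors the one CDK's grantRead uses (GetObject*, GetBucket*, List*), which is an assumption about CDK internals.

```typescript
// Added example, not the original poster's code. Bucket and role names are constructed.
interface Statement {
  Effect: "Allow" | "Deny";
  Principal: { AWS: string[] };
  Action: string[];
  Resource: string[];
}

// Extract the 12-digit account id from an IAM role ARN; throws on malformed input.
function accountOfRoleArn(roleArn: string): string {
  const m = /^arn:aws:iam::(\d{12}):role\/[\w+=,.@\/-]+$/.exec(roleArn);
  if (!m) throw new Error(`not an IAM role ARN: ${roleArn}`);
  return m[1];
}

// Bucket-policy statement equivalent to pipeline.artifactBucket.grantRead(importedRole).
// targetAccountId is checked against the ARN so a role from the wrong account is caught early.
function crossAccountReadStatement(bucketName: string, roleArn: string, targetAccountId: string): Statement {
  if (accountOfRoleArn(roleArn) !== targetAccountId) {
    throw new Error(`role ${roleArn} is not in target account ${targetAccountId}`);
  }
  const bucketArn = `arn:aws:s3:::${bucketName}`;
  return {
    Effect: "Allow",
    Principal: { AWS: [roleArn] },
    Action: ["s3:GetObject*", "s3:GetBucket*", "s3:List*"],   // assumed: CDK's read action set
    Resource: [bucketArn, `${bucketArn}/*`],                  // bucket itself plus every object
  };
}

// Minimal '*'-only wildcard match, as IAM applies to Action and Resource strings.
function globMatch(pattern: string, value: string): boolean {
  const parts = pattern.split("*").map(s => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$").test(value);
}

// Does the policy allow `roleArn` to perform `action` on `resource`? Explicit Deny wins.
function allows(policy: Statement[], roleArn: string, action: string, resource: string): boolean {
  const hit = (s: Statement) =>
    s.Principal.AWS.includes(roleArn) &&
    s.Action.some(a => globMatch(a, action)) &&
    s.Resource.some(r => globMatch(r, resource));
  if (policy.some(s => s.Effect === "Deny" && hit(s))) return false;
  return policy.some(s => s.Effect === "Allow" && hit(s));
}
```

The same check is worth running against the deployed bucket policy (aws s3api get-bucket-policy) after the stack update, since a grant on an immutable role produces no change on the role side.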