Tags: amazon-web-services, aws-cdk, aws-parameter-store, aws-ssm

Allow CodeBuildAction to update SSM parameter


I'm currently trying to set an SSM Parameter Store value via a CodeBuildAction. My first attempt resulted in a 254 return code, which I'm guessing is because the request was not authorized. I then attempted to attach a managed policy to the role associated with the CodeBuildAction, but the cdk deploy failed with:

Policy arn:aws:iam::aws:policy/AWSServiceRoleForAmazonSSM does not exist or is not attachable. (Service: AmazonIdentityManagement; Status Code: 404; Error Code: NoSuchEntity; Request ID: 2f65f8db-64a5-4173-ac45-de4c56bffa44; Proxy: null)

Here is the role setup:

// Import path assumes CDK v2 (aws-cdk-lib); CDK v1 uses "@aws-cdk/aws-iam" instead.
import { ManagedPolicy, Role, ServicePrincipal } from "aws-cdk-lib/aws-iam";

this.codeBuildRole = new Role(this, "application-build-project-role", {
  assumedBy: new ServicePrincipal("codebuild.amazonaws.com"),
  managedPolicies: [
    ManagedPolicy.fromAwsManagedPolicyName(
      "AmazonEC2ContainerRegistryPowerUser"
    ),
    ManagedPolicy.fromAwsManagedPolicyName("AWSServiceRoleForAmazonSSM"), // THIS IS THE NEW PART
  ],
});

I understand that this means that I'm using the wrong policy, but I'm struggling to find an alternative.

Is there a managed policy that will work here? If not, how would I set up an inline policy to achieve what I'm trying to do?


Solution

  • The idiomatic way to solve this is to use CDK's abstractions to modify the role instead of creating your own.

    Here's what it would look like, assuming you want to update a specific parameter. You'd do this for every parameter you have.

    mySsmParameter.grantWrite(myCodeBuildAction.actionProperties.role);
    

    Alternatively, you can grant the access to the action's project:

    mySsmParameter.grantWrite(myCodeBuildProject);
    

    And that's it; CDK will take care of the needed statements under the hood.
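For the inline-policy route the question also asks about, here is an added example (not code from the question, the answer or the CDK project) that builds the least-privilege statement for writing specific parameters: only `ssm:PutParameter`, scoped to each parameter's ARN rather than a wildcard or a broad managed policy. The region, account and parameter names are constructed sample values; the `iam.PolicyStatement` / `addToPolicy` calls in the comments are the standard CDK v2 APIs you would feed the result into.

```typescript
// Shape of one IAM policy statement, as it would appear in the policy document.
export interface PolicyStatementJson {
  Effect: "Allow";
  Action: string[];
  Resource: string[];
}

// SSM parameter ARNs are "arn:<partition>:ssm:<region>:<account>:parameter/<name>"
// with the name's leading slash dropped, so "/app/db/url" and "app/db/url" must
// produce the same ARN. Getting this wrong yields a statement that never matches.
export function ssmParameterArn(
  region: string,
  account: string,
  name: string,
  partition = "aws",
): string {
  const trimmed = name.replace(/^\/+/, "");
  if (trimmed.length === 0) {
    throw new Error("parameter name must not be empty");
  }
  return `arn:${partition}:ssm:${region}:${account}:parameter/${trimmed}`;
}

// Grant exactly what `aws ssm put-parameter` in a buildspec needs: ssm:PutParameter
// on the named parameters, nothing else. Compare this with a resource of "*" or
// the service-linked managed policy the question tried to attach.
export function putParameterStatement(
  region: string,
  account: string,
  names: string[],
): PolicyStatementJson {
  if (names.length === 0) {
    throw new Error("at least one parameter name is required");
  }
  return {
    Effect: "Allow",
    Action: ["ssm:PutParameter"],
    Resource: names.map((n) => ssmParameterArn(region, account, n)),
  };
}

// In the CDK stack (assumed names: codeBuildRole, stack), the result is attached as:
//   const s = putParameterStatement(stack.region, stack.account, ["/app/db/url"]);
//   codeBuildRole.addToPolicy(new iam.PolicyStatement({ actions: s.Action, resources: s.Resource }));
// Caveat: a SecureString parameter encrypted with a customer-managed KMS key also needs
// kms:Encrypt (standard tier) or kms:GenerateDataKey (advanced tier) on that key.
```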