Tags: amazon-web-services, aws-cloudformation, aws-codepipeline, aws-iam-policy

Why does CodePipeline service role need iam:PassRole?


I was reading the AWS documentation explaining how to create the CodePipeline service role. However, I don't understand why it needs the following statement:

{
  "Effect": "Allow",
  "Action": [
    "iam:PassRole"
  ],
  "Resource": "*"
}

inside the RolePolicy.json file.

I am not asking for an explanation of what iam:PassRole is and why and when we use it in general. I understand that it allows a principal to pass a role to another service. However, I'm confused about why we need it particularly inside the CodePipeline service. So:

  1. What is the principal, what is/are role(s), and what is/are service(s) in this case?
  2. Isn't it insecure to use "Resource": "*"?

Solution

  • Suppose you are building a CodePipeline to deploy a CloudFormation stack that consists of an RDS database.

    When setting up the CloudFormation deploy action in CodePipeline, you need to specify a role that CloudFormation can use to perform the deployment (granting permissions such as rds:CreateDBInstance). This role (resource) will be passed from CodePipeline (principal) to CloudFormation (service) when the action is called. When you navigate to the CloudFormation console, you will find the same role ARN in your stack info.

    Another example would be the deploy action for ECS, where CodePipeline passes the task execution role for new task definitions.

    You are correct that using "Resource": "*" in an IAM policy is too broad. The role provided in the AWS documentation is permissive to cover a wide range of cases and can often be scoped down. For example:

    • The iam:PassRole permission can be restricted to only the role that the pipeline is designed to pass

    • A condition can be added to allow the role to be passed only to specific services (CloudFormation in this case):

        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::000000000000:role/your-cloudformation-deployment-role",
            "Condition": {
                "StringEqualsIfExists": {
                    "iam:PassedToService": [
                        "cloudformation.amazonaws.com"
                    ]
                }
            }
        }
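To make the difference between the two statements concrete, here is an added example (not part of the question, the answer, or any AWS tooling) that loads both policy documents from the page, flags the over-broad iam:PassRole pattern, and then performs a simplified local evaluation of which role may be passed to which service. The evaluator is an approximation of IAM's real decision logic: it models only Allow statements, IAM's `*`/`?` wildcards, and the StringEquals/StringEqualsIfExists operators on the iam:PassedToService key; explicit Deny statements, SCPs, permission boundaries, and other condition keys are deliberately out of scope. The account id and role name are the placeholder values from the answer.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policies, copied from the two statements shown on the page.
# BROAD_POLICY is the statement from the AWS documentation the question asks about;
# SCOPED_POLICY is the tightened statement given in the answer.
BROAD_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"}]}
""")

SCOPED_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Action": "iam:PassRole",
   "Resource": "arn:aws:iam::000000000000:role/your-cloudformation-deployment-role",
   "Condition": {"StringEqualsIfExists": {"iam:PassedToService": ["cloudformation.amazonaws.com"]}}
 }]}
""")


def _as_list(value):
    """IAM allows a bare string wherever a list is accepted; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value, case_insensitive=False):
    """IAM wildcard match: '*' is any sequence, '?' is one character.
    Action names compare case-insensitively; ARNs compare exactly."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatchcase(value, pattern)


def _passed_to_services(condition):
    """Collect the services named in any iam:PassedToService condition on the statement."""
    services = []
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            if key.lower() == "iam:passedtoservice":
                if operator not in ("StringEquals", "StringEqualsIfExists"):
                    raise ValueError(f"operator {operator} is not modelled by this example")
                services.extend(_as_list(allowed))
    return services


def pass_role_findings(policy):
    """Report Allow statements that grant iam:PassRole too broadly:
    a '*' resource, or no iam:PassedToService condition limiting the target service."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(_iam_match(a, "iam:PassRole", case_insensitive=True) for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources:
            findings.append(f"statement {index}: iam:PassRole allowed on Resource '*'")
        if not _passed_to_services(stmt.get("Condition", {})):
            findings.append(f"statement {index}: iam:PassRole has no iam:PassedToService condition")
    return findings


def can_pass_role(policy, role_arn, service):
    """Simplified check: may a principal holding this policy pass role_arn to service?
    In this simulation the iam:PassedToService key is always present, so StringEquals and
    StringEqualsIfExists behave identically; Deny statements are not evaluated."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(_iam_match(a, "iam:PassRole", case_insensitive=True) for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not any(_iam_match(r, role_arn) for r in resources):
            continue
        allowed_services = _passed_to_services(stmt.get("Condition", {}))
        if allowed_services and service not in allowed_services:
            continue
        return True
    return False


if __name__ == "__main__":
    deploy_role = "arn:aws:iam::000000000000:role/your-cloudformation-deployment-role"
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "findings:", pass_role_findings(policy) or "none")
        print(name, "pass deploy role to CloudFormation:",
              can_pass_role(policy, deploy_role, "cloudformation.amazonaws.com"))
        print(name, "pass deploy role to ECS tasks:",
              can_pass_role(policy, deploy_role, "ecs-tasks.amazonaws.com"))
```

Running the script shows the broad statement lets the pipeline role hand any role in the account to any service, while the scoped statement only permits the one deployment role, and only to CloudFormation. The same two checks are a reasonable starting point for a policy-linting step in a CI job, with the caveat that a real verdict also depends on Deny statements, SCPs and permission boundaries that this example does not model.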