fix(codebuild): project didn't have permissions to retrieve secret of image with credentials (#8845)

For build images that used credentials,
the role of the project wasn't granted permissions to read the secret from SecretsManager,
which meant the build would always fail executing in the 'Provisioning' phase.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
skinny85 committed Jul 2, 2020
1 parent f1b37ef commit 4326f24
Showing 2 changed files with 27 additions and 1 deletion.
3 changes: 3 additions & 0 deletions packages/@aws-cdk/aws-codebuild/lib/project.ts
@@ -940,6 +940,9 @@ export class Project extends ProjectBase {
this.buildImage.repository.addToResourcePolicy(statement);
}
}
if (imagePullPrincipalType === ImagePullPrincipalType.SERVICE_ROLE) {
this.buildImage.secretsManagerCredentials?.grantRead(this);
}

return {
type: this.buildImage.type,
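Review bot: the new `grantRead` call is gated on `imagePullPrincipalType === ImagePullPrincipalType.SERVICE_ROLE`, but nothing in the hunk records why a project using the other pull principal type needs no read grant on the same secret; add a one-line comment above the `if` stating that only the SERVICE_ROLE case has the project's own role pull the image (and so read the registry credentials), so a later reader does not widen or drop the condition. The optional chaining on `this.buildImage.secretsManagerCredentials?.grantRead(this)` correctly skips images without credentials, and the second changed file on this page shows the `secretsmanager:GetSecretValue` / `secretsmanager:DescribeSecret` statement this grant produces.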
@@ -22,6 +22,29 @@
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:secretsmanager:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":secret:my-secrets-123456"
]
]
}
},
{
"Action": [
"logs:CreateLogGroup",
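Review bot: the `Resource` ARN is joined from the literal `"arn:aws:secretsmanager:"` rather than `{ "Ref": "AWS::Partition" }`, so if this ARN is generated by the construct rather than passed in by the test as a fixed string, the policy will name the wrong partition in aws-cn and aws-us-gov; consider building it from the partition pseudo-parameter (for example via `Stack.of(this).formatArn`) and regenerating this expected output. Also note that the statement is inserted ahead of the existing `logs:CreateLogGroup` statement, so every later statement in this policy shifts index; harmless for a snapshot, but worth knowing for anyone asserting on a specific statement position.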
@@ -135,4 +158,4 @@
}
}
}
}
}
