CodeCommit cross account deploys with CodePipeline


I'm struggling with a glass of water...

I'm trying to implement cross-account deployments. Currently, I have four accounts: DevOps, Dev, Prod, and QA. All the repositories are on the DevOps account, and each CodeBuild execution deploys a new image on an EKS cluster (in Dev/QA/Prod). Currently, the pipeline is executed inside the VPC of the EKS cluster and has access to the EKS cluster's security group. I'm trying to follow this architecture: https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/use-aws-codecommit-and-aws-codepipeline-to-deploy-a-ci-cd-pipeline-in-multiple-aws-accounts.html, but the pipeline always fails because it can't find the source repository (which is in the DevOps account), since CodePipeline keeps looking in its own account. I tried placing a CodeCommit ARN (it doesn't have any, but...) in the name field, and also a service role directly from the DevOps account. The KMS key on the DevOps account is also configured, and I'm using it on the pipeline.

Sadly, changing to Bitbucket, GitHub, or GitLab is not an option.

Any suggestion?

1 Answer

velaskec (score 3):

There are 3 IAM roles in play in the context of AWS CodePipeline. These IAM roles dictate cross-account deployment:

  1. Pipeline IAM Role https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codepipeline-pipeline.html#cfn-codepipeline-pipeline-rolearn - this role should be able to assume a target account role (below). This means it should have an sts:AssumeRole permission attached.
  2. Target account IAM Role (action declaration role) https://docs.aws.amazon.com/codepipeline/latest/APIReference/API_ActionDeclaration.html (check roleArn). This role should have access to CodeCommit and trust the account where CodePipeline is located.
  3. Some actions (e.g. Deploy) might have a 3rd IAM Role (action configuration role) - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-action-reference.html (check Role name or RoleArn).

Hope this helps.
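The three-role chain described in the answer, written out as an added example (not code from the question, the answer, or AWS): the pipeline role's sts:AssumeRole grant, the DevOps-account role's trust and permissions policies, and the source action declaration whose roleArn is the part that makes CodePipeline look for the repository in the other account. A small checker reproduces the symptom from the question (a source action with no roleArn resolves RepositoryName in the pipeline's own account) and catches the two common misconfigurations in the chain. All account IDs, role names, the bucket, key and repository names are placeholders invented for this example.

```python
"""Added example (not code from the question or the answer): the three IAM
documents behind a cross-account CodeCommit source action, plus a consistency
check. Account IDs, role names, bucket, key and repository names are
placeholders invented for this example."""
import json

DEVOPS_ACCOUNT = "111111111111"    # placeholder: owns the CodeCommit repositories
PIPELINE_ACCOUNT = "222222222222"  # placeholder: runs CodePipeline (Dev, QA or Prod)
REGION = "eu-west-1"               # placeholder
REPO_NAME = "my-app"               # placeholder
ARTIFACT_BUCKET = "dev-pipeline-artifacts"  # placeholder: pipeline's artifact store
KMS_KEY_ARN = (f"arn:aws:kms:{REGION}:{PIPELINE_ACCOUNT}:key/"
               "00000000-0000-0000-0000-000000000000")  # placeholder: artifact store CMK
PIPELINE_ROLE_ARN = f"arn:aws:iam::{PIPELINE_ACCOUNT}:role/CodePipelineServiceRole"
SOURCE_ROLE_ARN = f"arn:aws:iam::{DEVOPS_ACCOUNT}:role/CrossAccountCodeCommitRole"
REPO_ARN = f"arn:aws:codecommit:{REGION}:{DEVOPS_ACCOUNT}:{REPO_NAME}"


def pipeline_role_policy():
    """Role 1, pipeline account: the only extra right the pipeline role needs
    for the source stage is permission to assume the DevOps-account role."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": SOURCE_ROLE_ARN}]}


def source_role_trust_policy():
    """Role 2, DevOps account, trust policy. Trusting the pipeline role ARN
    rather than the whole pipeline account keeps other principals in that
    account out of the repository."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": PIPELINE_ROLE_ARN},
         "Action": "sts:AssumeRole"}]}


def source_role_permissions_policy():
    """Role 2 permissions: read this one repository and drop the source
    artifact into the pipeline account's encrypted artifact bucket."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": REPO_ARN,
         "Action": ["codecommit:GetBranch", "codecommit:GetCommit",
                    "codecommit:GetRepository", "codecommit:UploadArchive",
                    "codecommit:GetUploadArchiveStatus",
                    "codecommit:CancelUploadArchive"]},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:GetBucketVersioning"],
         "Resource": [f"arn:aws:s3:::{ARTIFACT_BUCKET}",
                      f"arn:aws:s3:::{ARTIFACT_BUCKET}/*"]},
        {"Effect": "Allow", "Resource": KMS_KEY_ARN,
         "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*",
                    "kms:ReEncrypt*", "kms:DescribeKey"]}]}


def source_action_declaration():
    """The pipeline's source ActionDeclaration. roleArn is what tells
    CodePipeline to look for the repository in another account."""
    return {"name": "Source",
            "actionTypeId": {"category": "Source", "owner": "AWS",
                             "provider": "CodeCommit", "version": "1"},
            "configuration": {"RepositoryName": REPO_NAME, "BranchName": "main"},
            "outputArtifacts": [{"name": "SourceOutput"}],
            "roleArn": SOURCE_ROLE_ARN}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def check_cross_account_source(pipeline_policy, trust_policy, action):
    """Return the reasons the source action would fail; [] means the role
    chain is consistent. The first check reproduces the symptom from the
    question: with no roleArn, CodePipeline resolves RepositoryName in its
    own account."""
    problems = []
    role = action.get("roleArn")
    repo = action["configuration"]["RepositoryName"]
    if not role:
        return [f"source action has no roleArn: CodePipeline will look for "
                f"repository '{repo}' in its own account {PIPELINE_ACCOUNT}"]
    if role.split(":")[4] != REPO_ARN.split(":")[4]:
        problems.append(f"roleArn {role} is not in the account that owns {repo}")
    assumable = [r for s in pipeline_policy["Statement"] if s["Effect"] == "Allow"
                 and "sts:AssumeRole" in _as_list(s["Action"])
                 for r in _as_list(s["Resource"])]
    if role not in assumable:
        problems.append(f"pipeline role is not allowed to sts:AssumeRole {role}")
    trusted = [p for s in trust_policy["Statement"] if s["Effect"] == "Allow"
               for p in _as_list(s.get("Principal", {}).get("AWS", []))]
    if not {PIPELINE_ROLE_ARN, f"arn:aws:iam::{PIPELINE_ACCOUNT}:root"} & set(trusted):
        problems.append(f"{role} does not trust the pipeline role or its account")
    return problems


if __name__ == "__main__":
    for title, doc in [("pipeline role policy", pipeline_role_policy()),
                       ("source role trust policy", source_role_trust_policy()),
                       ("source role permissions", source_role_permissions_policy()),
                       ("source action", source_action_declaration())]:
        print(f"# {title}\n{json.dumps(doc, indent=2)}\n")
    print("problems:", check_cross_account_source(
        pipeline_role_policy(), source_role_trust_policy(), source_action_declaration()))
```

Two things the example does not generate but that the same setup needs: the artifact bucket's bucket policy and the KMS key's key policy (wherever the key lives) must also grant the DevOps-account role the s3 and kms actions listed in its permissions policy, otherwise the source action can read the repository but cannot write the artifact. Trusting the pipeline role ARN in the trust policy, rather than the account root, is the least-privilege choice; widen it to the account root only if the role name is not known when the trust policy is written.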