IAM approval in codepipeline when assuming role


We have users logging in from our landing account to the CI/CD account, usually with Admin or read-only roles.

We would like to use IAM groups in the CI/CD account so that only the users in specific groups can approve/reject the deployment (but we have NO users in the CI/CD account; we just have the required groups in place). However, since we do not create users in our CI/CD account but only assume roles from our landing account, how do we use the IAM approval in the code pipeline?


BEST ANSWER

Groups are only used with users, so they won't work in this context. You need to assign the permission in a policy on the relevant role:

For example:

Pipeline ARN: arn:aws:codepipeline:eu-west-1:123456789:my-pipeline

Pipeline Stage Name: Prod

Approval Action Name: Approve-Prod

Policy statement (YAML, e.g. in a CloudFormation role definition; the resource is the pipeline ARN followed by the stage and the approval action name):

- Action:
    - codepipeline:PutApprovalResult
  Effect: Allow
  Resource:
    - arn:aws:codepipeline:eu-west-1:123456789:my-pipeline/Prod/Approve-Prod


ANSWER

You can assign the AWSCodePipelineApproverAccess role to the group that can approve:

https://docs.aws.amazon.com/codepipeline/latest/userguide/approvals.html
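To make the assumed-role approach from the best answer concrete, here is an added example of my own (not code from the question or either answer). It builds the two policy documents a dedicated approver role in the CI/CD account needs: a trust policy so principals from the landing account can assume it, and a permissions policy in which codepipeline:PutApprovalResult is scoped to the single approval action from the best answer, unlike the managed AWSCodePipelineApproverAccess policy from the second answer, which allows approvals on every pipeline in the account. A small evaluator then checks that the scoping behaves as claimed. The landing account ID, the pipeline account ID placeholder and the read-only actions in the second statement are assumptions.

```python
"""Least-privilege approver role for the assumed-role setup described in the thread.

Added example, not code from the original question or answers. It builds a trust
policy for the landing account and a permissions policy scoped to one approval
action, then evaluates a few requests against that policy locally.
"""
import json
import re

# Pipeline, stage and approval action from the best answer (the account ID in the
# ARN is the answer's placeholder, kept as-is).
PIPELINE_ARN = "arn:aws:codepipeline:eu-west-1:123456789:my-pipeline"
STAGE = "Prod"
APPROVAL_ACTION = "Approve-Prod"
LANDING_ACCOUNT_ID = "111111111111"  # assumption: the account users sign in to


def approval_action_arn(pipeline_arn: str, stage: str, action: str) -> str:
    """Resource ARN of one manual approval action: <pipeline ARN>/<stage>/<action>."""
    return f"{pipeline_arn}/{stage}/{action}"


def trust_policy(landing_account_id: str) -> dict:
    """Trust policy: principals in the landing account may assume this role.

    Trusting the account root delegates the decision to the landing account's
    own IAM; narrow Principal to specific role ARNs there for a tighter boundary."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{landing_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def approver_policy(pipeline_arn: str, stage: str, action: str) -> dict:
    """Permissions policy for the approver role.

    PutApprovalResult is allowed only on the named approval action, so a holder of
    this role cannot approve other stages or pipelines. The read-only statement is
    an assumption (modelled on the managed approver policy) so the approver can see
    the pipeline they are approving."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ApproveOnlyThisAction",
                "Effect": "Allow",
                "Action": "codepipeline:PutApprovalResult",
                "Resource": approval_action_arn(pipeline_arn, stage, action),
            },
            {
                "Sid": "ReadPipelineState",
                "Effect": "Allow",
                "Action": [
                    "codepipeline:GetPipeline",
                    "codepipeline:GetPipelineState",
                    "codepipeline:GetPipelineExecution",
                ],
                "Resource": pipeline_arn,
            },
        ],
    }


def _iam_glob(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Minimal evaluator for Allow statements (no Deny, no Conditions): enough to
    check that the resource scoping does what the best answer claims."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(_iam_glob(a, action) for a in actions) and any(_iam_glob(r, resource) for r in resources):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(trust_policy(LANDING_ACCOUNT_ID), indent=2))
    pol = approver_policy(PIPELINE_ARN, STAGE, APPROVAL_ACTION)
    print(json.dumps(pol, indent=2))
    # Approving Prod is allowed; approving a hypothetical Staging stage is not.
    print(is_allowed(pol, "codepipeline:PutApprovalResult",
                     approval_action_arn(PIPELINE_ARN, "Prod", "Approve-Prod")))
    print(is_allowed(pol, "codepipeline:PutApprovalResult",
                     approval_action_arn(PIPELINE_ARN, "Staging", "Approve-Staging")))
```

Create the role in the CI/CD account with `aws iam create-role --assume-role-policy-document` using the trust document, and attach the permissions with `aws iam put-role-policy`; users in the landing account then assume that role (rather than an Admin role) to approve. The `is_allowed()` check is only a local approximation of IAM evaluation (Allow statements, no Deny or Conditions); use the IAM policy simulator to confirm the real effective permissions, including anything the landing-account user's session policies add.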