Question

I am facing issues. Trying to deploy CFN Stack in crossaccount.

I have created roles and import in my code pipeline stack.

But when I am trying to launch and comes to deploystage execution its getting error.

I am using CDK typescript.

const CrossAccountRole = iam.Role.fromRoleArn(this,  ProdCrossAccountRole , `arn:aws:iam::${props.accounts.prodaccount}:role/MyCrossAccountRole`)
 
const prodAccountRootPrincipal = new iam.AccountPrincipal(props.accounts.prodaccount);

const pipeline = new codepipeline.Pipeline(this,  MyCodePipeline , {
      pipelineName:  MyCodePipeline , // Replace with your desired pipeline name
      artifactBucket: mybucket,
      //encryptionKey: key
    });



const CRAccdeployStage = pipeline.addStage({
      stageName: props.codepipeline.crossaccountstage,
      actions: [
        new codepipeline_actions.CloudFormationCreateUpdateStackAction({
          actionName: props.codepipeline.crossaccountaction,
          stackName: props.codepipeline.crossaccountstack,
          templatePath: new codepipeline.ArtifactPath(
            buildOutput,
             CdkServerlessDemoStack.template.json , // Replace with the path to your synthesized CloudFormation template
          ),
          adminPermissions: true,
          runOrder: 1,
          role: CrossAccountRole,
          cfnCapabilities: [cdk.CfnCapabilities.ANONYMOUS_IAM],
          deploymentRole: CrossDeploymentRole,
          
        }),
      ],
    });

ERROR I FACED,

I trust my CICD account and add administrator access policy.

Any One have Idea What I have missed?

Thank You

Answer 1

I have resolved this issue at my end.

Added below policy in my cross deployment role.

new iam.PolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: [
               ssm:GetParameter ,
               ssm:GetParameters ,
               ssm:GetParametersByPath ,
            ],
            resources: [
                          "arn:aws:ssm:xxxx:xxxxxxx:parameter/*",
            ],
          }),

友情链接