In my setup I have 2 accounts:

Account A runs CodeCommit + CodePipeline

Account B has an ECS cluster

Most of the steps I did are described in the Create a Pipeline in CodePipeline That Uses Resources guide from AWS.

However, my setup is to deploy to ECS using CodePipeline without using CodeDeploy. So I had to create a CrossAccount role with the following policies.

Policy to access KMS key in account A

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "Allow access to KMS key on Account A",
             "Action": [
                 "kms:Decrypt",
                 "kms:DescribeKey",
                 "kms:Encrypt",
                 "kms:GenerateDataKey",
                 "kms:ReEncrypt"             
             ],             
           "Effect": "Allow",             
           "Resource": "KEYARN"
         }
     ]
 } 

Policy to allow access to S3 bucket in account A:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow access to S3 bucket in Account A",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::your-bucket-name",
                "arn:aws:s3:::your-bucket-name/*"
            ]
        }
    ]
}

Policy to allow access to ECS in account B

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow access to ECS",
            "Effect": "Allow",
            "Action": "ecs:*",
            "Resource": [
                "*"
            ]
        }
    ]
}

Policy to pass the role to ECS:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEqualsIfExists": {
                    "iam:PassedToService": [
                        "ecs-tasks.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

Without these policies I was getting a lot of different errors in CodePipeline like “The provided role does not have sufficient permissions to access ECS” or “The provided role does not have sufficient permissions (to access certain bucket)..


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.