I am building a CodePipeline using CloudFormation. The pipeline is deployed to the eu-west-1
region however it must get the source code from the CodeCommit repository that is located in the us-east-1
region.
The pipeline definition looks like this:
CodePipeline:
Type: AWS::CodePipeline::Pipeline
Properties:
Name: !Ref PipelineName
RoleArn: !GetAtt CodePipelineServiceRole.Arn
Stages:
- Name: Source
Actions:
- Name: Source
ActionTypeId:
Category: Source
Owner: AWS
Provider: CodeCommit
Version: 1
OutputArtifacts:
- Name: SourceCodeOutputArtifact
Configuration:
RepositoryName: !Ref MyRepository
BranchName: !Ref DeploymentBranch
RunOrder: 1
Region: us-east-1
The attached role and policy looks like this:
CodePipelineServiceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- sts:AssumeRole
Principal:
Service:
- codepipeline.amazonaws.com
CodePipelineServicePolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: CodePipelineServicePolicy
Roles:
- !Ref CodePipelineServiceRole
PolicyDocument:
Version: 2012-10-17
Statement:
......
- Effect: Allow
Action:
- codecommit:BatchGet*
- codecommit:BatchDescribe*
- codecommit:Get*
- codecommit:Describe*
- codecommit:List*
- codecommit:GitPull
Resource: !Sub "arn:aws:codecommit:us-east-1:${AWS::AccountId}:MyRepository*"
Alas, the code pipeline still don't have access to my repository in the us-east-1
, or it is looking for it in the incorrect region, and as a result I'm getting the following error
The service role or action role doesn’t have the permissions required to access the AWS CodeCommit repository named MyRepository. Update the IAM role permissions, and then try again. Error: User: arn:aws:sts::111111111111:assumed-role/MyPipeline-CodePipelineServiceRole-N996SC3JYINW/1564844186052 is not authorized to perform: codecommit:GetBranch on resource: arn:aws:codecommit:eu-west-1:111111111111:MyRepository
Any help would be greatly appreciated.
Edit: I know that I can replicate the repo to another region but I am wondering is there any way to do what I want to do without replicating the repo to another region?