I am trying to create a pipeline in one AWS account (AccountB) while my CodeCommit repo resides in another AWS account (AccountA). I followed exactly the steps from these links:

https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html https://cloudfornoobs.com/aws-codepipeline-with-cross-account-codecommit-repo/

However, after executing the pipeline, the build always fails. My pipeline.json is as below:

PS: I want to use CodeCommit and CodeBuild only; I am not using CodeDeploy.

{
    "pipeline": {
        "name": "newpipeline",
        "roleArn": "arn:aws:iam::AccountB:role/AccountBRole",
        "artifactStore": {
            "type": "S3",
            "location": "BucketForArtifactsFromAccountB",
            "encryptionKey": {
                "id": "AccountB_KMS",
                "type": "KMS"
            }
        },
        "stages": [
            {
                "name": "Source",
                "actions": [
                    {
                        "name": "Source1",
                        "actionTypeId": {
                            "category": "Source",
                            "owner": "AWS",
                            "provider": "CodeCommit",
                            "version": "1"
                        },
                        "runOrder": 1,
                        "configuration": {
                            "BranchName": "dev",
                            "PollForSourceChanges": "false",
                            "RepositoryName": "backend"
                        },
                        "outputArtifacts": [
                            {
                                "name": "Source1"
                            }
                        ],
                        "inputArtifacts": [],
                        "roleArn": "arn:aws:iam::AccountA:role/AccountARole"
                    }
                ]
            },
            {
                "name": "Build",
                "actions": [
                    {
                        "name": "Build",
                        "actionTypeId": {
                            "category": "Build",
                            "owner": "AWS",
                            "provider": "CodeBuild",
                            "version": "1"
                        },
                        "runOrder": 1,
                        "configuration": {
                            "EnvironmentVariables": "[{\"name\":\"STAGE_NAME\",\"value\":\"dev\",\"type\":\"PLAINTEXT\"}]",
                            "PrimarySource": "Source1",
                            "ProjectName": "backend"
                        },
                        "inputArtifacts": [
                            {
                                "name": "Source1"
                            }
                        ],
                        "outputArtifacts": [
                            {
                                "name": "BuildArtifact"
                            }
                        ],
                        "roleArn": "arn:aws:iam::AccountA:role/AccountARole"
                    }
                ]
            }
        ],
        "version": 19
    }
}
shariqmaws: The Source action looks good, and "arn:aws:iam::AccountA:role/AccountARole" should be assumable by CodePipeline and have permissions to access the CodeCommit repo. Please paste the error you are facing (or a screenshot) to help understand the issue.

kru: @shariqmaws The thing now is, when I push the code from Account A, it simply does not run the pipeline in Account B. It does not give me an error after I resolved the failed build issue, but now it does not trigger the pipeline.
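As an added check, not part of the question, the comments or the linked guides: a small Python linter run over a constructed copy of the posted definition. It uses placeholder 12-digit account IDs (111111111111 for AccountA, 222222222222 for AccountB), because the post's "AccountA"/"AccountB" placeholders are not ARN-shaped. The checks encode what the linked cross-account guide requires (a customer-managed KMS key on the artifact store, a source-action roleArn that lives in the repository account) plus two defects that are easy to miss in a hand-edited definition: a repeated key, which json.loads silently collapses to the last value, and a CodeBuild action with no inputArtifacts even though PrimarySource names one.

```python
"""Lint a CodePipeline definition for cross-account mistakes that create-pipeline
may accept but that make actions fail at run time."""
import json
import re
from collections import Counter

ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/.+$")

PIPELINE_ACCOUNT = "222222222222"  # constructed placeholder for AccountB
SOURCE_ACCOUNT = "111111111111"    # constructed placeholder for AccountA

# Constructed sample mirroring the shape of the posted definition: the Build
# action repeats "runOrder" and has no inputArtifacts.
SAMPLE_JSON = """{
  "pipeline": {
    "name": "newpipeline",
    "roleArn": "arn:aws:iam::222222222222:role/AccountBRole",
    "artifactStore": {"type": "S3", "location": "BucketForArtifactsFromAccountB",
                      "encryptionKey": {"id": "alias/pipeline-key", "type": "KMS"}},
    "stages": [
      {"name": "Source", "actions": [{
        "name": "Source1",
        "actionTypeId": {"category": "Source", "owner": "AWS", "provider": "CodeCommit", "version": "1"},
        "runOrder": 1,
        "configuration": {"BranchName": "dev", "PollForSourceChanges": "false", "RepositoryName": "backend"},
        "outputArtifacts": [{"name": "Source1"}],
        "inputArtifacts": [],
        "roleArn": "arn:aws:iam::111111111111:role/AccountARole"}]},
      {"name": "Build", "actions": [{
        "name": "Build",
        "actionTypeId": {"category": "Build", "owner": "AWS", "provider": "CodeBuild", "version": "1"},
        "runOrder": 1,
        "configuration": {"PrimarySource": "Source1", "ProjectName": "backend"},
        "outputArtifacts": [{"name": "BuildArtifact"}],
        "runOrder": 1,
        "roleArn": "arn:aws:iam::111111111111:role/AccountARole"}]}
    ],
    "version": 19
  }
}"""


def has_duplicate_keys(text):
    """True if any JSON object in `text` repeats a key (json.loads keeps the last one)."""
    found = []

    def hook(pairs):
        counts = Counter(key for key, _ in pairs)
        found.extend(k for k, n in counts.items() if n > 1)
        return dict(pairs)

    json.loads(text, object_pairs_hook=hook)
    return bool(found)


def lint_pipeline(pipeline, pipeline_account, source_account):
    """Return a list of findings; an empty list means nothing was detected."""
    findings = []
    key = pipeline.get("artifactStore", {}).get("encryptionKey") or {}
    if key.get("type") != "KMS" or not key.get("id"):
        findings.append("artifactStore: cross-account access to the artifact bucket "
                        "requires a customer-managed KMS key (encryptionKey.type = KMS)")
    for stage in pipeline.get("stages", []):
        for action in stage.get("actions", []):
            where = f"{stage['name']}/{action['name']}"
            provider = action["actionTypeId"]["provider"]
            role = action.get("roleArn")
            acct = None
            if role:
                m = ROLE_ARN.match(role)
                acct = m.group(1) if m else None
                if acct not in (pipeline_account, source_account):
                    findings.append(f"{where}: roleArn {role} is in neither the pipeline "
                                    f"account nor the source account")
            if provider == "CodeCommit" and acct != source_account:
                findings.append(f"{where}: a cross-account CodeCommit source needs a "
                                f"roleArn in the repository account {source_account}")
            if provider == "CodeBuild":
                inputs = [a["name"] for a in action.get("inputArtifacts", [])]
                primary = action.get("configuration", {}).get("PrimarySource")
                if not inputs:
                    findings.append(f"{where}: CodeBuild action has no inputArtifacts")
                elif primary and primary not in inputs:
                    findings.append(f"{where}: PrimarySource {primary!r} is not one of "
                                    f"its inputArtifacts {inputs}")
    return findings


def lint_sample(fix_build_inputs=False, drop_kms=False):
    """Lint the constructed sample, optionally after fixing or breaking it."""
    pipeline = json.loads(SAMPLE_JSON)["pipeline"]
    if fix_build_inputs:
        pipeline["stages"][1]["actions"][0]["inputArtifacts"] = [{"name": "Source1"}]
    if drop_kms:
        del pipeline["artifactStore"]["encryptionKey"]
    return lint_pipeline(pipeline, PIPELINE_ACCOUNT, SOURCE_ACCOUNT)


if __name__ == "__main__":
    print("duplicate keys:", has_duplicate_keys(SAMPLE_JSON))
    for finding in lint_sample():
        print("-", finding)
```

The linter deliberately says nothing about which account the Build action's roleArn should be in: that depends on where the CodeBuild project "backend" lives, which the post does not state.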

1 Answer

When the CodeCommit repository is in a different account, the default CloudWatch Events rule that triggers the pipeline to start will not work across accounts. This glue is provided by the event bus feature of CloudWatch Events, which can put an event from Account A into Account B.

Steps

Create a CloudWatch Events rule in Account A which forwards the event to the default event bus of Account B (where the pipeline exists):

CloudWatch > Rules > Create rule > Service Name: CodeCommit, Event Type: CodeCommit Repository State Change

The event pattern would look something like the following:

{
  "source": [
    "aws.codecommit"
  ],
  "detail-type": [
    "CodeCommit Repository State Change"
  ],
  "resources": [
    "arn:aws:codecommit:us-east-1:AccountAid:RepoName"
  ]
}

(the resource is Account A's CodeCommit repository ARN)

Select the target to point to the default event bus of another account:

Targets > Select target > Event bus in another AWS account > enter the account ID (the ID of the pipeline account, Account B)

Select or create a new role that has permission to send events to another account. I have attached the CloudWatchEventsFullAccess policy to it.

In Account B (where CodePipeline exists)

Allow the default event bus to receive events from Account A:

CloudWatch > Event Buses > Permissions > Add permission > AWS Account > enter Account A's ID

Create a new rule that will trigger the pipeline once the event is received:

CloudWatch > Rules > Create rule > Service Name: CodeCommit, Event Type: CodeCommit Repository State Change; enter the ARN of Account A's CodePipeline.

The event pattern would be the same as before:

{
  "source": [
    "aws.codecommit"
  ],
  "detail-type": [
    "CodeCommit Repository State Change"
  ],
  "resources": [
    "arn:aws:codecommit:us-east-1:AccountAid:RepoName"
  ]
}

(the resource is again Account A's CodeCommit repository ARN)
Create a target with the pipeline ARN. You can use an existing role or create a new one; this role just needs permission to start the pipeline.

At this point we have completed the creation of the CloudWatch Events rules. Test a commit and verify the pipeline is triggered.
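The same wiring as the answer's console steps, as an added Python/boto3 example that is not part of the answer. It assumes constructed account IDs (111111111111 for Account A, 222222222222 for Account B), the repository and pipeline names from the question ("backend", "newpipeline"), us-east-1, and two IAM roles created beforehand with the trust and permission policies the builder functions return (the role names "events-forwarder" and "pipeline-starter" and the profile names "account-a"/"account-b" are placeholders). It goes one step beyond the answer in two places: the forwarding role gets only events:PutEvents on the one target bus instead of CloudWatchEventsFullAccess, and the pattern can be narrowed to the branch the pipeline actually builds. The matches() function implements the exact-match subset of the event-pattern rules so you can check offline which commits would and would not cross accounts.

```python
"""Cross-account trigger for a pipeline whose CodeCommit repository lives in
another account. Account A (source) forwards "CodeCommit Repository State
Change" events to Account B's default event bus; Account B lets Account A
PutEvents on that bus and runs a rule whose target is the pipeline.
The builders are pure and testable; the two wire_* functions make the API
calls against a boto3 "events" client for the respective account."""
import json

REGION = "us-east-1"
SOURCE_ACCOUNT = "111111111111"    # constructed placeholder for Account A
PIPELINE_ACCOUNT = "222222222222"  # constructed placeholder for Account B
REPO_ARN = f"arn:aws:codecommit:{REGION}:{SOURCE_ACCOUNT}:backend"
PIPELINE_ARN = f"arn:aws:codepipeline:{REGION}:{PIPELINE_ACCOUNT}:newpipeline"


def default_bus_arn(account, region=REGION):
    return f"arn:aws:events:{region}:{account}:event-bus/default"


def codecommit_pattern(repo_arn, branch=None):
    """The answer's pattern; with `branch` it only matches pushes to that
    branch, so pushes the pipeline would ignore never cross accounts."""
    pattern = {
        "source": ["aws.codecommit"],
        "detail-type": ["CodeCommit Repository State Change"],
        "resources": [repo_arn],
    }
    if branch:
        pattern["detail"] = {
            "event": ["referenceCreated", "referenceUpdated"],
            "referenceType": ["branch"],
            "referenceName": [branch],
        }
    return pattern


def matches(pattern, event):
    """Exact-match subset of EventBridge pattern semantics: every pattern key
    must exist in the event and hold one of the listed values (any element
    for list-valued event fields), recursing into nested objects."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches(allowed, event[key]):
                return False
        else:
            values = event[key] if isinstance(event[key], list) else [event[key]]
            if not any(v in allowed for v in values):
                return False
    return True


def trust_policy_for_events():
    """Trust policy for both roles: assumable by CloudWatch Events only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "events.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def forwarder_policy(target_bus_arn):
    """Account A role: PutEvents on exactly one bus in Account B, instead of
    the CloudWatchEventsFullAccess managed policy."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "events:PutEvents", "Resource": target_bus_arn}]}


def starter_policy(pipeline_arn):
    """Account B role: may start exactly this pipeline."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "codepipeline:StartPipelineExecution",
        "Resource": pipeline_arn}]}


def wire_source_account(events, forwarder_role_arn, branch="dev"):
    """Account A: rule plus a target that is Account B's default event bus."""
    rule = "forward-backend-commits-to-pipeline-account"
    events.put_rule(Name=rule, State="ENABLED",
                    EventPattern=json.dumps(codecommit_pattern(REPO_ARN, branch)))
    events.put_targets(Rule=rule, Targets=[{
        "Id": "pipeline-account-default-bus",
        "Arn": default_bus_arn(PIPELINE_ACCOUNT), "RoleArn": forwarder_role_arn}])


def wire_pipeline_account(events, starter_role_arn, branch="dev"):
    """Account B: bus permission for Account A, then a rule targeting the pipeline."""
    events.put_permission(Action="events:PutEvents", Principal=SOURCE_ACCOUNT,
                          StatementId=f"allow-putevents-from-{SOURCE_ACCOUNT}")
    rule = "start-newpipeline-on-backend-commit"
    events.put_rule(Name=rule, State="ENABLED",
                    EventPattern=json.dumps(codecommit_pattern(REPO_ARN, branch)))
    events.put_targets(Rule=rule, Targets=[{
        "Id": "newpipeline", "Arn": PIPELINE_ARN, "RoleArn": starter_role_arn}])


# Constructed sample event shaped like a CodeCommit push notification.
SAMPLE_EVENT = {
    "source": "aws.codecommit",
    "detail-type": "CodeCommit Repository State Change",
    "resources": [REPO_ARN],
    "detail": {"event": "referenceUpdated", "referenceType": "branch",
               "referenceName": "dev", "repositoryName": "backend"},
}

if __name__ == "__main__":
    import boto3  # assumption: profiles account-a / account-b hold each account's credentials
    wire_source_account(boto3.Session(profile_name="account-a", region_name=REGION).client("events"),
                        f"arn:aws:iam::{SOURCE_ACCOUNT}:role/events-forwarder")
    wire_pipeline_account(boto3.Session(profile_name="account-b", region_name=REGION).client("events"),
                          f"arn:aws:iam::{PIPELINE_ACCOUNT}:role/pipeline-starter")
```

If the pipeline still does not start after a push, the first things to compare are the two rules' patterns and the "resources" ARN: the event keeps Account A's repository ARN when it arrives on Account B's bus, so the rule in Account B must match that ARN, not a resource in Account B.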