1
votes

I have two AWS accounts - A and B.

Account A has a CodeArtifact repository set up. In account A I have created a role with TrustRelationship to account B. I have attached policies with codeartifact:* and sts:GetServiceBearerToken to this role's Permissions.

Account B has a CodePipeline with Codebuild. Codebuild is using its own Build role. Within the buildspec of the source built in the Codebuild in account B, I am trying to:

aws codeartifact login --tool npm --repository accountA-repository --domain accountA

This of course won't work because:

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::xxx:assumed-role/accountB-CodeBuildServiceRol/AWSCodeBuild-xxx is not authorized to perform: codeartifact:GetAuthorizationToken on resource: arn:aws:codeartifact:us-x::domain/accountA

I tried to assume the role in buildspec.yaml in the CodeBuild on account B but had no luck there. Is there a way to assume a role with the CodeBuild role? Or is there a better way to give permission to CodeBuild? I tried searching but had no luck finding this scenario. All samples seem to use the same account.

How do you allow CodeBuild from account B to interact with CodeArtifact from account A?


2 Answers

0
votes

According to the CodeBuild documentation, the CodeBuild role can be assigned cross-account permissions:

https://docs.aws.amazon.com/codebuild/latest/userguide/auth-and-access-control.html

Cross-account access – You can use an IAM role in your account to grant another AWS account permissions to access your account’s resources. For an example, see Tutorial: Delegate Access Across AWS Accounts Using IAM Roles in the IAM User Guide.

I suggest checking the configuration of your CodeBuild ACL again.

0
votes

For anyone struggling to find an answer to this question: assuming the role inside the buildspec.yaml worked, but it was not as straightforward. This is what I did before calling npm install:

  # -p so the step does not fail when ~/.aws already exists in the build image
  - mkdir -p ~/.aws && touch ~/.aws/config
  - echo "[profile buildprofile]" > ~/.aws/config
  - echo "role_arn = $CODE_ARTIFACT_ROLE_ARN" >> ~/.aws/config
  # CodeBuild exposes its role credentials through the container credential endpoint
  - echo "credential_source = EcsContainer" >> ~/.aws/config
  - aws codeartifact login --tool npm --repository accountArepo --domain accountA --domain-owner xxxx --profile buildprofile

I passed the CODE_ARTIFACT_ROLE_ARN environment variable from the CloudFormation AWS::CodeBuild::Project resource. I am sure you can configure it in the console as well.

This answer was massively useful
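The following is an added example, not code from the question or either answer: POSIX sh helpers that a buildspec in account B can source to do the same thing as the answer above in a safer form. The profile is written idempotently (re-running the build step does not duplicate the stanza), the profile is checked before use because a stanza without role_arn assumes nothing and the login then runs as the CodeBuild role itself, reproducing the AccessDeniedException from the question, and the role session name carries the build number so the assumption can be traced in account A's CloudTrail. The profile name buildprofile, the account ID 111111111111, the role name and the CODEARTIFACT_DOMAIN, CODEARTIFACT_DOMAIN_OWNER and CODEARTIFACT_REPOSITORY environment variables are assumed placeholders; CODE_ARTIFACT_ROLE_ARN is the variable from the answer above, and CODEBUILD_BUILD_ID and CODEBUILD_BUILD_NUMBER are variables CodeBuild sets.

```shell
#!/bin/sh
# Added example, not from the original question or answers. Helpers for a
# buildspec in account B that must reach a CodeArtifact repository in account A
# by assuming a role there. All ARNs, account IDs and variable names other than
# CODE_ARTIFACT_ROLE_ARN, CODEBUILD_BUILD_ID and CODEBUILD_BUILD_NUMBER are
# placeholders (assumptions).

# write_assume_role_profile PROFILE ROLE_ARN [CONFIG_FILE]
# Appends a named profile that makes the CLI call sts:AssumeRole on ROLE_ARN,
# taking the caller's credentials from the CodeBuild container credential
# endpoint (credential_source = EcsContainer). A second call with the same
# profile name is a no-op, so the step is safe to re-run.
write_assume_role_profile() {
    profile=$1
    role_arn=$2
    config=${3:-${AWS_CONFIG_FILE:-$HOME/.aws/config}}

    mkdir -p "$(dirname "$config")"
    touch "$config"
    if grep -qxF "[profile $profile]" "$config"; then
        return 0
    fi
    # The session name shows up as the assumed-role principal in account A's
    # CloudTrail, so tie it to the build number (session names allow [\w+=,.@-]).
    printf '\n[profile %s]\nrole_arn = %s\ncredential_source = EcsContainer\nrole_session_name = codebuild-%s\n' \
        "$profile" "$role_arn" "${CODEBUILD_BUILD_NUMBER:-local}" >> "$config"
}

# profile_value CONFIG_FILE PROFILE KEY
# Prints the value of KEY inside [profile PROFILE], or nothing if it is missing.
# Pre-flight check: a profile without role_arn does not assume anything, so the
# login would run as the CodeBuild role and fail with the same AccessDenied.
profile_value() {
    awk -v section="[profile $2]" -v key="$3" '
        $0 == section { in_section = 1; next }
        /^\[/ { in_section = 0 }
        in_section && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# codeartifact_login PROFILE DOMAIN DOMAIN_OWNER REPOSITORY
# Logs npm in against account A's repository through the assume-role profile.
# --domain-owner is mandatory because the domain belongs to another account.
codeartifact_login() {
    aws codeartifact login --tool npm --profile "$1" \
        --domain "$2" --domain-owner "$3" --repository "$4"
}

# Stand-alone demo against a temporary config file; nothing touches ~/.aws.
demo_role="arn:aws:iam::111111111111:role/CodeArtifactReaderForAccountB"   # placeholder
demo_config=$(mktemp -d)/config
write_assume_role_profile buildprofile "$demo_role" "$demo_config"
write_assume_role_profile buildprofile "$demo_role" "$demo_config"   # idempotent: one stanza
[ "$(profile_value "$demo_config" buildprofile role_arn)" = "$demo_role" ] \
    || { echo "profile check failed" >&2; exit 1; }

# Inside a real build (CODEBUILD_BUILD_ID is set by CodeBuild) write the profile
# to the default config file and log in; the variable names are assumptions.
if [ -n "${CODEBUILD_BUILD_ID:-}" ] && command -v aws >/dev/null 2>&1; then
    write_assume_role_profile buildprofile "$CODE_ARTIFACT_ROLE_ARN"
    [ -n "$(profile_value "${AWS_CONFIG_FILE:-$HOME/.aws/config}" buildprofile role_arn)" ] \
        || { echo "role_arn missing from buildprofile" >&2; exit 1; }
    codeartifact_login buildprofile "$CODEARTIFACT_DOMAIN" "$CODEARTIFACT_DOMAIN_OWNER" "$CODEARTIFACT_REPOSITORY"
fi
```

The profile only works if both sides of the cross-account assumption are in place. In account A the role's trust policy must name the account B CodeBuild service role (or account B) as a principal allowed to call sts:AssumeRole, and because this is cross-account the CodeBuild service role in account B also needs an identity-based statement allowing sts:AssumeRole on the account A role's ARN. The permissions attached to the account A role can be much narrower than the codeartifact:* in the question: `aws codeartifact login` calls codeartifact:GetAuthorizationToken and codeartifact:GetRepositoryEndpoint, the subsequent npm install needs codeartifact:ReadFromRepository on the repository, and sts:GetServiceBearerToken should be conditioned on sts:AWSServiceName being codeartifact.amazonaws.com.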