I have two AWS accounts - A and B.
Account A has a CodeArtifact repository set up. In account A I have created a role with TrustRelationship to account B. I have attached policies with codeartifact:* and sts:GetServiceBearerToken to this role's Permissions.
Account B has a CodePipeline with CodeBuild. CodeBuild is using its own Build role. Within the buildspec of the source built in the CodeBuild in account B, I am trying to:
aws codeartifact login --tool npm --repository accountA-repository --domain accountA
This of course won't work because:
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::xxx:assumed-role/accountB-CodeBuildServiceRol/AWSCodeBuild-xxx is not authorized to perform: codeartifact:GetAuthorizationToken on resource: arn:aws:codeartifact:us-x::domain/accountA
I tried to assume in buildspec.yaml in the CodeBuild on account B but no luck there. Is there a way to assume role by Code Build role? Or is there a better way to give permission to CodeBuild? Tried searching but no luck finding this scenario. All samples seem to use the same account.
How do you allow CodeBuild from account B to interact with CodeArtifact from account A?
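
One way to do the cross-account login from the build, as an added example that is not part of the original post: assume the account A role first, then run the login with `--domain-owner` set to account A. It assumes the CodeBuild service role in account B is allowed `sts:AssumeRole` on that role; the role ARN, the account A id and the session name `codebuild-codeartifact` are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original post. The role ARN and the 12-digit
# account A id are passed as arguments (placeholders, supply your own).
# Assumed prerequisite: the CodeBuild service role in account B is allowed
# sts:AssumeRole on the account A role.

# login_npm_cross_account <role-arn> <domain> <domain-owner-id> <repository>
# The ( ) body runs in a subshell, so the temporary credentials never replace
# the build role's own credentials for the rest of the build.
login_npm_cross_account() (
  creds=$(aws sts assume-role \
    --role-arn "$1" \
    --role-session-name codebuild-codeartifact \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text) || exit 1

  # --output text prints the three values tab-separated on one line;
  # cut -s yields an empty string when a field is missing.
  AWS_ACCESS_KEY_ID=$(printf '%s\n' "$creds" | cut -s -f1)
  AWS_SECRET_ACCESS_KEY=$(printf '%s\n' "$creds" | cut -s -f2)
  AWS_SESSION_TOKEN=$(printf '%s\n' "$creds" | cut -s -f3)
  if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ] ||
     [ -z "$AWS_SESSION_TOKEN" ]; then
    echo "assume-role returned incomplete credentials" >&2
    exit 1
  fi
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

  # --domain-owner names the account that owns the domain (account A);
  # without it the CLI looks for the domain in the caller's own account.
  aws codeartifact login --tool npm \
    --repository "$4" --domain "$2" --domain-owner "$3"
)

# Run as: ./login.sh <role-arn> accountA <account-A-id> accountA-repository
if [ "$#" -eq 4 ]; then
  login_npm_cross_account "$@"
fi
```

The login writes the registry token to the npm configuration, so later `npm` commands in the build work without the assumed-role credentials.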