Hello, I am having this error in my code build. I am doing a cross-account strategy: I build and push to my ECR in AccountA.
Note: all my BuildProject and Pipeline resources are in AccountA.
I need help in resolving this, as I would also like to deploy the ECR image to ECS & Fargate in Account B and then Account C after building and storing it in the repo in Account A.
Below is the structure of my ToolingRole
```text
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::730335391382:assumed-role/pacctsmainToolChainRole/AWSCodeBuild-7be7fa1b-8d91-473d-b71a-8d5be79d6fc5 is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action
```
My setup below:
```yaml
CodeBuildProject:
  Type: AWS::CodeBuild::Project
  DeletionPolicy: Delete
  DependsOn: [ToolingRole]
  Properties:
    Name: !Sub 'CodeBuildProject'
    Description: !Sub AWS CodeBuildProject
    ServiceRole: !Ref ToolingRole
    # .................. (remaining properties omitted in the post)

ToolingRole:
  Type: AWS::IAM::Role
  DeletionPolicy: Delete
  DependsOn: [CrossDeploymentRole]
  Properties:
    RoleName: !Sub '${AppID}ToolingRole' #[--${AWS::Region}]
    Description: Creating ToolingRole in IAM for the CodePipeline
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Action: sts:AssumeRole
          Principal:
            Service:
              - codebuild.amazonaws.com
              - codedeploy.amazonaws.com
              - codepipeline.amazonaws.com
              - elasticbeanstalk.amazonaws.com
              - events.amazonaws.com
    Path: /
    Policies:
      - PolicyName: ToolChainWorkerPolicy
        PolicyDocument:
          Statement:
            # Statement: [Allow ToolingRole to perform actions on specified resources]
            - Action:
                - "*"
              Effect: Allow
              Resource:
                - Fn::Sub: arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AppID}/*
                - Fn::Sub: arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/${AppID}*
                - Fn::Sub: arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${RepositoryName}
                - Fn::Sub: arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${CodePipelineName}
                - Fn::Sub: arn:${AWS::Partition}:s3:::${CodePipelineS3Bucket}
                - Fn::Sub: arn:${AWS::Partition}:s3:::${CodePipelineS3Bucket}/*
            # Statement: [Allow ToolChainRole to assume CrossDeploymentRole]
            - Effect: Allow
              Action: sts:AssumeRole
              Resource: !GetAtt CrossDeploymentRole.Arn
            # Statement: []
            - Effect: Allow
              Resource:
                - !GetAtt CodeCommitRepo.Arn #CodeCommit Repo
                - !GetAtt CrossDeploymentRole.Arn
              Action: ["iam:PassRole"]
            # Statement: [Allow ToolChainRole to perform CloudTrail and CloudWatch Logs actions.]
            - Effect: Allow
              Resource: "*"
              Action:
                - cloudtrail:CreateTrail
                - cloudtrail:StartLogging
                - logs:CreateLogGroup
                - logs:CreateLogStream
                - logs:DescribeLogGroups
                - logs:PutLogEvents

CrossDeploymentRole:
  Type: AWS::IAM::Role
  DeletionPolicy: Delete
  Properties:
    RoleName: !Sub 'CrossDeploymentRole'
    Description: '...'
    AssumeRolePolicyDocument:
      Statement:
        # Statement: [Allows only the following services to assume the IAM role.]
        - Action: sts:AssumeRole
          Effect: Allow
          Principal:
            Service: [cloudformation.amazonaws.com, codepipeline.amazonaws.com, codebuild.amazonaws.com]
    Path: /
    # Note: (Policies property must be of type List)
    Policies:
      - PolicyName: !Sub 'CrossDeploymentRolePolicy'
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            # Statement: []
            - Effect: Allow
              Action: sts:AssumeRole
              Resource:
                - !Sub arn:aws:iam::${AccountA}:role/DeploymentRole
                - !Sub arn:aws:iam::${AccountB}:role/DeploymentRole
                - !Sub arn:aws:iam::${AccountC}:role/DeploymentRole
```
Note: the same DeploymentRole is used for AccountA, AccountB and AccountC.
```yaml
DeploymentRole:
  Type: AWS::IAM::Role
  DeletionPolicy: Delete
  Properties:
    RoleName: !Sub 'DeploymentRole'
    AssumeRolePolicyDocument:
      Statement:
        - Action: sts:AssumeRole
          Effect: Allow
          Principal:
            Service: [cloudformation.amazonaws.com, codepipeline.amazonaws.com, codebuild.amazonaws.com]
            # Fn::Sub only substitutes ${...}; the original "$CrossDeploymentRole" would have
            # stayed literal and produced an invalid role ARN, so the role name is spelled out.
            AWS: !Sub "arn:aws:iam::${AccountA}:role/CrossDeploymentRole"
    Path: /
    Policies:
      - PolicyName: !Sub 'DeploymentRolePolicy'
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Sid: ECRActions
              Resource: '*'
              Action: ['ecr:*']
```
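The denial in the error message follows directly from how IAM evaluates the ToolingRole's inline policy: the build runs as the ToolingRole (not as the DeploymentRole, whose `ecr:*` grant is never reached unless that role is assumed), the `"*"` action statement is bound to CloudFormation, CodeBuild, CodeCommit, CodePipeline and S3 ARNs that no ECR request can match, and the only `Resource: "*"` statement lists no `ecr:` actions. The Python below is an added example, not code from the post or from AWS: a small model of IAM policy evaluation (explicit Deny wins, otherwise any matching Allow grants, otherwise implicit deny; conditions, SCPs and permission boundaries are not modelled) run against an abridged copy of the posted ToolingRole policy, then against the same policy with a least-privilege ECR push grant appended. It also models the pull side for Account B, where cross-account access needs an Allow in both the caller's identity policy and the repository policy. All account ids, role names, repository names and ARNs are constructed placeholders.

```python
import re

# Constructed placeholders (not from the post): accounts, names and ARNs.
ACCOUNT_A, ACCOUNT_B, REGION, APP_ID = "111111111111", "222222222222", "us-east-1", "myapp"
REPO_ARN = f"arn:aws:ecr:{REGION}:{ACCOUNT_A}:repository/{APP_ID}-web"
TASK_EXEC_ROLE_B = f"arn:aws:iam::{ACCOUNT_B}:role/ecsTaskExecutionRole"  # pulls in Account B

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _statement_matches(stmt, action, resource, principal=None):
    # Action names are case-insensitive in IAM; resource ARNs are not.
    if not any(_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
        return False
    # Repository (resource) policies omit Resource: the repository itself is implicit.
    if not any(_match(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    if principal is not None:  # only resource policies carry a Principal element
        block = stmt.get("Principal", {})
        allowed = _as_list(block.get("AWS", [])) if isinstance(block, dict) else _as_list(block)
        if not any(_match(p, principal) for p in allowed):
            return False
    return True

def evaluate(policy, action, resource, principal=None):
    """True if the policy allows the request: an explicit Deny wins over any Allow,
    and no matching statement at all is an implicit deny (the error in the post)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, resource, principal):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# The ToolingRole inline policy from the post (abridged, Fn::Sub resolved to
# placeholders). Its "*" action is bound to specific ARNs that no ECR request
# can match, and its only Resource "*" statement lists no ecr: actions.
TOOLING_POLICY_AS_POSTED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["*"], "Resource": [
        f"arn:aws:cloudformation:{REGION}:{ACCOUNT_A}:stack/{APP_ID}/*",
        f"arn:aws:codebuild:{REGION}:{ACCOUNT_A}:project/{APP_ID}*",
        f"arn:aws:s3:::{APP_ID}-artifacts", f"arn:aws:s3:::{APP_ID}-artifacts/*"]},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": f"arn:aws:iam::{ACCOUNT_A}:role/CrossDeploymentRole"},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]},
]}

# Least-privilege ECR push grant to add to the ToolingRole. GetAuthorizationToken
# supports no resource-level permissions, so it is allowed on "*"; the push
# actions are scoped to the single repository the build writes to.
ECR_PUSH_STATEMENTS = [
    {"Sid": "EcrLogin", "Effect": "Allow",
     "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    {"Sid": "EcrPushOneRepo", "Effect": "Allow", "Resource": REPO_ARN,
     "Action": ["ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage",
                "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]},
]

def with_ecr_push(policy):
    """Return a copy of the policy with the ECR push statements appended."""
    return {"Version": policy["Version"], "Statement": policy["Statement"] + ECR_PUSH_STATEMENTS}

# Pull side. The repository policy on the repo in Account A names Account B's task
# execution role; that role's own identity policy in Account B must allow the same
# actions. Account C needs its own principal added to the repository policy.
REPO_POLICY_A = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowPullFromAccountB", "Effect": "Allow", "Principal": {"AWS": TASK_EXEC_ROLE_B},
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"]}]}
TASK_EXEC_POLICY_B = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": ["ecr:GetAuthorizationToken", "ecr:BatchGetImage",
     "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"]}]}

def cross_account_allowed(identity_policy, repo_policy, principal_arn, action):
    """Cross-account ECR access needs an Allow on both sides: the caller's identity
    policy in its own account and the repository policy in the owning account."""
    return (evaluate(identity_policy, action, REPO_ARN)
            and evaluate(repo_policy, action, REPO_ARN, principal=principal_arn))

if __name__ == "__main__":
    fixed = with_ecr_push(TOOLING_POLICY_AS_POSTED)
    checks = [("posted role, ecr:GetAuthorizationToken",
               evaluate(TOOLING_POLICY_AS_POSTED, "ecr:GetAuthorizationToken", "*")),
              ("fixed role, ecr:GetAuthorizationToken", evaluate(fixed, "ecr:GetAuthorizationToken", "*")),
              ("Account B pull", cross_account_allowed(TASK_EXEC_POLICY_B, REPO_POLICY_A,
                                                       TASK_EXEC_ROLE_B, "ecr:BatchGetImage"))]
    for label, ok in checks:
        print(f"{label}: {'allowed' if ok else 'denied'}")
```

Running it shows the posted role denied for `ecr:GetAuthorizationToken`, the fixed role allowed, and the Account B pull allowed only because both policies agree. The same `ECR_PUSH_STATEMENTS` content, written as a YAML statement under `ToolChainWorkerPolicy`, is the CloudFormation change the error is asking for; granting `ecr:*` on `*` to the ToolingRole would also clear the error but lets the build role delete or overwrite any repository in the account.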
Hello, I did; I even gave all the permissions for ECR.
From the ECR resource policy or from the IAM policy?
From the IAM policy.