
[Bug]: GitHub integration broken, not allowed to read token #761


niklaswesterstrahleknowit commented Sep 16, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

After 4.0.0 update, our pipelines using GitHub as a source cannot be updated by the pipeline management.

The IAM role used for adf-pipeline-deployment is not allowed to perform secrets manager:GetSecret on /adf/github_token

Expected Behavior

Token is allowed to be read by the role.

Current Behavior

User: arn:aws:sts::xxxxxxxxxxx:assumed-role/adf-pipeline-deployment/AWSCloudFormation is not authorized to perform: secretsmanager:GetSecretValue on resource: /adf/github_token because no identity-based policy allows the secretsmanager:GetSecretValue action (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: 7b6c9d9f-04f3-4575-8e59-5ac66fdfd56ee4e6; Proxy: null)

Steps To Reproduce

Have a pipeline use GitHub as a source with a token stored in Secrets Manager:

```yaml
pipelines:
  - name: pipeline
    default_providers:
      source:
        provider: github
        properties:
          branch: main
          repository: repositoryname
          owner: owner
          oauth_token_path: /adf/github_token
          json_field: token
```

Possible Solution

Add rights to the role to read from secrets manager /adf/ path.

Additional Information/Context

No response

ADF Version

4.0.0

Contributing a fix?

  • Yes, I am working on a fix to resolve this issue
niklaswesterstrahleknowit added the bug label Sep 16, 2024

niklaswesterstrahleknowit commented Sep 16, 2024

This seems to be a continuation of this: after granting the rights, the next thing to fail is the generated pipeline.

CloudFormation fails, as the first stage of a CodePipeline needs to contain source actions only, and the generated CDK wasn't that.

Resource handler returned message: "Pipeline should start with a stage that only contains source actions (Service: CodePipeline, Status Code: 400, Request ID: 6c4626f0-70a0-43f5-bbdc-b8bf1686fdd722f)"


sbkok commented Sep 25, 2024

Hi @niklaswesterstrahleknowit,

With ADF v4.0, support for the GitHub v1 source provider is dropped in favor of CodeConnection (previously named CodeStar connection). AWS CodePipeline guidelines on this change can be found here: https://docs.aws.amazon.com/codepipeline/latest/userguide/update-github-action-connections.html

In the v4.0.0 release notes, the section named "AWS CodeStar Connections OAuth Token support dropped" describes this breaking change.

The v4.0.0 supported source providers are listed at: https://github.com/awslabs/aws-deployment-framework/blob/v4.0.0/docs/providers-guide.md#source
Upgrading the connection should be fairly straightforward; you can find more info here: https://github.com/awslabs/aws-deployment-framework/blob/v4.0.0/docs/admin-guide.md#using-aws-codeconnections-for-bitbucket-github-github-enterprise-or-gitlab
Please let us know if this resolves your issue.

Best regards, Simon
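The deployment map from the issue, migrated to a CodeConnections-backed source as an added example (not from the maintainer's reply or the ADF repository). It assumes the ADF `codestar` source provider type with its `codestar_connection_path` property, which reads the connection ARN from an SSM Parameter Store path; the parameter path `/adf/github_connection_arn` is a placeholder you create yourself.

```yaml
# Added example: the GitHub v1 (OAuth token) source above, rewritten for
# a CodeConnections-backed source. Assumes the ADF "codestar" provider and
# its "codestar_connection_path" property; the SSM parameter path is a
# placeholder. No Secrets Manager token is read by the deployment role.
pipelines:
  - name: pipeline
    default_providers:
      source:
        provider: codestar
        properties:
          # SSM Parameter Store path that holds the connection ARN
          # (arn:aws:codeconnections:<region>:<account>:connection/<id>).
          codestar_connection_path: /adf/github_connection_arn
          repository: repositoryname
          owner: owner
          branch: main
```

A connection created with the CLI or API stays in the PENDING state until the GitHub authorization handshake is completed in the console, so finish that step before deploying the pipeline.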
