Is there an existing issue for this?

Describe the bug
After the 4.0.0 update, our pipelines using GitHub as a source cannot be updated by the pipeline management.
The IAM role used for adf-pipeline-deployment is not allowed to perform secretsmanager:GetSecretValue on /adf/github_token.

Expected Behavior
The token is allowed to be read by the role.

Current Behavior
User: arn:aws:sts::xxxxxxxxxxx:assumed-role/adf-pipeline-deployment/AWSCloudFormation is not authorized to perform: secretsmanager:GetSecretValue on resource: /adf/github_token because no identity-based policy allows the secretsmanager:GetSecretValue action (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: 7b6c9d9f-04f3-4575-8e59-5ac66fdfd56ee4e6; Proxy: null)

Steps To Reproduce
Have a pipeline use GitHub as a source with a token stored in Secrets Manager:

```yaml
pipelines:
  default_providers:
    source:
      provider: github
      properties:
        branch: main
        repository: repositoryname
        owner: owner
        oauth_token_path: /adf/github_token
        json_field: token
```

Possible Solution
Add rights to the role to read from the Secrets Manager /adf/ path.

Additional Information/Context
No response

ADF Version
4.0.0

Contributing a fix?

Seems a continuation to this: after giving the rights, the next thing to fail is the generated pipeline.
CloudFormation fails because the first stage of a CodePipeline needs to contain only source actions, and the generated CDK wasn't that.
Resource handler returned message: "Pipeline should start with a stage that only contains source actions (Service: CodePipeline, Status Code: 400, Request ID: 6c4626f0-70a0-43f5-bbdc-b8bf1686fdd722f)"
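The two failures on this page can both be checked offline before anything is deployed. The script below is an added example written for this page; it is not ADF project code and does not reproduce how ADF grants permissions. It builds the least-privilege identity policy the "Possible Solution" asks for (secretsmanager:GetSecretValue on secrets under the /adf/ name prefix only) and evaluates it with IAM's Action/Resource wildcard rules, and it reproduces the CodePipeline rule quoted in the follow-up comment (the first stage may contain only Source actions). The account ID, region, the -AbCdEf secret suffix, and the two pipeline declarations are constructed sample values.

```python
"""Added example, not ADF project code: two offline checks that mirror the
two failures reported on this page (IAM access to /adf/github_token and the
CodePipeline first-stage rule). Account, region, secret suffix and pipeline
declarations are constructed samples."""
import re
from typing import Dict, List, Tuple

SAMPLE_ACCOUNT = "123456789012"   # constructed
SAMPLE_REGION = "eu-west-1"       # constructed


# --- Check 1: least-privilege policy for the adf-pipeline-deployment role ----

def iam_policy_for_adf_secrets(account_id: str, region: str) -> Dict:
    """Identity-based policy granting GetSecretValue on /adf/* only.

    Secrets Manager appends a random 6-character suffix to every secret ARN
    (...:secret:/adf/github_token-AbCdEf), so the Resource must end with '*'.
    The '/adf/' name prefix is what limits the grant, not the trailing wildcard.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadAdfSecrets",
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": [f"arn:aws:secretsmanager:{region}:{account_id}:secret:/adf/*"],
        }],
    }


def _wildcard_match(pattern: str, value: str) -> bool:
    """IAM policy wildcard semantics: '*' matches any run of characters,
    '?' matches exactly one; everything else is literal (no regex classes)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def policy_allows(policy: Dict, action: str, resource_arn: str) -> bool:
    """Evaluate one identity policy: an explicit Deny wins, then any matching
    Allow, otherwise implicit deny (the AccessDeniedException on this page).
    Action names are case-insensitive in IAM; resource ARNs are matched as-is."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        action_hit = any(_wildcard_match(a.lower(), action.lower()) for a in actions)
        resource_hit = any(_wildcard_match(r, resource_arn) for r in resources)
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# --- Check 2: CodePipeline's first-stage rule -------------------------------

def _action(name: str, category: str, provider: str) -> Dict:
    """Minimal CodePipeline action declaration (shape of get_pipeline output)."""
    return {"name": name, "actionTypeId": {"category": category, "owner": "AWS",
                                          "provider": provider, "version": "1"}}

GOOD_PIPELINE = {  # constructed: GitHub source first, build in its own stage
    "name": "sample-pipeline",
    "stages": [
        {"name": "Source", "actions": [_action("GitHub", "Source", "CodeStarSourceConnection")]},
        {"name": "Build", "actions": [_action("Build", "Build", "CodeBuild")]},
    ],
}

BAD_PIPELINE = {  # constructed: a Build action slipped into the first stage
    "name": "sample-pipeline",
    "stages": [
        {"name": "Source", "actions": [
            _action("GitHub", "Source", "CodeStarSourceConnection"),
            _action("Build", "Build", "CodeBuild"),
        ]},
    ],
}


def first_stage_is_source_only(pipeline: Dict) -> Tuple[bool, str]:
    """Return (ok, reason). CodePipeline rejects a declaration whose first
    stage is empty or holds any action whose category is not 'Source'."""
    stages: List[Dict] = pipeline.get("stages", [])
    if not stages or not stages[0].get("actions"):
        return False, "pipeline has no first-stage actions"
    first = stages[0]
    offenders = [a["name"] for a in first["actions"]
                 if a.get("actionTypeId", {}).get("category") != "Source"]
    if offenders:
        return False, f"first stage {first['name']!r} has non-source actions: {offenders}"
    return True, "ok"


if __name__ == "__main__":
    policy = iam_policy_for_adf_secrets(SAMPLE_ACCOUNT, SAMPLE_REGION)
    token_arn = f"arn:aws:secretsmanager:{SAMPLE_REGION}:{SAMPLE_ACCOUNT}:secret:/adf/github_token-AbCdEf"
    print("token readable:", policy_allows(policy, "secretsmanager:GetSecretValue", token_arn))
    print(first_stage_is_source_only(GOOD_PIPELINE), first_stage_is_source_only(BAD_PIPELINE))
```

Note that the AccessDeniedException quotes the resource as the bare name `/adf/github_token` (the SecretId the caller passed), but the policy must name the ARN, including the random suffix Secrets Manager adds; `policy_allows` correctly reports the bare name as not matching, which is why a policy written against the name alone would still fail.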