Why am I getting a permissions error in my code build pipeline?

Asked By CodeCrafter92 On

I'm working with some CDK code to set up a code build project, but I'm running into a permissions issue. Here's the code snippet I've got:

```javascript
// Imports added for context (assumed: aws-cdk-lib v2 module paths)
import * as codebuild from 'aws-cdk-lib/aws-codebuild';
import * as iam from 'aws-cdk-lib/aws-iam';

const projectBuild = new codebuild.Project(this, 'ProjectBuild', {
  projectName: 'myProj',
  description: 'a project',
  environment: {
    buildImage: codebuild.LinuxBuildImage.AMAZON_LINUX_2023_5,
    computeType: codebuild.ComputeType.SMALL
  },
  buildSpec: codebuild.BuildSpec.fromObject({
    version: 0.2,
    phases: {
      install: {
        'runtime-versions': {
          nodejs: 22
        },
        commands: ['npm i']
      },
      build: {
        commands: [
          // This call runs under the project's auto-generated service role
          'aws cognito-idp list-user-pools --max-results 60',
          // other stuff
        ]
      }
    },
    artifacts: {
      // other stuff
    }
  })
});

// Grant the generated CodeBuild role the Cognito read actions the build needs
projectBuild.addToRolePolicy(
  new iam.PolicyStatement({
    resources: ['arn:aws:cognito-idp:*'],
    actions: ['cognito-idp:ListUserPools', 'cognito-idp:ListUserPoolClients'],
    effect: iam.Effect.ALLOW
  })
);
```

When I try to execute the pipeline, I get this error:

```
An error occurred (AccessDeniedException) when calling the ListUserPools operation: User: arn:aws:sts::495117181484:assumed-role/CicdCdkStack-ProjectBuildRoleE73FE62C-oGrMTzJv8lv8/AWSCodeBuild-b431f84c-a519-459b-8947-18a2dcc5084f is not authorized to perform: cognito-idp:ListUserPools on resource: * because no identity-based policy allows the cognito-idp:ListUserPools action
```

I've tried searching for solutions but haven't had any luck. Is there something I'm missing?

4 Answers

Answered By DevGuru_88 On

It sounds like you might be facing a bit of a chicken and egg situation. It seems like you're trying to add a policy to a role that is generated by the CDK. Make sure that your execution role has the necessary permissions to update policies. You might want to check your IAM policy too. Sometimes, you need to go upstream to figure out the issue. Are you using permission boundaries? That could be part of the problem as well.

Answered By TechieTim99 On

Here's a quick checklist I think might help.

1. Check the IAM actions for cognito-idp on AWS documentation.
2. Look specifically at ListUserPools: this action doesn't accept resource types.
3. Change your resources line from ['arn:aws:cognito-idp:*'] to ['*'].
4. Run your code again and see if that fixes the issue!

Answered By CloudyMinds On

I don't use the CDK myself, but I noticed that in your policy, the resources line is set to 'arn:aws:cognito-idp:*'. According to the AWS docs, you should use '*' instead (the resource types column is empty). Only the ListUserPoolClients action can have a specific resource defined. So, just change it to '*' and that should help resolve your permissions error!

Answered By AWSWhizKid On

In your error message, it indicates that you're not authorized for the cognito-idp:ListUserPools action on resource: *. To resolve this, simply change your policy from 'resources: ['arn:aws:cognito-idp:*']' to 'resources: ['*']'. That should clear up the issue!
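The three answers above all come down to the same mechanism: an action with no resource types is evaluated against the literal resource "*", and the pattern `arn:aws:cognito-idp:*` can never match that string, while the same pattern does match a real user pool ARN. The example below is added here and is not code from the thread or from the CDK; it models that evaluation with plain policy objects (no aws-cdk-lib), shows a least-privilege rewrite that splits the statement in two, and includes a small lint that catches the exact mistake in the question. The set of actions without resource types contains only ListUserPools, as the answers state, and the user pool ARN is a constructed sample value.

```javascript
// Added example (not from the thread): why the question's Resource pattern
// fails for ListUserPools and how a split, least-privilege policy fixes it.

// Actions IAM evaluates against the literal "*" because they define no
// resource types (assumption taken from the answers: ListUserPools only).
const ACTIONS_WITHOUT_RESOURCE_TYPES = new Set(['cognito-idp:ListUserPools']);

// Constructed sample pool ARN (not a real account or pool).
const POOL_ARN = 'arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE';

// IAM-style wildcard match: '*' matches any run of characters, '?' one character.
function patternMatches(pattern, value) {
  const body = pattern.split('').map((ch) => {
    if (ch === '*') return '.*';
    if (ch === '?') return '.';
    return ch.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  }).join('');
  return new RegExp('^' + body + '$').test(value);
}

// The resource string the call is evaluated against: "*" for actions with
// no resource types, otherwise the ARN of the thing being acted on.
function evaluatedResource(action, targetArn) {
  return ACTIONS_WITHOUT_RESOURCE_TYPES.has(action) ? '*' : targetArn;
}

// Simplified identity-policy evaluator: an explicit Deny wins, otherwise any
// statement whose Action and Resource both match grants access.
function isAllowed(policy, action, resource) {
  let allowed = false;
  for (const st of policy.Statement) {
    const actionHit = [].concat(st.Action).some((a) => patternMatches(a, action));
    const resourceHit = [].concat(st.Resource).some((r) => patternMatches(r, resource));
    if (!actionHit || !resourceHit) continue;
    if (st.Effect === 'Deny') return false;
    allowed = true;
  }
  return allowed;
}

function simulate(policy, action, targetArn) {
  return isAllowed(policy, action, evaluatedResource(action, targetArn));
}

// Lint: flag actions without resource types whose Resource can never match "*".
function findMisscopedActions(policy) {
  const findings = [];
  for (const st of policy.Statement) {
    const resources = [].concat(st.Resource);
    for (const a of [].concat(st.Action)) {
      if (ACTIONS_WITHOUT_RESOURCE_TYPES.has(a) && !resources.includes('*')) {
        findings.push(`${a}: Resource ${JSON.stringify(resources)} never matches "*"; use "*"`);
      }
    }
  }
  return findings;
}

// The policy document the question's PolicyStatement synthesizes to.
const questionPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['cognito-idp:ListUserPools', 'cognito-idp:ListUserPoolClients'],
    Resource: ['arn:aws:cognito-idp:*'],
  }],
};

// Least-privilege rewrite: "*" only for the action that has no resource types,
// and the pool-scoped action pinned to one pool instead of every pool.
const fixedPolicy = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: 'cognito-idp:ListUserPools', Resource: '*' },
    { Effect: 'Allow', Action: 'cognito-idp:ListUserPoolClients', Resource: POOL_ARN },
  ],
};

console.log('question policy, ListUserPools:', simulate(questionPolicy, 'cognito-idp:ListUserPools', POOL_ARN));
console.log('fixed policy, ListUserPools:   ', simulate(fixedPolicy, 'cognito-idp:ListUserPools', POOL_ARN));
console.log('lint findings:', findMisscopedActions(questionPolicy));
```

In CDK terms the rewrite is two `iam.PolicyStatement` calls instead of one: `resources: ['*']` for `cognito-idp:ListUserPools`, and `resources: [userPool.userPoolArn]` for `cognito-idp:ListUserPoolClients`. Keeping them separate is what lets the pool-scoped action stay scoped; merging both actions into a single `'*'` statement would also make the error go away, but grants more than the build needs.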
