aws-cdk: (cli): CDK Pipeline in account bootstrapped with 1.110.0 (bootstrap version 7): S3 Access Denied
CDKPipeline fails with S3 Access Denied error when account has been bootstrapped with aws-cdk@1.110.0 (bootstrap version 7).
If I downgrade my CDK CLI to 1.108.0, bootstrap again (bootstrap version 6) and push a change through the pipeline it completes successfully.
Reproduction Steps
Minimal cdk pipeline repo here: https://github.com/cogwirrel/minimal-cdk-pipeline-ts
npm i -g aws-cdk@1.110.0
cdk bootstrap
cdk deploy
git remote add cc codecommit://MyRepo (requires git-remote-codecommit)
git push cc mainline
Observe error in the pipeline:
Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: ZE8ZB6NBMFEY4F6F; S3 Extended Request ID: t9dE+lUpj3K+CKD87YAPLOT0i2pD8CIqoTJv+KxBZQ6S84nM05bpPHzq0EhdNyjs8L00lSrR9wg=; Proxy: null)
What did you expect to happen?
Empty CDK Pipeline to deploy successfully
What actually happened?
“Prepare” step for the pipeline stage failed with an S3 Access Denied error.
Environment
- CDK CLI Version: 1.110.0
- Framework Version: 1.110.0
- Node.js Version: 14.17.0
- OS: macOS Big Sur (11.4)
- Language (Version): TypeScript 4.3.2
Other
Possibly related to https://github.com/aws/aws-cdk/pull/15192 ?
This is 🐛 Bug Report
About this issue
- State: closed
- Created 3 years ago
- Reactions: 14
- Comments: 23 (12 by maintainers)
Commits related to this issue
- fix(pipelines): artifact bucket permissions missing for in-account deployments A recent change to the default `deploy-role` policies required that the required permissions statements are added to the... — committed to aws/aws-cdk by rix0rrr 3 years ago
- fix(pipelines): artifact bucket permissions missing for in-account deployments (#15348) A recent change to the default `deploy-role` policies required that the required permissions statements are ad... — committed to aws/aws-cdk by rix0rrr 3 years ago
- fix(pipelines): artifact bucket permissions missing for in-account deployments (#15348) A recent change to the default `deploy-role` policies required that the required permissions statements are ad... — committed to hollanddd/aws-cdk by rix0rrr 3 years ago
AHA!
It breaks if you DO give an `account` on the stage, and the account is the same as the pipeline’s account! If you leave out the `account`, then the permissions get properly added to the bucket.
I have this problem, too. And like @czubocha I don’t specify any account anywhere (neither in the app nor stage nor stack). Is your fix still working in this configuration, @rix0rrr ?
Hi all, @rix0rrr I tried today to deploy a pipeline using the newly released version 1.111.0 and I can see the same S3 Access Denied error. I already tried to clean up/bootstrap again and no success.
For now, yes. We will fix it shortly.