We have users logging in from our landing account to the CI/CD account, usually with Admin or read-only roles.
We would like to use IAM groups in the CI/CD account so that only the users in specific groups can approve/reject the deployment (but we have NO users in the CI/CD account). We just have the required groups in place. However, since we do not create users in our CI/CD account, but only assume roles from our landing account, how do we use the IAM approval in CodePipeline?
Groups are only used with users, so they won't work in this context. You need to assign the permission in a policy on the relevant role:
For example:
Pipeline Arn: arn:aws:codepipeline:eu-west-1:123456789:my-pipeline
Pipeline Stage Name: Prod
Approval Action Name: Approve-Prod
# Statement in the identity policy attached to the role that approvers assume
- Action:
    - codepipeline:PutApprovalResult
  Effect: Allow
  Resource:
    - arn:aws:codepipeline:eu-west-1:123456789:my-pipeline/Prod/Approve-Prod
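As an added example (not part of the original answer), the following Python builds the approval-action ARN and the two policies the answer implies, the identity policy on the approver role in the CI/CD account and the trust policy that lets principals in the landing account assume it, and then checks with a simplified evaluator that the role can approve only the named stage/action. The landing account id, the role's trust policy shape and the evaluator are assumptions; the pipeline ARN, stage and action name come from the answer above.

```python
"""Least-privilege approval permission on an assumed role (added example)."""
from fnmatch import fnmatchcase

# Values from the answer above; the landing account id is a constructed placeholder.
PIPELINE_ARN = "arn:aws:codepipeline:eu-west-1:123456789:my-pipeline"
LANDING_ACCOUNT_ID = "111111111111"  # constructed placeholder


def approval_action_arn(pipeline_arn: str, stage: str, action: str) -> str:
    """CodePipeline scopes approval permissions to <pipeline-arn>/<stage>/<action>."""
    return f"{pipeline_arn}/{stage}/{action}"


def approver_role_policy(pipeline_arn: str, stage: str, action: str) -> dict:
    """Identity policy for the approver role in the CI/CD account (same statement as above)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["codepipeline:PutApprovalResult"],
            "Resource": [approval_action_arn(pipeline_arn, stage, action)],
        }],
    }


def trust_policy(landing_account_id: str) -> dict:
    """Trust policy so principals in the landing account can assume the role (no IAM users needed)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{landing_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: '*' wildcards, explicit Deny wins, default deny (assumption)."""
    allowed = False
    for st in policy["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(fnmatchcase(action, a) for a in acts) and any(fnmatchcase(resource, r) for r in res):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Because the resource is scoped to one stage and action, a role built this way can approve Prod but not a Staging approval in the same pipeline, which is the check worth running before attaching the policy.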