Tags: amazon-web-services, aws-codestar

Cross-account CodeStar connection


I am trying to make use of a CodeStar connection that exists in Account A in an Account B CodePipeline; however, I am currently getting the following error:

Unable to use Connection: arn:aws:codestar-connections:ap-southeast-2:xxxxxxxxxxxx:connection/xxxxxxxxxxxx. The provided role does not have sufficient permissions.

The role has the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "codestar-connections:UseConnection",
            "Resource": "arn:aws:codestar-connections:ap-southeast-2:xxxxxxxxxxxx:connection/xxxxxxxxxxxx"
        }
    ]
}

Do I need to configure anything in Account A to make Account B be able to use the CodeStar connection?


Solution

  • Unfortunately, cross-account connections cannot be set up.

    If the method you described would work, you could simply fill in any account id / connection name to hijack someone's repo.

    All resources that support cross-account sharing have some type of resource-based policy attached to them (think of S3 bucket policies, or KMS key policies). Connections do not have resource-based policies and are also not supported by AWS Resource Access Manager, so they can't be used in other accounts, unfortunately. Set up the connection in the other account as well to make use of the repo.
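As an added illustration (not code from the question or the answer), the check below scans a pipeline definition in the shape returned by CodePipeline's get_pipeline API and flags any CodeStarSourceConnection action whose ConnectionArn belongs to a different account than the pipeline; the sample pipeline, account IDs and connection ID are constructed placeholders.

```python
"""Flag CodePipeline source actions whose CodeStar connection lives in another account."""
from typing import Dict, List, Optional


def parse_connection_arn(arn: str) -> Optional[Dict[str, str]]:
    """Split arn:aws:codestar-connections:<region>:<account>:connection/<id>; None if not one."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "codestar-connections":
        return None
    if not parts[5].startswith("connection/"):
        return None
    return {"region": parts[3], "account": parts[4], "id": parts[5].split("/", 1)[1]}


def cross_account_connections(pipeline: Dict, pipeline_account: str) -> List[str]:
    """Names (stage/action) of CodeStarSourceConnection actions whose connection
    belongs to another account. Connections have no resource-based policy, so
    such an action fails with 'The provided role does not have sufficient permissions'."""
    findings = []
    for stage in pipeline.get("stages", []):
        for action in stage.get("actions", []):
            if action.get("actionTypeId", {}).get("provider") != "CodeStarSourceConnection":
                continue
            parsed = parse_connection_arn(action.get("configuration", {}).get("ConnectionArn", ""))
            # A malformed ARN is reported too: it can never be the pipeline account's own connection.
            if parsed is None or parsed["account"] != pipeline_account:
                findings.append(f"{stage['name']}/{action['name']}")
    return findings


# Constructed sample in the shape of CodePipeline's get_pipeline output (not a real pipeline).
SAMPLE_PIPELINE = {
    "name": "example-pipeline",
    "stages": [{
        "name": "Source",
        "actions": [{
            "name": "GitHubSource",
            "actionTypeId": {"category": "Source", "owner": "AWS",
                             "provider": "CodeStarSourceConnection", "version": "1"},
            "configuration": {
                "ConnectionArn": "arn:aws:codestar-connections:ap-southeast-2:111111111111"
                                 ":connection/00000000-0000-0000-0000-000000000000",
                "FullRepositoryId": "example-org/example-repo",
                "BranchName": "main",
            },
        }],
    }],
}

# Account B (222222222222) runs the pipeline while the connection belongs to Account A (111111111111).
print(cross_account_connections(SAMPLE_PIPELINE, "222222222222"))
```

Running it against the pipeline's own account returns an empty list; running it with the other account's ID names the offending action, which is the same mismatch that produces the error quoted in the question.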