Fix cross-account deploys restricted by externalId #117
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
It's possible to restrict these in the cross-account IAM role policy[1]. Up until the present fix, however, the current implementation doesn't cover that use case as expected: * a new `AWSCodeDeployPublisher` instance receives the `externalId` through its constructor and saves it[2] * when using `"iamRoleArn"` as credentials, the instance will retrieve `externalId` from the `descriptor`[3] * but the descriptor instance initializes its own `externalId` randomly[4] [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html [2]: https://github.com/awslabs/aws-codedeploy-plugin/blob/40d7b24c95edef27f2879037ae1add30fc3f3831/src/main/java/com/amazonaws/codedeploy/AWSCodeDeployPublisher.java#L108-L130 [3]: https://github.com/awslabs/aws-codedeploy-plugin/blob/40d7b24c95edef27f2879037ae1add30fc3f3831/src/main/java/com/amazonaws/codedeploy/AWSCodeDeployPublisher.java#L204-L207 [4]: https://github.com/awslabs/aws-codedeploy-plugin/blob/40d7b24c95edef27f2879037ae1add30fc3f3831/src/main/java/com/amazonaws/codedeploy/AWSCodeDeployPublisher.java#L460-L464
By Java 17 the `<tt>` HTML tag has been deprecated, presumably because it switched to HTML5 (?).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue
It's possible to restrict cross-account deploys to a specific
externalIdin IAM role policies.Up until the present fix, however, such deploys with a custom
externalIdfail with HTTP 403 forbidden; removing the restriction from the IAM policy instantly allows for the deploy to happen.My understanding of what's happening is:
AWSCodeDeployPublisherinstance receives theexternalIdthrough its constructor and saves it:aws-codedeploy-plugin/src/main/java/com/amazonaws/codedeploy/AWSCodeDeployPublisher.java
Lines 108 to 130 in 40d7b24
"iamRoleArn"as credentials, the instance will retrieveexternalIdfrom the descriptor:aws-codedeploy-plugin/src/main/java/com/amazonaws/codedeploy/AWSCodeDeployPublisher.java
Lines 204 to 207 in 40d7b24
externalIdrandomly:aws-codedeploy-plugin/src/main/java/com/amazonaws/codedeploy/AWSCodeDeployPublisher.java
Lines 460 to 464 in 40d7b24
Description of changes
Functional:
AWSCodeDeployPublisher.externalIdinstead of the descriptor'sTooling-related:
[*] closes #107, #115 and #116
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.