AWS Python CDK v2 grant lambda permission failed with CI/CD pipeline

Time:10-20

My CDK code works well on granting SQS permissions to Lambda functions. After I switched my code to a CI/CD pipeline, the pipeline can finish successfully but fails to grant Lambda permissions, with no errors at all. Adding an event source to the Lambda also failed due to lack of permission.

Grant permission code:

sqs_queue.grant_consume_messages(lambda_function)

app.py CI/CD code:

import aws_cdk as cdk
from lib.pipeline_stack import BackToOriginPipelineStack

app = cdk.App()
BackToOriginPipelineStack(app, 'BackToOriginPipelineStack')

app.synth()

Pipeline stack code:

from constructs import Construct
from aws_cdk import (
    Stack,
    aws_codecommit as codecommit,
    pipelines as pipelines,
)
from .pipeline_stage import BackToOriginPipelineStage

class BackToOriginPipelineStack(Stack):
    
    def __init__(self, scope: Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        
        repo = codecommit.Repository(
            self, 'BackToOriginRepo',
            repository_name='BackToOriginPipeRepo'
        )
        
        pipeline = pipelines.CodePipeline(
            self, 'Pipeline',
            synth=pipelines.ShellStep(
                'Synth',
                input=pipelines.CodePipelineSource.code_commit(repo, 'master'),
                commands=[
                    'npm install -g aws-cdk',
                    'pip install -r requirements.txt',
                    'cdk synth',
                ]
            )
        )
        
        deploy = BackToOriginPipelineStage(self, 'Deploy')
        deploy_stage = pipeline.add_stage(deploy)

Stage stack code:

from constructs import Construct
from aws_cdk import (
    Stage
)
from .back_to_origin_stack import BackToOriginStack

class BackToOriginPipelineStage(Stage):
    
    def __init__(self, scope: Construct, id: str, **kwargs):
        super().__init__(scope, id, **kwargs)
        
        service = BackToOriginStack(self, 'BackToOriginService')

I have no idea why granting permissions doesn't work. How should I modify my CDK code? Any idea would be appreciated. Thanks in advance.

*********** UPDATE *************

Following @Vikram's instruction, I added the code below into the pipeline stack, and it works well.

from aws_cdk import aws_iam as iam  # added to the imports at the top of pipeline_stack.py

        pipeline_role = iam.Role(
            self, 'CodePipelineRole',
            assumed_by=iam.ServicePrincipal('codepipeline.amazonaws.com'),
        )
        pipeline_role.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name(
            "IAMFullAccess"
        ))

        pipeline = pipelines.CodePipeline(
            self, 'Pipeline',
            synth=pipelines.ShellStep(
                'Synth',
                input=pipelines.CodePipelineSource.code_commit(repo, 'master'),
                commands=[
                    'npm install -g aws-cdk',
                    'pip install -r requirements.txt',
                    'cdk synth',
                ]
            ),
            role=pipeline_role,
        )

CodePudding user response:

When you run the CDK locally you might be using your own Access Key and Secret, which will have permissions to change or attach IAM permissions. Check if the CodePipeline Role has the necessary permissions. There is no need to change the CDK code.
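The check the answer suggests, carried out offline, as an added example that is not code from the question, the update or the answer: a small evaluator of IAM policy documents that reports which of the actions a `grant_consume_messages` + `add_event_source` deployment needs are not allowed to the deploying role. It also serves the update above, where `IAMFullAccess` was attached to the pipeline role: the constructed `SCOPED_DEPLOY_POLICY` is a narrower alternative limited to the deployed stack's roles, and the evaluator shows that an explicit Deny (for instance from a guard-rail policy) beats even a full-access Allow, which is one way a deploy can be silently short of permissions. The account id, role and function names, the policy documents and the exact list of required actions are assumptions made for the example; the evaluator ignores Condition, NotAction/NotResource and permissions boundaries.

```python
"""Offline least-privilege check for the role that deploys a CDK stack.

Reports which actions a `grant_consume_messages` + `add_event_source`
deployment needs that the role's policy documents do not allow. Simplified
IAM evaluation: explicit Deny wins, then any matching Allow, else implicit
deny. Conditions, NotAction/NotResource and boundaries are assumed absent.
"""
import re
from typing import Dict, List, Tuple, Union

Statement = Dict[str, Union[str, List[str]]]
Policy = Dict[str, Union[str, Statement, List[Statement]]]


def _as_list(value):
    """Action/Resource may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _statements(policy: Policy) -> List[Statement]:
    """Statement may likewise be a single object or a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _iam_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM wildcards: '*' is any run of characters, '?' a single character.
    Action names are case-insensitive, resource ARNs are not."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policies: List[Policy], action: str, resource: str) -> bool:
    """Evaluate one (action, resource) pair against every policy document."""
    allowed = False
    for policy in policies:
        for stmt in _statements(policy):
            if not any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action"))):
                continue
            if not any(_iam_match(r, resource, False) for r in _as_list(stmt.get("Resource"))):
                continue
            if stmt.get("Effect") == "Deny":
                return False  # an explicit Deny overrides any Allow
            if stmt.get("Effect") == "Allow":
                allowed = True  # keep scanning: a later Deny still wins
    return allowed


def missing_permissions(policies: List[Policy],
                        required: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (action, resource) pairs the role cannot perform."""
    return [(a, r) for a, r in required if not is_allowed(policies, a, r)]


# ---- constructed sample data (hypothetical account id and names) ----
ACCOUNT = "123456789012"
LAMBDA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/BackToOriginService-LambdaRole"

# What CloudFormation must be allowed to do for the resources the two CDK calls
# synthesize: an AWS::IAM::Policy on the function role (grant_consume_messages)
# and an AWS::Lambda::EventSourceMapping (add_event_source). Assumed list;
# confirm against CloudTrail AccessDenied events for the deploying role.
REQUIRED = [
    ("iam:PutRolePolicy", LAMBDA_ROLE_ARN),
    ("iam:DeleteRolePolicy", LAMBDA_ROLE_ARN),
    ("iam:PassRole", LAMBDA_ROLE_ARN),
    ("lambda:CreateEventSourceMapping", "*"),
]

# Only pipeline plumbing: the "works locally, silently skipped in CI" role.
PIPELINE_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "codebuild:*"], "Resource": "*"}]}

# Reduced to its core statement: the IAMFullAccess managed policy from the update.
IAM_FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}

# Least-privilege alternative: only the actions above, only on this stack's roles.
SCOPED_DEPLOY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["iam:PutRolePolicy", "iam:DeleteRolePolicy", "iam:GetRolePolicy", "iam:PassRole"],
     "Resource": f"arn:aws:iam::{ACCOUNT}:role/BackToOriginService-*"},
    {"Effect": "Allow",
     "Action": ["lambda:CreateEventSourceMapping", "lambda:DeleteEventSourceMapping"],
     "Resource": "*"}]}

# A guard-rail style explicit Deny (single-statement form) that beats any Allow.
DENY_ALL_IAM = {"Version": "2012-10-17",
                "Statement": {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}}

if __name__ == "__main__":
    for label, docs in [("IAMFullAccess", [IAM_FULL_ACCESS]),
                        ("scoped", [PIPELINE_ONLY_POLICY, SCOPED_DEPLOY_POLICY])]:
        print(f"{label}: missing {missing_permissions(docs, REQUIRED)}")
```

Against a real account, feed the evaluator the documents returned by boto3's `iam.get_role_policy` and `iam.list_attached_role_policies` for whichever role CloudFormation executes the change set with, or ask IAM directly with `iam.simulate_principal_policy` for the same action/resource pairs; the offline version is for reviewing a proposed policy before it is attached.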
