2.1.4.5. Configuring Security Permissions for Artifact Access (IAM, CodeArtifact)
2.1.4.5. Configuring Security Permissions for Artifact Access (IAM, Cross-Account)
Deployment pipelines cross account and service boundaries — and each boundary needs explicit IAM permissions. A missing permission anywhere in the chain silently breaks the pipeline.
The CodeDeploy service role needs permissions to read deployment bundles from S3 and, depending on the compute platform, to manage EC2 instances, update ECS services, or invoke Lambda functions. AWS provides managed policies for this: AWSCodeDeployRole for EC2/on-premises and AWSCodeDeployRoleForECS for ECS.
The EC2 instance profile on CodeDeploy target instances needs s3:GetObject on the artifact bucket and s3:GetBucketLocation. Without that instance profile, the CodeDeploy agent on the instance can't download the deployment bundle.
Cross-account deployments require:
- The artifact bucket in Account A grants s3:GetObject to Account B's CodeDeploy role
- The KMS key encrypting the artifacts grants kms:Decrypt to Account B's role
- Account B's CodeDeploy assumes a cross-account role in Account A
Bucket policy in Account A granting the artifact read to Account B's role (ACCOUNT_B is a placeholder for the account ID):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::ACCOUNT_B:role/CodeDeployRole"},
            "Action": ["s3:GetObject", "s3:GetObjectVersion"],
            "Resource": "arn:aws:s3:::pipeline-artifacts/*"
        }
    ]
}
ECR cross-account image pulls require a repository policy granting ecr:GetDownloadUrlForLayer, ecr:BatchGetImage, and ecr:BatchCheckLayerAvailability to the consuming account.
Exam Trap: Cross-account pipelines in CodePipeline use a customer-managed KMS key (not the default aws/s3 key). The default key can't be shared cross-account. If you see "Access Denied" errors in cross-account pipeline stages, the KMS key policy is the first place to check.
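As an added example (not from the original page and not AWS tooling), this Python checker walks the cross-account chain described above against constructed sample policies and reports which grants are missing, so a "missing permission anywhere in the chain" shows up before the pipeline breaks. The account IDs, role name and bucket are placeholders, and the matching is a simplified subset of IAM evaluation (no Condition blocks, no identity-policy merging, account-root principals not counted as a grant to the role).

```python
import fnmatch
import json

# Constructed sample policies; account IDs are placeholders, not real accounts.
ACCOUNT_B_ROLE = "arn:aws:iam::222222222222:role/CodeDeployRole"
BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ACCOUNT_B_ROLE},
    "Action": ["s3:GetObject", "s3:GetObjectVersion"],
    "Resource": "arn:aws:s3:::pipeline-artifacts/*"}]})
# Key policy that only trusts Account A itself: kms:Decrypt for B's role is missing.
KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "kms:*", "Resource": "*"}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, role_arn):
    # "*" is anyone; otherwise the role ARN must be listed explicitly. A grant to
    # Account B's root only delegates to B's identity policies, so it is not counted.
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return "*" in aws or role_arn in aws

def _matches(patterns, value):
    # IAM action/resource patterns use "*" and "?"; actions are case-insensitive.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def missing_grants(policy_json, role_arn, required_actions, resource):
    """Required actions the policy does not allow the role; explicit Deny wins."""
    verdicts = {a: set() for a in required_actions}
    for st in _as_list(json.loads(policy_json)["Statement"]):
        if not _principal_matches(st.get("Principal", {}), role_arn):
            continue
        if not _matches(st.get("Resource", []), resource):
            continue
        for action in required_actions:
            if _matches(st.get("Action", []), action):
                verdicts[action].add(st["Effect"])
    return [a for a, v in verdicts.items() if "Deny" in v or "Allow" not in v]

def audit_cross_account(bucket_policy, key_policy, role_arn):
    """Check each link of the chain from the section and report the gaps."""
    return {
        "s3": missing_grants(bucket_policy, role_arn,
                             ["s3:GetObject", "s3:GetObjectVersion"],
                             "arn:aws:s3:::pipeline-artifacts/deploy.zip"),
        "kms": missing_grants(key_policy, role_arn, ["kms:Decrypt"], "*"),
    }
```

Running audit_cross_account(BUCKET_POLICY, KEY_POLICY, ACCOUNT_B_ROLE) flags the KMS link, which is exactly where the exam trap above says to look first.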
