Code Deploy error trying to Download the artifact from the bucket

[Mat-moran]

Hi I am trying to setup a pipeline using CDK.

• I did all the steps manually and I can deploy my application without problems.
• I achieve the same structure using the cdk code post below but when it try to reach S3 bucket to get the Artifact it launch the next error The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
  

The only different with the manually setted up pipeline is in the artifact output format.

• Manually setted up pipeline : None
• cdk : zip format

But I do not find the way to change the output format in cdk from a GitHubSourceAction.

Can anyone throw some light on this? 🙏
Thanks

import * as ec2 from "aws-cdk-lib/aws-ec2";
import * as cdk from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam'
import * as path from 'path';
import * as codepipeline from "aws-cdk-lib/aws-codepipeline"
import * as codedeploy from "aws-cdk-lib/aws-codedeploy"

import * as codepipeline_actions from 'aws-cdk-lib/aws-codepipeline-actions';
// import { KeyPair } from 'cdk-ec2-key-pair';

import { Asset } from 'aws-cdk-lib/aws-s3-assets';
import { Stack, StackProps, SecretValue } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { ManagedPolicy } from "aws-cdk-lib/aws-iam";
// import * as sqs from 'aws-cdk-lib/aws-sqs';

export class CiCdAwsPipeline extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    // PIPELINE
    const pipeline = new codepipeline.Pipeline(this, 'TestPipeline', {
      pipelineName: 'TestPipeline',
    })


    // STEP 1 -> Source
    const source_output = new codepipeline.Artifact();
    const github_connect = new codepipeline_actions.GitHubSourceAction({
      actionName: 'GitHub_Source',
      owner: 'Mat-moran',
      repo: "my-t3-app",
      oauthToken: SecretValue.secretsManager("github-token-test"),
      output: source_output,
      branch: 'main',
    })

    pipeline.addStage({
      stageName: 'Source',
      actions: [github_connect]
    })

    // STEP 2 -> Deploy
    const application = new codedeploy.ServerApplication(this, 'CodeDeployApplication', {
      applicationName: 'MyApp',
    })
    const deployment_group = new codedeploy.ServerDeploymentGroup(this, 'CodeDeployDeploymentGroup', {
      deploymentGroupName: "DG-MyApp",
      deploymentConfig: codedeploy.ServerDeploymentConfig.ALL_AT_ONCE,
      application: application,
      installAgent: true,
      ec2InstanceTags: new codedeploy.InstanceTagSet(
        {
          // any instance with tags satisfying
          // key1=v1 or key1=v2 or key2 (any value) or value v3 (any key)
          // will match this group
          'CICD': ['testing-edgedb'],
          'project_name': ['testing-edgedb'],
          // '': ['v3'],
        },
      ),
    });
    deployment_group.role?.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("AmazonS3ReadOnlyAccess"))
    deployment_group.role?.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("AWSCodeDeployFullAccess"))
    const deploy_action = new codepipeline_actions.CodeDeployServerDeployAction({
      actionName: "CodeDeploy",
      input: source_output,
      deploymentGroup: deployment_group,
    })

    pipeline.addStage({
      stageName: 'Deploy',
      actions: [deploy_action]
    })
  }
}

[Mat-moran]

I found the solution!

The bucket was encrypted due to the default pipeline configuration on cdk that is prepare to use crossacount config. If you add the parameter crossAccountKeys: false during pipeline creation it solves the problem.

// Don't create Customer Master Keys
const pipeline = new codepipeline.Pipeline(this, 'MyFirstPipeline', {
  crossAccountKeys: false,
});

[badfun]

I've been struggling with the same issue. Turns out that crossAccountKeys in aws_codepipeline defaults to TRUE, whereas crossAccountKeys in cdk_codepipelines defaults to FALSE. Both are optional, so I had just left it out for Pipeline, not realizing it was being created behind the scenes. Confusing!

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.