I have a central Tooling Account that contains the deployment pipeline and another account ("stage") where the application is deployed to. One of the steps in the pipeline is migrating the database with a Lambda function in the staging account. The function is called, but it runs into an error because it can't access the CodePipeline, and the stage in the pipeline runs into a timeout after ~20 minutes. The error message in the pipeline suggests that the Lambda function is not calling PutJobSuccessResult/PutJobFailureResult or that the function is not allowed to.
The function is calling these APIs, but it seems like it has no access rights to the CodePipeline in the Tooling account.
These are the policies that are attached to the Lambda and the CodePipeline:
Lambda:
...,{
"Action": [
"codepipeline:PutJobSuccessResult",
"codepipeline:PutJobFailureResult"
],
"Effect": "Allow",
"Resource": [
"*",
"${var.pipelineArn}"
]
},...
And CodePipeline:
..., {
"Effect": "Allow",
"Action": [
"codepipeline:*",
"iam:ListRoles",
"cloudformation:Describe*",
"cloudFormation:List*",
"codecommit:List*",
"codecommit:Get*",
"codecommit:GitPull",
"codecommit:UploadArchive",
"codecommit:CancelUploadArchive",
"codebuild:BatchGetBuilds",
"codebuild:StartBuild",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:UpdateStack",
"cloudformation:CreateChangeSet",
"cloudformation:DeleteChangeSet",
"cloudformation:DescribeChangeSet",
"cloudformation:ExecuteChangeSet",
"cloudformation:SetStackPolicy",
"cloudformation:ValidateTemplate",
"iam:PassRole",
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "*"
}, ...
Any ideas on what is missing? I assume that I need to add the Principal somewhere, but I don't know where...