From 5e14547e55f243d89cfd3ee1d034cf8fb2a2c4e8 Mon Sep 17 00:00:00 2001
From: Dave Arnold
Date: Mon, 8 Jun 2026 15:41:04 -0400
Subject: [PATCH] feat(CSVDIES-9980): pass ExternalId at assume-role; default to sc-automation-codebuild-role
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two related changes to wire the executor to the new cross-account role deployed by the terraform-service-catalog-census StackSet (PR #13):

1. CROSS_ACCOUNT_ROLE default changed from r-inf-terraform to sc-automation-codebuild-role — the new purpose-built role for this automation system, deployed org-wide via CFN StackSet.

2. --external-id "${TARGET_ACCOUNT_ID}" added to the aws sts assume-role call — required by the ExternalId condition on sc-automation-codebuild-role (sts:ExternalId = AWS::AccountId) per ADR-004 confused-deputy protection.

The r-inf-terraform role can still be used by passing CROSS_ACCOUNT_ROLE=r-inf-terraform as an env var override; it is not removed from the CodeBuild IAM policy.

See ADR-004: docs/decisions/004-account-baseline-iam-role.md

Jira: CSVDIES-9980
---
 buildspec-executor.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/buildspec-executor.yml b/buildspec-executor.yml
index 8973fa3..a6fb2e5 100644
--- a/buildspec-executor.yml
+++ b/buildspec-executor.yml
@@ -34,7 +34,7 @@ env:
     NO_PROXY: "github.e.it.census.gov,169.254.169.254,169.254.170.2"
     # Per-build defaults (overridden via environmentVariablesOverride in Lambda)
     TARGET_ACCOUNT_ID: ""
-    CROSS_ACCOUNT_ROLE: "r-inf-terraform"
+    CROSS_ACCOUNT_ROLE: "sc-automation-codebuild-role"
     TF_RUN_START_TAG: ""
     DRY_RUN: "false"
 
@@ -113,6 +113,7 @@ phases:
           CREDS=$(aws sts assume-role \
             --role-arn "${ROLE_ARN}" \
             --role-session-name "sc-automation-${ACCOUNT_REPO}" \
+            --external-id "${TARGET_ACCOUNT_ID}" \
             --query Credentials \
             --output json)
           export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | python3 -c "import json,sys; print(json.load(sys.stdin)['AccessKeyId'])")
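Review bot: The comment `# Per-build defaults (overridden via environmentVariablesOverride in Lambda)` above TARGET_ACCOUNT_ID no longer describes its full role: with this commit the same value is also sent as the ExternalId at assume-role, so a missing or wrong override now fails the role assumption instead of merely pointing at the wrong account. Suggest adding one line above `TARGET_ACCOUNT_ID: ""`: `# Also passed as --external-id at assume-role (trust policy expects the target account id, ADR-004)`. The empty default itself is unchanged by this commit, which is why the comment is the right place to flag that the value is now mandatory for the build to succeed.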
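Review bot: The added `--external-id "${TARGET_ACCOUNT_ID}"` forwards the variable unchecked, and the env block in this same patch defaults TARGET_ACCOUNT_ID to "", so a build whose Lambda override is missing will call STS with an empty ExternalId and the failure will most likely surface only as a JSON decode error from the python3 extraction on the `export AWS_ACCESS_KEY_ID=$(...)` line, since an AWS CLI error leaves CREDS empty. Assert the value before the call, `: "${TARGET_ACCOUNT_ID:?TARGET_ACCOUNT_ID must be set (used as ExternalId per ADR-004)}"`, and fail the block explicitly when assume-role returns non-zero by ending the command with `--output json) || { echo "assume-role failed for ${ROLE_ARN}" >&2; exit 1; }`; whether `set -e` is active in this commands block is not visible in the hunk, so the explicit handler is needed either way. An ExternalId mismatch is exactly the case the new trust condition is meant to reject, so a message naming the role ARN will make those failures much easier to triage. The enclosing commands block starts and ends outside the hunk.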