# AWS - Codepipeline Privesc

{{#include ../../../banners/hacktricks-training.md}}

## codepipeline

For more info about codepipeline check:

{{#ref}}
../aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md
{{#endref}}

### `iam:PassRole`, `codepipeline:CreatePipeline`, `codebuild:CreateProject`, `codepipeline:StartPipelineExecution`

When creating a code pipeline you can indicate a **codepipeline IAM Role to run**, therefore you could compromise those roles. Apart from the previous permissions you would need **access to the place where the code is stored** (S3, ECR, github, bitbucket...).

I tested this doing the process in the web page; the permissions indicated previously are the non-List/Get ones needed to create a codepipeline, but for creating it in the web you will also need: `codebuild:ListCuratedEnvironmentImages, codebuild:ListProjects, codebuild:ListRepositories, codecommit:ListRepositories, events:PutTargets, codepipeline:ListPipelines, events:PutRule, codepipeline:ListActionTypes, cloudtrail:`

During the **creation of the build project** you can indicate a **command to run** (rev shell?) and to run the build phase as a **privileged user**; that's the configuration the attacker needs to compromise:

![](<../../../images/image (276).png>)

![](<../../../images/image (181).png>)

### ?`codebuild:UpdateProject, codepipeline:UpdatePipeline, codepipeline:StartPipelineExecution`

It might be possible to modify the role used and the command executed on a codepipeline with the previous permissions.

### `codepipeline:pollforjobs`

[AWS mentions](https://docs.aws.amazon.com/codepipeline/latest/APIReference/API_PollForJobs.html):

> When this API is called, CodePipeline **returns temporary credentials for the S3 bucket** used to store artifacts for the pipeline, if the action requires access to that S3 bucket for input or output artifacts. This API also **returns any secret values defined for the action**.
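As an added defender-side example (not code from this page or from AWS), the following Python checks an IAM policy document for the action combination described in the `iam:PassRole` / `codepipeline:CreatePipeline` / `codebuild:CreateProject` / `codepipeline:StartPipelineExecution` section, expanding wildcards such as `codepipeline:*`. The sample policies are constructed; conditions and resource scoping are ignored, so a hit is something to review, not proof of privesc.

```python
import fnmatch
import json

# The action combination this page describes (added example, not HackTricks code).
PRIVESC_SET = {
    "iam:PassRole",
    "codepipeline:CreatePipeline",
    "codebuild:CreateProject",
    "codepipeline:StartPipelineExecution",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_actions(policy, candidates=PRIVESC_SET):
    """Return the subset of `candidates` an IAM policy document grants via Allow
    statements (wildcards such as codepipeline:* or * are expanded; explicit
    Deny statements remove a candidate again). Conditions and Resource are
    ignored, so the result over-approximates what the policy really permits."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if "NotAction" in stmt:
            continue  # NotAction grants are unusual; review them by hand
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        hits = {c for c in candidates
                if any(fnmatch.fnmatch(c.lower(), p) for p in patterns)}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hits)
    return allowed - denied

def has_codepipeline_privesc(policy):
    """True when every action in the risky combination is granted."""
    return PRIVESC_SET <= allowed_actions(policy)

# Constructed sample policies for demonstration (not real account policies).
RISKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["codepipeline:*", "codebuild:CreateProject"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
  ]}""")

SAFER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["codepipeline:*", "codebuild:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"}
  ]}""")

if __name__ == "__main__":
    for name, pol in (("risky", RISKY_POLICY), ("safer", SAFER_POLICY)):
        print(name, sorted(allowed_actions(pol)), has_codepipeline_privesc(pol))
```

Run it against `get-policy-version` output from your own account to flag policies where `iam:PassRole` is not scoped with an `iam:PassedToService` condition.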