Pipeline for service fails if service is not already deployed to environment. #3984
Comments
Hello @CorinWilkins! Thank you for reporting this issue. I have a few vanilla questions to start with while I'm attempting to reproduce the issue:
Thank you very much and sorry for the inconvenience! Edit:
Any information on your setup would be very helpful for me to reproduce the issue. Thank you!
More detail on our setup:
Hello @CorinWilkins. Could you try to run
I have redeployed each environment into its respective accounts. I've also added an environment to our build account and I'm still getting the permissions denied error. The app is v1.0.2
This is strange. This looks very similar to #3453 (comment) which we resolved before. Could you help us to check the permission for the files that failed to get? Also, which resource creation returns this error msg? Thank you!
To replicate:
Looking at the permissions for the object above in S3, the "Object owner (external account)" is our production account. We have 4 accounts: Build, Sandbox, Dev, and Prod. The pipeline is failing to deploy to sandbox, the first stage in our pipeline.
I've manually added the sandbox account to the grantees and re-ran the pipeline but this has not worked. *Edit: It looks like running the pipeline removes the grantee I added manually.
Hello @CorinWilkins. I think we have clues on the root of the issue and I'm trying to reproduce it. Once we have figured out the root cause I'll send out a quick fix which is expected to be included in our next release!
Fixes #3984. By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.
This fix is now released in v1.22 🚀! For the blog post: https://aws.github.io/copilot-cli/blogs/release-v122/
Once v1.22 is downloaded, to fix the issue you'd need to run
We have a pipeline running in a build account; it deploys to an environment in another account. If the service hasn't already been deployed to an account, the CloudFormation stage will fail with some variation of an S3 permissions error.
Resource handler returned message: "Your access has been denied by S3, please make sure your request credentials have permission to GetObject for stackset-app-infrastruc-pipelinebuiltartifactbuc-xyz/manual/scripts/custom-resources/envcontrollerfunction/3ffcf03598029891816b7ce2d1ff14fdd8079af4406a0cfeff1d4aa0109dcd7d.zip. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: Lambda, Status Code: 403, Request ID: aae1a382-3a20-4345-80ca-ac160bc75175)" (RequestToken: ccbd59fc-caa1-dd84-e5a9-9b5e871070bb, HandlerErrorCode: AccessDenied)
We are potentially going to have many apps and many environments, so at best this will be very inconvenient. Worse, we restrict access to our prod account, so manual deploys are not possible.