Code pipeline fails in source stage from github #12

Open
vaibhavjain11 opened this issue Sep 8, 2019 · 3 comments

Comments

@vaibhavjain11

My AWS CodePipeline role has the S3 full access role. I have configured CodePipeline to download code from GitHub, but it fails in the source stage with this error:

The provided role does not have permissions to perform this action. Underlying error: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: BDA77A60ED10A069; S3 Extended Request ID: nQzv6LKkjAXeL0NjcgysjVj64G/7fVjvkidRS4IYjZrikJa+H1PUBdJXTmu4UD5N2x9zyAJGCdE=)

@stavros-zavrakas

@vaibhavjain11 did you manage to fix this?

@JonShilale

I have this same issue and would like to know if there's a fix I'm missing.

@PolyatomicBrian

Since the Artifact Store (the S3 bucket) is configured to use the CMK as its encryption key, the role of whichever Pipeline stage writes to the Artifact Store needs to have access to the CMK. In the case of the GitHub Pipeline Stage, no IAM Role can be attached to this stage, as it defaults to the CodePipeline's service role. This means the CodePipeline's service role needs to have access to the CMK.

To fix this issue, in ToolsAcct/pre-reqs.yaml, update the statement of the KMSKey resource's KeyPolicy from:

        Statement:
          -
            Sid: Allows admin of the key
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action:
              - "kms:Create*"
              - "kms:Describe*"
              - "kms:Enable*"
              - "kms:List*"
              - "kms:Put*"
              - "kms:Update*"
              - "kms:Revoke*"
              - "kms:Disable*"
              - "kms:Get*"
              - "kms:Delete*"
              - "kms:ScheduleKeyDeletion"
              - "kms:CancelKeyDeletion"
            Resource: "*"
          -
            Sid: Allow use of the key for CryptoGraphy Lambda
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${ProductionAccount}:root
                - !Sub arn:aws:iam::${TestAccount}:root
                - !Sub arn:aws:iam::${DevAccount}:root
                - !If
                  - AddCodeBuildResource
                  - !Sub arn:aws:iam::${AWS::AccountId}:role/${ProjectName}-CodeBuildRole
                  - !Ref AWS::NoValue
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"

To:

        Statement:
          -
            Sid: Allows admin of the key
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action:
              - "kms:Create*"
              - "kms:Describe*"
              - "kms:Enable*"
              - "kms:List*"
              - "kms:Put*"
              - "kms:Update*"
              - "kms:Revoke*"
              - "kms:Disable*"
              - "kms:Get*"
              - "kms:Delete*"
              - "kms:ScheduleKeyDeletion"
              - "kms:CancelKeyDeletion"
            Resource: "*"
          -
            Sid: Allow use of the key for CryptoGraphy Lambda
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${ProductionAccount}:root
                - !Sub arn:aws:iam::${TestAccount}:root
                - !Sub arn:aws:iam::${DevAccount}:root
                - !If
                  - AddCodeBuildResource
                  - !Sub arn:aws:iam::${AWS::AccountId}:role/${ProjectName}-CodeBuildRole
                  - !Ref AWS::NoValue
                - !If
                  - AddCodeBuildResource
                  - !Sub arn:aws:iam::${AWS::AccountId}:role/${ProjectName}-codepipeline-role
                  - !Ref AWS::NoValue
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"

Where the difference is the inclusion of the CodePipeline's service role.
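An added check illustrating the point above, not code from this repository or from anyone in the thread: given a KMS key policy document, it reports which of the key-usage actions a given role ARN is not granted, so the CodePipeline service role can be verified against the policy before the source stage is run. The account ids, role names and policy contents are constructed placeholders; the helper names (`missing_kms_actions`, `REQUIRED_ACTIONS`) are my own.

```python
import fnmatch
import json

# Constructed sample key policy shaped like the "before" policy in this thread:
# only the CodeBuild role (plus the account roots) may use the key. Account ids
# and role names are placeholders, not values from the repository.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allows admin of the key", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Get*"],
         "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:root",
                               "arn:aws:iam::111111111111:role/demo-CodeBuildRole"]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
})

# What a stage that writes an SSE-KMS encrypted artifact needs on the CMK.
REQUIRED_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _aws_principals(statement):
    principal = statement.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))


def missing_kms_actions(key_policy_json, role_arn):
    """Return the REQUIRED_ACTIONS the key policy does not grant to role_arn.

    A grant to the account root is not counted as a grant to the role (that path
    also needs a matching IAM policy, which this check cannot see).
    """
    policy = json.loads(key_policy_json)
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principals = _aws_principals(stmt)
        if role_arn not in principals and "*" not in principals:
            continue
        for pattern in _as_list(stmt.get("Action", [])):  # wildcard actions, e.g. kms:GenerateDataKey*
            granted.update(a for a in REQUIRED_ACTIONS if fnmatch.fnmatchcase(a, pattern))
    return [a for a in REQUIRED_ACTIONS if a not in granted]
```

Run against a real key, the same function can be fed the output of `aws kms get-key-policy --policy-name default`; a non-empty result for the pipeline's service role is the condition that produces the S3 403 in this thread.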
