I got a below issue when I run my aws code pipeline. #5
Comments
Hi @jeetugswm

Has this issue been resolved? I'm encountering the same problem. It seems the ToolsAccount/TestAccount doesn't own the object being uploaded by the DevAccount IAM Role?

+1

@anshrma is it possible to get some feedback on this problem? Would love to implement something similar for our own account, but this seems to be a blocker.
Hi y'all, I have figured out my problem. It might not be the same problem that you guys have encountered, but I am here to post what my problem was. So everything in S3 is encrypted at rest. When you don't specify how you want to encrypt them, objects in S3 will be encrypted by the default KMS key. And other accounts won't be able to get access to objects in the bucket because they don't have that KMS key for decryption. So to get around this issue, you need to create your own KMS key and use it to encrypt (let CodeBuild use this KMS key you have created, in this case). Then allow roles in other accounts to use this key by configuring AssumeRole permissions. From what I see, most S3 access denial happens at not being able to decrypt objects. And this is specified here: Troubleshoot S3 403 Access Denied - encrypted objects will also cause 403 Access Denied. Hopefully this helps y'all. -Floyd

Hi @floydding -- thanks for reaching out with a suggested solution! Unfortunately, the problem is between the Pipeline grabbing the source code from the dev account and it being accessible in the tools account. I think this is due to an incorrect ACL setting of "private" on pipeline artifacts.

@davidkelley I encountered that issue too. I believe that could also be related to the KMS key issue. I think you might need to specify
My personal experience is that @floydding's suggestion to specify If you need to troubleshoot this further, you'd need to
I lost a few hours troubleshooting this exact problem, on a cross-account setup I was creating from scratch, referring to this repository for the occasional copy and paste. When I got the same error as you, I was stuck, and eventually created a ticket. AWS Premium Support was not much help. Hopefully these troubleshooting steps will.

@lestephane thank you so much. Your CloudTrail comment saved me from the hell of AWS non-descriptive error messages and delivered me to the heavens of knowing what the hell is going on.

@lestephane Hello.
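The CloudTrail tip credited above, made concrete as an added example that is not from any commenter in this thread: given a handful of CloudTrail records, list only the denied calls and say whether the denial came from S3 itself or from the KMS key protecting SSE-KMS objects, which is the distinction the thread keeps circling. The role, bucket and key names in the sample records are constructed placeholders.

```python
import re

# Constructed sample CloudTrail records (not real events); role, bucket and key names are placeholders.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "errorCode": "AccessDenied", "errorMessage": "Access Denied",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/EXAMPLE-codebuild-role/AWSCodeBuild-1"},
     "requestParameters": {"bucketName": "EXAMPLE-artifact-bucket", "key": "Infra-Prov/SourceOutp/EEB5s"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:sts::111111111111:assumed-role/EXAMPLE-codebuild-role/AWSCodeBuild-1 "
                     "is not authorized to perform: kms:Decrypt on resource: "
                     "arn:aws:kms:us-east-1:222222222222:key/EXAMPLE-KEY-ID",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/EXAMPLE-codebuild-role/AWSCodeBuild-1"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",  # successful call: no errorCode
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/EXAMPLE-codepipeline-role/1"},
     "requestParameters": {"bucketName": "EXAMPLE-artifact-bucket", "key": "Infra-Prov/SourceOutp/EEB5s"}},
]

DENIED = {"AccessDenied", "AccessDeniedException"}
RESOURCE_RE = re.compile(r"on resource: (\S+)")


def triage_access_denied(events):
    """Reduce CloudTrail records to the denied calls, naming principal, action and resource,
    and whether the fix belongs in S3/IAM permissions or in the KMS key policy."""
    findings = []
    for ev in events:
        if ev.get("errorCode") not in DENIED:
            continue
        service = ev["eventSource"].split(".")[0]
        principal = ev.get("userIdentity", {}).get("arn", "unknown")
        params = ev.get("requestParameters") or {}
        if service == "s3":
            resource = f"arn:aws:s3:::{params.get('bucketName', '?')}/{params.get('key', '')}"
            fix = "grant the S3 action to the caller's role and check the bucket policy/ACL on the object"
        elif service == "kms":
            # KMS names the key in the error message; a 403 on an SSE-KMS object
            # usually surfaces here rather than as an S3 event.
            m = RESOURCE_RE.search(ev.get("errorMessage", ""))
            resource = m.group(1) if m else "?"
            fix = "add the caller's role to the key policy and kms:Decrypt/Encrypt to its identity policy"
        else:
            resource, fix = "?", "inspect the event"
        findings.append({"principal": principal, "action": f"{service}:{ev['eventName']}",
                         "resource": resource, "fix": fix})
    return findings
```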
@quarryman
@jeetugswm It worked for me when I gave S3FullAccess permission to the CodeBuild role.

CodeBuild service account will not have access to the S3 artifacts created by CodeCommit. So you need to find the service account role and add S3 full access, or edit the inline policy to add the S3 bucket with wildcards so that this new bucket's details get included, and then it will work like magic.

Adding S3FullAccess permission to the CodeBuild role works.
This is the policy that worked for me:
I wouldn't recommend giving full S3 access. I added these permissions to the CodeBuildBasePolicy-xxx policy, then edited them to specify the ARN (bucket name) that I wanted to access. That worked for me:

- s3:PutObject
- s3:GetObject
- s3:GetObjectVersion

If the ARN/bucket restriction is hard to figure out then give it access to all buckets; that's still safer than giving full S3 access as you are restricting it to 3 privileges.
Hopefully AWS will update this refarch with CDK definitions, so we can all profit from having least privilege policies. Least privilege policies are much easier to do in CDK.
On Sun, Aug 16, 2020 at 12:59 PM Stefan Richter wrote:

> I wouldn't recommend giving full S3 access. I added these permissions to the CodeBuildBasePolicy-xxx policy, then edited them to specify the ARN (bucket name) that I wanted to access. That worked for me
>
> s3:PutObject
> s3:GetObject
> s3:GetObjectVersion
>
> If the ARN/bucket restriction is hard to figure out then give it access to all buckets, that's still safer than giving full S3 access as you are restricting it to 3 privileges.
Exactly what I needed. I was setting up the pipeline for learning purposes and, mostly, this is what you need.

☝🏾 This works. @lestephane and @tomarv2 also made great additions. If you are running a pipeline with CodeBuild AND a custom KMS key, make sure that the pipeline service role and the build service role have encrypt/decrypt access to the KMS key if you're using one. This is what I had to add to my KMS key policy.
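An added example, not a policy posted by anyone in this thread, that combines Stefan Richter's least-privilege suggestion with the KMS key policy point above: a scoped identity policy for the CodeBuild role, a key-policy statement naming the pipeline, build and cross-account roles, and a small lint that flags the S3FullAccess shortcut. Every ARN is a placeholder to be replaced with your own.

```python
import json

# Placeholder ARNs (assumed, not from the thread): substitute your artifact bucket, key and roles.
ARTIFACT_BUCKET_ARN = "arn:aws:s3:::EXAMPLE-artifact-bucket"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"
PIPELINE_ROLE_ARN = "arn:aws:iam::111111111111:role/EXAMPLE-codepipeline-role"
BUILD_ROLE_ARN = "arn:aws:iam::111111111111:role/EXAMPLE-codebuild-role"
DEV_ACCOUNT_ROLE_ARN = "arn:aws:iam::222222222222:role/EXAMPLE-dev-account-role"

S3_OBJECT_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject"]
KMS_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"]


def codebuild_artifact_policy(bucket_arn, key_arn):
    """Identity policy for the CodeBuild role: the three S3 actions named in the thread,
    limited to objects in the artifact bucket, plus use of the key those objects are encrypted with."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ArtifactObjects", "Effect": "Allow", "Action": S3_OBJECT_ACTIONS,
         "Resource": f"{bucket_arn}/*"},
        {"Sid": "ArtifactKey", "Effect": "Allow", "Action": KMS_USE_ACTIONS, "Resource": key_arn}]}


def kms_key_policy_statement(role_arns):
    """Key-policy statement letting the named roles, including roles in other accounts, use the
    key. A cross-account role still needs the same kms actions in its own identity policy."""
    return {"Sid": "AllowPipelineRolesToUseKey", "Effect": "Allow",
            "Principal": {"AWS": list(role_arns)}, "Action": KMS_USE_ACTIONS, "Resource": "*"}


def overly_broad_statements(identity_policy):
    """Sids (or indexes) of Allow statements in an identity policy that grant every S3 action or
    apply to every resource, i.e. the S3FullAccess shortcut suggested earlier in the thread."""
    broad = []
    for i, st in enumerate(identity_policy["Statement"]):
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        wide = any(a in ("*", "s3:*") for a in actions) or "*" in resources
        if st.get("Effect") == "Allow" and wide:
            broad.append(st.get("Sid", i))
    return broad


if __name__ == "__main__":
    policy = codebuild_artifact_policy(ARTIFACT_BUCKET_ARN, KMS_KEY_ARN)
    print(json.dumps(policy, indent=2))
    print(json.dumps(kms_key_policy_statement(
        [PIPELINE_ROLE_ARN, BUILD_ROLE_ARN, DEV_ACCOUNT_ROLE_ARN]), indent=2))
    print("overly broad statements:", overly_broad_statements(policy))
```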
Thanks @floydding, I think that in my case it really was an issue with the KMS key. I had created an S3 bucket outside CodePipeline, and the source stage could in fact create the SourceArtifact but, funnily enough, the build stage could not read or access it. This time I just let CodePipeline create the S3 bucket and configure its role to interact with it and voilà! It could be some other issue, but that would need more testing.

+1

I had a similar issue and the solution was to grant permissions via the KMS resource-based policy.
I am getting the same error while CodePipeline is trying to trigger CodeBuild. Here is the S3 artifact bucket that I have used:
I have used the above encryption for the bucket. Could anyone please help with what IAM policy I should add to the IAM user to avoid the error:
This is the policy that I am currently using for the IAM user of CodePipeline
Never mind, I found the solution. In my case, I had to give S3 access to CodeBuild in addition to the CodePipeline IAM role.

Can anybody help???

I ran into this error recently. In my case, I was using an AWS CodeStar connection with CodePipeline, and it had permission to use the connection; however, CodeBuild did not have sufficient permission (I was passing git clone meta information to CodeBuild). I added the required permission to CodeBuild, and I was able to resolve the issue:
However, as a lot of folks have explained, you would run into this issue if your CodeBuild does not have permission to the KMS key used to encrypt.

I read all previous comments; in my case I modified the CodeBuild role, adding access to the S3 bucket. Now it is working.
```
AccessDenied: Access Denied status code: 403, request id: D18C063FBD, host id: q8QSdgeMXd9GzqiHAn9aR7e+Qh5TNjYfRjbXxQP73FZbZWjFj78IXQ= for primary source and source version arn:aws:s3:::pre-reqartifactbucket-1btcbp1ce/Infra-Prov/SourceOutp/EEB5s
```
I have given full S3 access but still have the access issue, and I've tried a lot.
Please let me know the solution to avoid this.
Originally posted by @jeetugswm in #1 (comment)