
AWS Codepipeline: Deployment failed. The provided role does not have sufficient permissions: Failed to deploy application

I am using Beanstalk and Codepipeline.

It works fine until build, but

Deployment failed. The provided role does not have sufficient permissions: Failed to deploy application. Service:AWSLogs, Message:User: arn:aws:sts:::assumed-role/pipeline-role/ is not authorized to perform: logs:CreateLogGroup on resource: arn:aws:logs:ap-northeast-2::log-group:/aws/elasticbeanstalk/repo-env/var/log/nginx/error.log:log-stream:

occurs in Beanstalk deployment.

Do I need permission for the log group?

My Codepipeline Role is

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "opsworks:DescribeStacks",
                "devicefarm:GetRun",
                "rds:*",
                "cloudformation:CreateChangeSet",
                "autoscaling:*",
                "codebuild:BatchGetBuilds",
                "devicefarm:ScheduleRun",
                "servicecatalog:ListProvisioningArtifacts",
                "devicefarm:ListDevicePools",
                "cloudformation:UpdateStack",
                "servicecatalog:DescribeProvisioningArtifact",
                "cloudformation:DescribeChangeSet",
                "devicefarm:ListProjects",
                "cloudformation:ExecuteChangeSet",
                "sns:*",
                "lambda:ListFunctions",
                "lambda:InvokeFunction",
                "codedeploy:RegisterApplicationRevision",
                "devicefarm:CreateUpload",
                "cloudformation:*",
                "opsworks:DescribeDeployments",
                "cloudformation:DescribeStacks",
                "codecommit:GetUploadArchiveStatus",
                "cloudwatch:*",
                "cloudformation:DeleteStack",
                "opsworks:DescribeInstances",
                "ecs:*",
                "ecr:DescribeImages",
                "ec2:*",
                "codebuild:StartBuild",
                "cloudformation:ValidateTemplate",
                "opsworks:DescribeApps",
                "opsworks:UpdateStack",
                "codedeploy:CreateDeployment",
                "codedeploy:GetApplicationRevision",
                "codedeploy:GetDeploymentConfig",
                "servicecatalog:CreateProvisioningArtifact",
                "sqs:*",
                "cloudformation:DeleteChangeSet",
                "codecommit:GetCommit",
                "servicecatalog:DeleteProvisioningArtifact",
                "codedeploy:GetApplication",
                "cloudformation:SetStackPolicy",
                "codecommit:UploadArchive",
                "s3:*",
                "elasticloadbalancing:*",
                "codecommit:CancelUploadArchive",
                "devicefarm:GetUpload",
                "elasticbeanstalk:*",
                "opsworks:UpdateApp",
                "opsworks:CreateDeployment",
                "cloudformation:CreateStack",
                "servicecatalog:UpdateProduct",
                "codecommit:GetBranch",
                "codedeploy:GetDeployment",
                "opsworks:DescribeCommands"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEqualsIfExists": {
                    "iam:PassedToService": [
                        "cloudformation.amazonaws.com",
                        "elasticbeanstalk.amazonaws.com",
                        "ec2.amazonaws.com",
                        "ecs-tasks.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "codestar-connections:UseConnection",
            "Resource": "*"
        }
    ]
}
COLEAN asked Dec 31 '22 03:12


2 Answers

To resolve the issue, add "logs:*" to the Actions array of the first block, as this gives permission from EBS to CloudWatch Logs.

Recommendation: I would recommend not adding "*", but rather giving minimal permissions based on your requirement. In this case, add "logs:CreateLogGroup" to the Actions array of the first block.

Ritesh Kumar Reddy Kuchukulla answered May 20 '23 22:05
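
The least-privilege route recommended above, as an added example that is not part of the original answer: this Python sketch parses the error quoted in the question, shows that "cloudwatch:*" does not cover the separate "logs:" action namespace, and builds a statement for only the denied action. The policy excerpt, the ACCOUNT_ID placeholder, the function names and the simplified matcher (no Deny or Condition handling) are assumptions.

```python
import re

# Error text as quoted in the question (account ID and session name are elided there).
DENIED = ("User: arn:aws:sts:::assumed-role/pipeline-role/ is not authorized to perform: "
          "logs:CreateLogGroup on resource: arn:aws:logs:ap-northeast-2::log-group:"
          "/aws/elasticbeanstalk/repo-env/var/log/nginx/error.log:log-stream:")

# Constructed excerpt of the question's role policy (three of its actions).
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudwatch:*", "elasticbeanstalk:*", "s3:*"], "Resource": "*"}]}

def parse_denied(message):
    """Extract principal, action and resource from an IAM 'not authorized' message."""
    m = re.search(r"User: (\S+) is not authorized to perform: (\S+) on resource: (\S+)", message)
    if not m:
        raise ValueError("not an IAM authorization failure message")
    return dict(zip(("principal", "action", "resource"), m.groups()))

def _wild(pattern, value, flags=0):
    """IAM-style wildcard match: * is any run of characters, ? is one character."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags | re.S) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource):
    """Simplified check: unconditional Allow statements only; ignores Deny, Condition, NotAction."""
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        if (any(_wild(a, action, re.I) for a in _as_list(st.get("Action", [])))
                and any(_wild(r, resource) for r in _as_list(st.get("Resource", [])))):
            return True
    return False

def minimal_statement(denied, account="ACCOUNT_ID"):
    """Allow only the denied action, scoped to the environment's log-group prefix.
    ACCOUNT_ID is a placeholder used when the ARN's account field is empty."""
    p = denied["resource"].split(":", 6)       # arn, partition, service, region, account, type, name
    group = p[6].split(":")[0]                 # drop the ':log-stream:' suffix
    prefix = "/".join(group.split("/")[:4])    # /aws/elasticbeanstalk/<environment>
    arn = ":".join(p[:4] + [p[4] or account, p[5], prefix + "/*"])
    return {"Sid": "AllowDeniedLogsAction", "Effect": "Allow",
            "Action": denied["action"], "Resource": arn}

if __name__ == "__main__":
    import json
    d = parse_denied(DENIED)
    print("allowed by current policy:", allows(POLICY, d["action"], d["resource"]))
    print(json.dumps(minimal_statement(d), indent=4))
```

If a later deployment reports another denied "logs:" action, the same parse-and-scope step can be repeated for that action instead of widening the grant to "logs:*".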


I solved it by adding "CloudWatchLogsFullAccess" in the IAM user permissions policies, directly from the IAM GUI.

Rexcirus answered May 20 '23 22:05