Menu
I am using Beanstalk and Codepipeline.
It works fine until build, but
Deployment failed. The provided role does not have sufficient permissions: Failed to deploy application. Service:AWSLogs, Message:User: arn:aws:sts:::assumed-role/pipeline-role/ is not authorized to perform: logs:CreateLogGroup on resource: arn:aws:logs:ap-northeast-2::log-group:/aws/elasticbeanstalk/repo-env/var/log/nginx/error.log:log-stream:
occurs in Beanstalk deployment.
Am I needing permission for the log group?
My Codepipeline Role is
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"opsworks:DescribeStacks",
"devicefarm:GetRun",
"rds:*",
"cloudformation:CreateChangeSet",
"autoscaling:*",
"codebuild:BatchGetBuilds",
"devicefarm:ScheduleRun",
"servicecatalog:ListProvisioningArtifacts",
"devicefarm:ListDevicePools",
"cloudformation:UpdateStack",
"servicecatalog:DescribeProvisioningArtifact",
"cloudformation:DescribeChangeSet",
"devicefarm:ListProjects",
"cloudformation:ExecuteChangeSet",
"sns:*",
"lambda:ListFunctions",
"lambda:InvokeFunction",
"codedeploy:RegisterApplicationRevision",
"devicefarm:CreateUpload",
"cloudformation:*",
"opsworks:DescribeDeployments",
"cloudformation:DescribeStacks",
"codecommit:GetUploadArchiveStatus",
"cloudwatch:*",
"cloudformation:DeleteStack",
"opsworks:DescribeInstances",
"ecs:*",
"ecr:DescribeImages",
"ec2:*",
"codebuild:StartBuild",
"cloudformation:ValidateTemplate",
"opsworks:DescribeApps",
"opsworks:UpdateStack",
"codedeploy:CreateDeployment",
"codedeploy:GetApplicationRevision",
"codedeploy:GetDeploymentConfig",
"servicecatalog:CreateProvisioningArtifact",
"sqs:*",
"cloudformation:DeleteChangeSet",
"codecommit:GetCommit",
"servicecatalog:DeleteProvisioningArtifact",
"codedeploy:GetApplication",
"cloudformation:SetStackPolicy",
"codecommit:UploadArchive",
"s3:*",
"elasticloadbalancing:*",
"codecommit:CancelUploadArchive",
"devicefarm:GetUpload",
"elasticbeanstalk:*",
"opsworks:UpdateApp",
"opsworks:CreateDeployment",
"cloudformation:CreateStack",
"servicecatalog:UpdateProduct",
"codecommit:GetBranch",
"codedeploy:GetDeployment",
"opsworks:DescribeCommands"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEqualsIfExists": {
"iam:PassedToService": [
"cloudformation.amazonaws.com",
"elasticbeanstalk.amazonaws.com",
"ec2.amazonaws.com",
"ecs-tasks.amazonaws.com"
]
}
}
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "codestar-connections:UseConnection",
"Resource": "*"
}
]
}
629
To resolve the issue - Add "logs:*" in the Actions array of the first block. As this gives permission form EBS to Cloudwatch logs.
Recommendation - I would recommend not adding "*" rather giving minimal permissions based on your requirement. For this case - adding "logs:CreateLogGroup" in the Actions array of the first block
149
I solved it by adding "CloudWatchLogsFullAccess" in the IAM user permissions policies, directly from the IAM GUI.
35
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
