I am using Beanstalk and Codepipeline.
It works fine until build, but
Deployment failed. The provided role does not have sufficient permissions: Failed to deploy application. Service:AWSLogs, Message:User: arn:aws:sts:::assumed-role/pipeline-role/ is not authorized to perform: logs:CreateLogGroup on resource: arn:aws:logs:ap-northeast-2::log-group:/aws/elasticbeanstalk/repo-env/var/log/nginx/error.log:log-stream:
occurs in Beanstalk deployment.
Am I needing permission for the log group?
My Codepipeline Role is
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"opsworks:DescribeStacks",
"devicefarm:GetRun",
"rds:*",
"cloudformation:CreateChangeSet",
"autoscaling:*",
"codebuild:BatchGetBuilds",
"devicefarm:ScheduleRun",
"servicecatalog:ListProvisioningArtifacts",
"devicefarm:ListDevicePools",
"cloudformation:UpdateStack",
"servicecatalog:DescribeProvisioningArtifact",
"cloudformation:DescribeChangeSet",
"devicefarm:ListProjects",
"cloudformation:ExecuteChangeSet",
"sns:*",
"lambda:ListFunctions",
"lambda:InvokeFunction",
"codedeploy:RegisterApplicationRevision",
"devicefarm:CreateUpload",
"cloudformation:*",
"opsworks:DescribeDeployments",
"cloudformation:DescribeStacks",
"codecommit:GetUploadArchiveStatus",
"cloudwatch:*",
"cloudformation:DeleteStack",
"opsworks:DescribeInstances",
"ecs:*",
"ecr:DescribeImages",
"ec2:*",
"codebuild:StartBuild",
"cloudformation:ValidateTemplate",
"opsworks:DescribeApps",
"opsworks:UpdateStack",
"codedeploy:CreateDeployment",
"codedeploy:GetApplicationRevision",
"codedeploy:GetDeploymentConfig",
"servicecatalog:CreateProvisioningArtifact",
"sqs:*",
"cloudformation:DeleteChangeSet",
"codecommit:GetCommit",
"servicecatalog:DeleteProvisioningArtifact",
"codedeploy:GetApplication",
"cloudformation:SetStackPolicy",
"codecommit:UploadArchive",
"s3:*",
"elasticloadbalancing:*",
"codecommit:CancelUploadArchive",
"devicefarm:GetUpload",
"elasticbeanstalk:*",
"opsworks:UpdateApp",
"opsworks:CreateDeployment",
"cloudformation:CreateStack",
"servicecatalog:UpdateProduct",
"codecommit:GetBranch",
"codedeploy:GetDeployment",
"opsworks:DescribeCommands"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEqualsIfExists": {
"iam:PassedToService": [
"cloudformation.amazonaws.com",
"elasticbeanstalk.amazonaws.com",
"ec2.amazonaws.com",
"ecs-tasks.amazonaws.com"
]
}
}
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "codestar-connections:UseConnection",
"Resource": "*"
}
]
}
To resolve the issue - Add "logs:*" in the Actions array of the first block. As this gives permission form EBS to Cloudwatch logs.
Recommendation - I would recommend not adding "*" rather giving minimal permissions based on your requirement. For this case - adding "logs:CreateLogGroup" in the Actions array of the first block
I solved it by adding "CloudWatchLogsFullAccess" in the IAM user permissions policies, directly from the IAM GUI.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With