Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

AWS Error: "Access Denied" in CodeDeploy after Jenkins build

I've set up Jenkins on an EC2 instance that runs build when changes pushed to the master branch in github. Once the build on jenkins passes, it triggers a process to zip the source code and puts it in a specific S3 bucket. Then the CodeDeploy application that Jenkins is aware of in the configuration and triggers a deploy to tries to get the source code ZIP from S3, but it raises an error Access Denied. It seems like the IAM role does not have the right access and permissions to download the ZIP from S3.

My issue is trying to understand the IAM role, its relationship to Jenkins user and the IAM Service Role? How do I set up the permissions and who should get these permissions? Please advise and help me understand this.

like image 867
nael Avatar asked Dec 06 '16 17:12

nael


People also ask

What should be checked first when an AWS CodeDeploy deployment fails?

Check the format of your AppSpec file. For more information, see Add an application specification file to a revision for CodeDeploy and CodeDeploy AppSpec File reference. Check your Amazon S3 bucket or GitHub repository to verify your application revision is in the expected location.

Why am I getting an access denied error message when I upload files to my Amazon S3 bucket that has AWS kms default encryption?

This error message indicates that your IAM user or role needs permission for the kms:GenerateDataKey and kms:Decrypt actions. Follow these steps to add permissions for kms:GenerateDataKey and kms:Decrypt: 1. Open the IAM console.

Why am I getting an HTTP 403 Forbidden error when I try to upload files using the Amazon S3 console?

The "403 Forbidden" error can occur due to the following reasons: Permissions are missing for s3:PutObject to add an object or s3:PutObjectAcl to modify the object's ACL. You don't have permission to use an AWS Key Management Service (AWS KMS) key. There is an explicit deny statement in the bucket policy.

What changes do you need to make to your code to deploy using AWS CodeDeploy?

You don't need to make any changes to your code. You simply add a configuration file (called an AppSpec file) in the root directory of your revision bundle that specifies the files to be copied and scripts to be executed. Q: How can I deploy an application from my source control system using AWS CodeDeploy?


1 Answers

There are typically two scenarios in the CodeDeploy setup... the part that 'creates' the deployment (typically your CI server/build agent) and the CodeDeploy agent that runs on the target instance(s) and does the actual deployment. The first half is essentially pushing into the CodeDeployment and the second half is pulling from it... that's how I like to visualize it.

For the CI server/build agents, they should have an IAM role with permissions like follows... This allows the build agent to (1) access the S3 bucket you've designated for deployment and (2) access the CodeDeploy service to create revisions, etc.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::YourDeploymentBucket"
        },
        {
            "Effect": "Allow",
            "Action": [
                "codedeploy:*"
            ],
            "Resource": "*"
        }
    ]
}

On the target EC2 instances, they need to have something like this... This gives the CodeDeploy agent service (1) access to the S3 bucket to pull the revision and (2) access to all the generic code-deploy buckets so the agent can update itself. Of course, those instances need to meet all other criteria... generally, they need an IAM role and need to have the code deploy agent installed.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::YourDeploymentBucket/*",
                "arn:aws:s3:::aws-codedeploy-us-east-1/*",
                "arn:aws:s3:::aws-codedeploy-us-west-1/*",
                "arn:aws:s3:::aws-codedeploy-us-west-2/*",
                "arn:aws:s3:::aws-codedeploy-ap-northeast-1/*",
                "arn:aws:s3:::aws-codedeploy-ap-northeast-2/*",
                "arn:aws:s3:::aws-codedeploy-ap-south-1/*",
                "arn:aws:s3:::aws-codedeploy-ap-southeast-1/*",
                "arn:aws:s3:::aws-codedeploy-ap-southeast-2/*",
                "arn:aws:s3:::aws-codedeploy-eu-central-1/*",
                "arn:aws:s3:::aws-codedeploy-eu-west-1/*",
                "arn:aws:s3:::aws-codedeploy-sa-east-1/*"
            ]
        }
    ]
}

How you assign these permission is up to you... if your build agents are EC2 instances, it would be best to assign these as a Policy attached to the IAM role associated with the instance(s). For the target deployment machines, you would do the same... create a policy and assign that to the IAM roles associated with the instances that you want to target.

like image 104
Brett Green Avatar answered Oct 07 '22 12:10

Brett Green