AWS Error: "Access Denied" in CodeDeploy after Jenkins build

Question

I've set up Jenkins on an EC2 instance that runs build when changes pushed to the master branch in github. Once the build on jenkins passes, it triggers a process to zip the source code and puts it in a specific S3 bucket. Then the CodeDeploy application that Jenkins is aware of in the configuration and triggers a deploy to tries to get the source code ZIP from S3, but it raises an error Access Denied. It seems like the IAM role does not have the right access and permissions to download the ZIP from S3.

My issue is trying to understand the IAM role, its relationship to Jenkins user and the IAM Service Role? How do I set up the permissions and who should get these permissions? Please advise and help me understand this.

Answer 1

There are typically two scenarios in the CodeDeploy setup... the part that 'creates' the deployment (typically your CI server/build agent) and the CodeDeploy agent that runs on the target instance(s) and does the actual deployment. The first half is essentially pushing into the CodeDeployment and the second half is pulling from it... that's how I like to visualize it.

For the CI server/build agents, they should have an IAM role with permissions like follows... This allows the build agent to (1) access the S3 bucket you've designated for deployment and (2) access the CodeDeploy service to create revisions, etc.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::YourDeploymentBucket"
        },
        {
            "Effect": "Allow",
            "Action": [
                "codedeploy:*"
            ],
            "Resource": "*"
        }
    ]
}

On the target EC2 instances, they need to have something like this... This gives the CodeDeploy agent service (1) access to the S3 bucket to pull the revision and (2) access to all the generic code-deploy buckets so the agent can update itself. Of course, those instances need to meet all other criteria... generally, they need an IAM role and need to have the code deploy agent installed.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::YourDeploymentBucket/*",
                "arn:aws:s3:::aws-codedeploy-us-east-1/*",
                "arn:aws:s3:::aws-codedeploy-us-west-1/*",
                "arn:aws:s3:::aws-codedeploy-us-west-2/*",
                "arn:aws:s3:::aws-codedeploy-ap-northeast-1/*",
                "arn:aws:s3:::aws-codedeploy-ap-northeast-2/*",
                "arn:aws:s3:::aws-codedeploy-ap-south-1/*",
                "arn:aws:s3:::aws-codedeploy-ap-southeast-1/*",
                "arn:aws:s3:::aws-codedeploy-ap-southeast-2/*",
                "arn:aws:s3:::aws-codedeploy-eu-central-1/*",
                "arn:aws:s3:::aws-codedeploy-eu-west-1/*",
                "arn:aws:s3:::aws-codedeploy-sa-east-1/*"
            ]
        }
    ]
}

How you assign these permission is up to you... if your build agents are EC2 instances, it would be best to assign these as a Policy attached to the IAM role associated with the instance(s). For the target deployment machines, you would do the same... create a policy and assign that to the IAM roles associated with the instances that you want to target.