Code Build Access denied while downloading artifact from S3

Question

My CodeBuild is configured with CodePipeline. S3 is my artifact store. I continue to get an Access denied message despite having attached IAM roles with sufficient access.

Screenshot of the error message

I have already checked the service role associated with Codebuild. It has the following policy attached to it.

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Resource": [
            "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Build",
            "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Build:*"
        ],
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ]
    },
    {
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::codepipeline-ap-southeast-1-*"
        ],
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectVersion"
        ]
    }
]

}

But when I test it using the IAM policy validator I get the following error message.

Based on the accepted answer to this question the policy that I currently have should allow me to get the artifacts from S3 without any problems - AWS Codebuild fails while downloading source. Message: Access Denied

How do I get rid of the access denied message?

Answer 1

This generally happens when you have a CodeBuild project already and you integrate it to a CodePipeline pipeline. When you integrate a Codebuild project with CodePipeline, the project will retrieve it's source from the CodePipeline Source output. Source output will be stored in the artifact store location, which is an S3 bucket, either a default bucket created by CodePipeline or one you specify upon pipeline creation.

So, you will need to provide permissions to the CodeBuild Service role to access the CodePipline bucket in S3. The role will require permissions to put S3 objects in the bucket, as well as get objects.

Policy which i tried and same is working:

{
  "Version": "2012-10-17",
  "Statement": [
{
  "Sid": "CodeBuildDefaultPolicy",
  "Effect": "Allow",
  "Action": [
    "codebuild:*",
    "iam:PassRole"
  ],
  "Resource": "*"      
},
{
  "Sid": "CloudWatchLogsAccessPolicy",
  "Effect": "Allow",
  "Action": [
    "logs:FilterLogEvents",
    "logs:GetLogEvents"
  ],
  "Resource": "*"
},
{
  "Sid": "S3AccessPolicy",
  "Effect": "Allow",
  "Action": [
    "s3:CreateBucket",
    "s3:GetObject",
    "s3:List*",
    "s3:PutObject"
  ],
  "Resource": "*"
  }
 ]
}

Policy Simulator

AWS Reference