Code Build Access denied while downloading artifact from S3

My CodeBuild is configured with CodePipeline. S3 is my artifact store. I continue to get an Access denied message despite having attached IAM roles with sufficient access.

Screenshot of the CodeBuild error message

I have already checked the service role associated with Codebuild. It has the following policy attached to it.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": [
                "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Build",
                "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Build:*"
            ],
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::codepipeline-ap-southeast-1-*"
            ],
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ]
        }
    ]
}

But when I test it using the IAM policy validator I get the following error message.

Screenshot of the IAM policy validator error message

Based on the accepted answer to this question the policy that I currently have should allow me to get the artifacts from S3 without any problems - AWS Codebuild fails while downloading source. Message: Access Denied

How do I get rid of the access denied message?

asked Dec 13 '18 05:12 by Sashi

1 Answer

This generally happens when you have a CodeBuild project already and you integrate it into a CodePipeline pipeline. When you integrate a CodeBuild project with CodePipeline, the project will retrieve its source from the CodePipeline Source output. The Source output will be stored in the artifact store location, which is an S3 bucket, either a default bucket created by CodePipeline or one you specify upon pipeline creation.

So, you will need to give the CodeBuild service role permissions to access the CodePipeline bucket in S3. The role will require permissions to put S3 objects in the bucket, as well as to get objects.

Policy which I tried, and the same is working:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CodeBuildDefaultPolicy",
            "Effect": "Allow",
            "Action": [
                "codebuild:*",
                "iam:PassRole"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchLogsAccessPolicy",
            "Effect": "Allow",
            "Action": [
                "logs:FilterLogEvents",
                "logs:GetLogEvents"
            ],
            "Resource": "*"
        },
        {
            "Sid": "S3AccessPolicy",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:GetObject",
                "s3:List*",
                "s3:PutObject"
            ],
            "Resource": "*"
        }
    ]
}

Screenshot of the Policy Simulator result

AWS Reference

answered Oct 17 '22 01:10 by Yash Bindlish
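The answer's point is that the CodeBuild service role has to reach whichever S3 bucket the pipeline uses as its artifact store, and its working policy gets there by granting S3 actions on "Resource": "*". The question's policy instead scopes the grant to the name pattern "codepipeline-ap-southeast-1-*", which only matches the default bucket CodePipeline creates, not a bucket you named yourself. The script below is an added example, not code from the question, the answer or AWS: it evaluates a policy document against an artifact object ARN using IAM's wildcard rules ("*" matches any run of characters, "?" one character, action names compared case-insensitively, ARNs case-sensitively) so you can see whether the Resource pattern actually covers the bucket, and it builds a replacement policy scoped to that one bucket instead of "*". The bucket names, account ID and KMS key ARN are constructed; the bucket-level actions in the scoped policy (s3:GetBucketAcl, s3:GetBucketLocation) follow the ones the console-generated CodeBuild role carries, and the optional KMS statement is only needed when the artifact store is encrypted with a customer-managed key. Only Action/Resource statements are modelled, which is all either policy on this page uses.

```python
"""Check whether a CodeBuild role policy reaches the CodePipeline artifact
bucket, and build a bucket-scoped replacement for a 'Resource': '*' grant.

Added illustration, not code from the question or answer. All ARNs, bucket
names and account IDs below are constructed examples.
"""
import json
import re


def iam_match(pattern: str, value: str) -> bool:
    """IAM wildcard match: '*' = any run of characters (including '/'),
    '?' = exactly one character. Everything else is literal (no [] classes)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'allow', 'deny' or 'implicit-deny' for one action on one ARN.
    Explicit Deny wins over Allow; no matching statement is an implicit deny.
    Only Action/Resource statements are handled (no NotAction, NotResource
    or Condition), which covers both policies shown on this page."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if "Action" not in stmt or "Resource" not in stmt:
            continue
        # Action names are case-insensitive in IAM; resource ARNs are not.
        act_ok = any(iam_match(a.lower(), action.lower())
                     for a in _as_list(stmt["Action"]))
        res_ok = any(iam_match(r, resource) for r in _as_list(stmt["Resource"]))
        if act_ok and res_ok:
            if stmt["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision


# The question's S3 statement: scoped by name pattern to the default bucket.
QUESTION_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Resource": ["arn:aws:s3:::codepipeline-ap-southeast-1-*"],
        "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion"],
    }],
}

# Constructed artifact object ARNs: one in a CodePipeline default bucket,
# one in a custom artifact store chosen when the pipeline was created.
DEFAULT_BUCKET_OBJECT = ("arn:aws:s3:::codepipeline-ap-southeast-1-123456789012"
                         "/MyPipeline/SourceArti/abc123")
CUSTOM_BUCKET_OBJECT = ("arn:aws:s3:::my-company-build-artifacts"
                        "/MyPipeline/SourceArti/abc123")

ARTIFACT_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion", "s3:PutObject")


def artifact_access(policy: dict, object_arn: str) -> dict:
    """Decision for each object-level action CodeBuild uses on artifacts."""
    return {a: evaluate(policy, a, object_arn) for a in ARTIFACT_ACTIONS}


def artifact_bucket_policy(bucket: str, kms_key_arn: str = "") -> dict:
    """Bucket-scoped alternative to 'Resource': '*'. `bucket` is the value of
    artifactStore.location from `aws codepipeline get-pipeline`. Pass the key
    ARN only if the artifact store uses a customer-managed KMS key (assumed)."""
    statements = [
        {"Sid": "ArtifactObjects", "Effect": "Allow",
         "Action": list(ARTIFACT_ACTIONS),
         "Resource": f"arn:aws:s3:::{bucket}/*"},
        # Bucket-level actions as carried by the console-generated CodeBuild role.
        {"Sid": "ArtifactBucket", "Effect": "Allow",
         "Action": ["s3:GetBucketAcl", "s3:GetBucketLocation"],
         "Resource": f"arn:aws:s3:::{bucket}"},
    ]
    if kms_key_arn:
        statements.append({"Sid": "ArtifactKey", "Effect": "Allow",
                           "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
                           "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    for arn in (DEFAULT_BUCKET_OBJECT, CUSTOM_BUCKET_OBJECT):
        print(arn, artifact_access(QUESTION_S3_POLICY, arn))
    scoped = artifact_bucket_policy("my-company-build-artifacts")
    print(json.dumps(scoped, indent=2))
    print(artifact_access(scoped, CUSTOM_BUCKET_OBJECT))
```

Against a live account the two inputs the script needs come from `aws codepipeline get-pipeline --name <pipeline> --query pipeline.artifactStore` (bucket name and, if set, the encryption key) and the decision can be confirmed with `aws iam simulate-principal-policy --policy-source-arn <CodeBuild role ARN> --action-names s3:GetObject --resource-arns <object ARN>`, which also takes bucket policies and the role's other attached policies into account, something the local evaluator does not.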