Receive "Not authorized to perform DescribeSecurityGroups" when creating new Project in AWS CodeBuild

I am trying to create a new project in AWS CodeBuild. Every time I attempt to, I receive the following error:

Not authorized to perform DescribeSecurityGroups

Any help would be greatly appreciated.

Jackson asked Oct 16 '18 20:10

1 Answer

I had this same issue when using CloudFormation. The issue was that the IAM role was being created before CodeBuild started creation, but the Policy attached to the IAM role was being created after CodeBuild was created.

The remedy for this was to add a DependsOn to CodeBuild saying it needs the Policy to be created first.

Ex:

  # Service role that CodeBuild assumes; the trust policy only allows the CodeBuild service principal.
  CodeBuildIamRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: 'CodeBuildAutomatedTestingRole'
      AssumeRolePolicyDocument:
        Statement:
          - Action: 'sts:AssumeRole'
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
      Path: /
  # Standalone policy attached to the role. Because it is a separate resource,
  # nothing forces it to exist before the CodeBuild project is created.
  CodeBuildIamPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: !Sub 'CodeBuildServiceRolePolicy-${AWS::StackName}'
      PolicyDocument:
        Statement:
          - Action:
              - 's3:PutObject'
              - 's3:GetObject'
              - 's3:GetObjectVersion'
              - 's3:ListBucket'
            Effect: Allow
            Resource: '*'
          - Action:
              - 'logs:CreateLogGroup'
              - 'logs:CreateLogStream'
              - 'logs:PutLogEvents'
              # The ec2:* actions are what CodeBuild needs to place the build in a VPC;
              # ec2:DescribeSecurityGroups is the one named in the error above.
              - 'ec2:CreateNetworkInterface'
              - 'ec2:DescribeDhcpOptions'
              - 'ec2:DescribeNetworkInterfaces'
              - 'ec2:DeleteNetworkInterface'
              - 'ec2:DescribeSubnets'
              - 'ec2:DescribeSecurityGroups'
              - 'ec2:DescribeVpcs'
              - 'ec2:CreateNetworkInterfacePermission'
              # 'ecr:*' on Resource '*' is broader than a build usually needs; scope it to the
              # repositories the project actually pulls from or pushes to where possible.
              - 'ecr:*'
              - ...
            Effect: Allow
            Resource:
              - '*'
      Roles:
        - !Ref CodeBuildIamRole
  # DependsOn makes CloudFormation create the policy (and so the attachment) before the project.
  CodeBuild:
    DependsOn:
      - CodeBuildIamPolicy
    Type: "AWS::CodeBuild::Project"
    Properties:
      ...

Hopefully this is helpful

Lucas A answered Oct 07 '22 02:10
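The ordering problem described in the answer can be caught before a deploy by linting the template: a project whose ServiceRole points at a role in the same template, where a standalone AWS::IAM::Policy (or AWS::IAM::ManagedPolicy) lists that role in its Roles but the project carries no DependsOn on that policy. The script below is an added example and is not code from the question or the answer; the template it parses is a constructed JSON-form stand-in for the YAML above (resource names CodeBuildNoDeps and CodeBuildWithDeps are made up), so it runs offline with the standard library only. It generalizes slightly beyond the answer by also handling the Ref and "Role.Arn" GetAtt spellings and by treating inline Policies on the role as safe, since those are created with the role itself.

```python
"""Lint a CloudFormation template (JSON form) for AWS::CodeBuild::Project resources
that may be created before the policies granting their service role are attached."""
import json

CODEBUILD_TYPE = "AWS::CodeBuild::Project"
# Standalone policy resources carry a Roles list and are created independently of the role.
POLICY_TYPES = ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy")


def role_logical_id(service_role):
    """Logical ID of the role a ServiceRole property points at, or None if it is a
    literal ARN (a role outside this template, so there is nothing to order)."""
    if isinstance(service_role, dict):
        if "Fn::GetAtt" in service_role:
            target = service_role["Fn::GetAtt"]
            return target.split(".")[0] if isinstance(target, str) else target[0]
        if "Ref" in service_role:
            return service_role["Ref"]
    return None


def policies_attached_to(resources, role_id):
    """Logical IDs of standalone policy resources whose Roles list references role_id."""
    attached = []
    for name, res in resources.items():
        if res.get("Type") not in POLICY_TYPES:
            continue
        for role_ref in res.get("Properties", {}).get("Roles", []):
            if isinstance(role_ref, dict) and role_ref.get("Ref") == role_id:
                attached.append(name)
    return attached


def depends_on(res):
    """DependsOn may be a single string or a list; normalize to a list."""
    dep = res.get("DependsOn", [])
    return [dep] if isinstance(dep, str) else list(dep)


def find_missing_depends_on(template):
    """Return (project, role, policy) triples where the project does not DependsOn the policy."""
    resources = template.get("Resources", {})
    findings = []
    for name, res in resources.items():
        if res.get("Type") != CODEBUILD_TYPE:
            continue
        role_id = role_logical_id(res.get("Properties", {}).get("ServiceRole"))
        if role_id is None:
            continue
        deps = set(depends_on(res))
        for policy in policies_attached_to(resources, role_id):
            if policy not in deps:
                findings.append((name, role_id, policy))
    return findings


# Constructed sample template (JSON form of the answer's YAML, trimmed); not from the page.
SAMPLE_TEMPLATE = json.loads(r'''
{
  "Resources": {
    "CodeBuildIamRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {"AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": {"Service": "codebuild.amazonaws.com"},
         "Action": "sts:AssumeRole"}]}}
    },
    "CodeBuildIamPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "CodeBuildServiceRolePolicy",
        "PolicyDocument": {"Statement": [{"Effect": "Allow", "Resource": "*",
          "Action": ["ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs"]}]},
        "Roles": [{"Ref": "CodeBuildIamRole"}]
      }
    },
    "CodeBuildNoDeps": {
      "Type": "AWS::CodeBuild::Project",
      "Properties": {"Name": "no-deps", "ServiceRole": {"Fn::GetAtt": ["CodeBuildIamRole", "Arn"]}}
    },
    "CodeBuildWithDeps": {
      "Type": "AWS::CodeBuild::Project",
      "DependsOn": ["CodeBuildIamPolicy"],
      "Properties": {"Name": "with-deps", "ServiceRole": {"Fn::GetAtt": ["CodeBuildIamRole", "Arn"]}}
    }
  }
}
''')

if __name__ == "__main__":
    for project, role, policy in find_missing_depends_on(SAMPLE_TEMPLATE):
        print(f"{project}: add DependsOn: [{policy}] (policy attached to {role})")
```

Only CodeBuildNoDeps is reported; CodeBuildWithDeps already declares the dependency. After the stack is deployed, the same permission question can be answered against live IAM with the `simulate_principal_policy` API on the role's ARN for the `ec2:Describe*` actions, which tells you whether the policy attachment actually landed.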