 

Unable to execute AWS Pipeline Error: "An error occurred (AccessDenied) when calling the PutObject operation: Access Denied"

Have been trying to set up an AWS pipeline following the tutorial here: https://docs.aws.amazon.com/lambda/latest/dg/build-pipeline.html

But the pipeline continuously fails with the error logs below: [screenshot of the error logs]

Here are some of the actions I have already tried:

  1. Granted full access of S3 to "cfn-lambda-pipeline" role associated with Cloud Formation and Code Pipeline Service Role.

  2. Allowed public ACL access to S3 bucket.

Below is my buildspec.yml

version: 0.2
phases:
  install:
    runtime-versions:
        nodejs: 12
  build:
    commands:
      - npm install
      - export BUCKET=xx-test
      - aws cloudformation package --template-file template.yaml --s3-bucket $BUCKET --output-template-file outputtemplate.yml
artifacts:
  type: zip
  files:
    - template.yml
    - outputtemplate.yml

Below is my template.yaml

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  helloWorld
  DZ Bank API Gateway connectivity helloWorld
  
Globals:
  Function:
    Timeout: 3

Resources:
  HelloWorldFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./
      Handler: app.lambdaHandler
      Runtime: nodejs12.x
      Events:
        HelloWorld:
          Type: Api
          Properties:
            Path: /hello
            Method: get

Kumar Vivek asked Sep 15 '25 20:09


1 Answer

The error is actually related to CodeBuild not CodePipeline. It seems like CodeBuild does not have valid permissions for its attached service role.

From the console you can find the attached service role by performing the following:

  • Go to the CodeBuild console
  • Click "Build Projects" from the menu on the left-hand side
  • Click the radio button next to the build project you're using, then on the top menu click "Edit" and then select the "Edit Source" option.
  • At the bottom of the page will be a section titled "Service role permissions" with the ARN below it.

This IAM role will need to be granted the permissions it requires (in your case "s3:PutObject") if they are not already there.

AWS provides a full policy in the Create a CodeBuild service role documentation.

Chris Williams answered Sep 19 '25 19:09
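
As an added example (not part of the answer above or of AWS's documentation): an offline Python check of whether a set of identity-based policy documents, such as those attached to the CodeBuild service role, allows `s3:PutObject` on objects in the `xx-test` bucket. The policy documents and the object key are constructed samples, and the evaluator is simplified: it skips statements that use `Condition`, `NotAction` or `NotResource`, and ignores bucket policies, permission boundaries and SCPs.

```python
import re

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one character.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, (re.I | re.S) if ignore_case else re.S) is not None

def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action on one resource ARN."""
    allowed = False
    for doc in policies:
        for st in _as_list(doc.get("Statement", [])):
            if any(k in st for k in ("Condition", "NotAction", "NotResource")):
                continue  # simplification: not evaluated here
            if not any(_match(a, action, True) for a in _as_list(st.get("Action", []))):
                continue  # action names are case-insensitive
            if not any(_match(r, resource) for r in _as_list(st.get("Resource", []))):
                continue  # resource ARNs are case-sensitive
            if st.get("Effect") == "Deny":
                return "Deny"  # an explicit deny always wins
            allowed = allowed or st.get("Effect") == "Allow"
    return "Allow" if allowed else "ImplicitDeny"

def policy(effect, actions, resource):
    # Helper (hypothetical, for this example) that wraps one statement in a policy document.
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": effect, "Action": actions, "Resource": resource}]}

# Constructed sample data (not taken from the question's account).
OBJECT_ARN = "arn:aws:s3:::xx-test/0123abcd"  # made-up key for the packaged code
ROLE_AS_CREATED = policy("Allow", ["s3:GetObject", "s3:PutObject"],
                         "arn:aws:s3:::codepipeline-example-*")
BUCKET_ARN_ONLY = policy("Allow", "s3:PutObject", "arn:aws:s3:::xx-test")
OBJECT_GRANT = policy("Allow", "s3:PutObject", "arn:aws:s3:::xx-test/*")

if __name__ == "__main__":
    for name, docs in [("role as created", [ROLE_AS_CREATED]),
                       ("bucket ARN without /*", [ROLE_AS_CREATED, BUCKET_ARN_ONLY]),
                       ("object-level grant", [ROLE_AS_CREATED, OBJECT_GRANT])]:
        print(f"{name}: {evaluate(docs, 's3:PutObject', OBJECT_ARN)}")
```

The middle case shows a common reason a grant appears to be in place but the upload is still denied: `s3:PutObject` acts on objects, so the resource has to be the `/*` form of the bucket ARN rather than the bucket ARN itself.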