Code Build Access denied while downloading artifact from S3

只愿长相守 提交于 2019-12-11 00:37:45

问题


My CodeBuild is configured with CodePipeline. S3 is my artifact store. I continue to get an Access denied message despite having attached IAM roles with sufficient access.

Screenshot of the error message

I have already checked the service role associated with Codebuild. It has the following policy attached to it.

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Resource": [
            "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Build",
            "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Build:*"
        ],
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ]
    },
    {
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::codepipeline-ap-southeast-1-*"
        ],
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectVersion"
        ]
    }
]

}

But when I test it using the IAM policy validator I get the following error message.

Based on the accepted answer to this question the policy that I currently have should allow me to get the artifacts from S3 without any problems - AWS Codebuild fails while downloading source. Message: Access Denied

How do I get rid of the access denied message?


回答1:


This generally happens when you have a CodeBuild project already and you integrate it to a CodePipeline pipeline. When you integrate a Codebuild project with CodePipeline, the project will retrieve it's source from the CodePipeline Source output. Source output will be stored in the artifact store location, which is an S3 bucket, either a default bucket created by CodePipeline or one you specify upon pipeline creation.

So, you will need to provide permissions to the CodeBuild Service role to access the CodePipline bucket in S3. The role will require permissions to put S3 objects in the bucket, as well as get objects.

Policy which i tried and same is working:

{
  "Version": "2012-10-17",
  "Statement": [
{
  "Sid": "CodeBuildDefaultPolicy",
  "Effect": "Allow",
  "Action": [
    "codebuild:*",
    "iam:PassRole"
  ],
  "Resource": "*"      
},
{
  "Sid": "CloudWatchLogsAccessPolicy",
  "Effect": "Allow",
  "Action": [
    "logs:FilterLogEvents",
    "logs:GetLogEvents"
  ],
  "Resource": "*"
},
{
  "Sid": "S3AccessPolicy",
  "Effect": "Allow",
  "Action": [
    "s3:CreateBucket",
    "s3:GetObject",
    "s3:List*",
    "s3:PutObject"
  ],
  "Resource": "*"
  }
 ]
}

Policy Simulator

AWS Reference



来源:https://stackoverflow.com/questions/53755732/code-build-access-denied-while-downloading-artifact-from-s3

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!