Phaedrus

Reputation: 51

AWS deployment fails with Insufficient permission: The provided role does not have the Elasticbeanstalk:UpdateEnvironment permission

So, I'm pretty new to AWS, and have a simple pipeline built with AWS CodeStar. Source -> Application -> Beta. I'm trying to deploy to a beta site, and I get this failure.

I tried following the instructions on http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html, but ran into the issue where Step 3 says “Choose the AWS Service role type, and then choose the service that you want to allow to assume this role.” But this isn’t what I see. I don’t see the ability to choose CodePipeline, which I'm assuming is the service that needs access to Elastic Beanstalk.

I thought I might have misunderstood the service they were talking about and tried the other way, of selecting Elastic Beanstalk, but that diverged from the instructions as well.

I tried this page: http://docs.aws.amazon.com/codepipeline/latest/userguide/how-to-custom-role.html#view-default-service-role-policy, but cannot figure out how they created the default AWS CodePipeline Service Role Policy

*************** Update ********************

Here is a screenshot of the whole pipeline

Here is the AWSCodeStarServiceRole policy

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "ProjectEventRules",
        "Effect": "Allow",
        "Action": [
            "events:PutTargets",
            "events:RemoveTargets",
            "events:PutRule",
            "events:DeleteRule",
            "events:DescribeRule"
        ],
        "Resource": [
            "arn:aws:events:*:*:rule/awscodestar-*"
        ]
    },
    {
        "Sid": "ProjectStack",
        "Effect": "Allow",
        "Action": [
            "cloudformation:*Stack*",
            "cloudformation:CreateChangeSet",
            "cloudformation:ExecuteChangeSet",
            "cloudformation:DeleteChangeSet",
            "cloudformation:GetTemplate"
        ],
        "Resource": [
            "arn:aws:cloudformation:*:*:stack/awscodestar-*",
            "arn:aws:cloudformation:*:*:stack/awseb-*",
            "arn:aws:cloudformation:*:*:stack/aws-cloud9-*",
            "arn:aws:cloudformation:*:aws:transform/CodeStar*"
        ]
    },
    {
        "Sid": "ProjectStackTemplate",
        "Effect": "Allow",
        "Action": [
            "cloudformation:GetTemplateSummary",
            "cloudformation:DescribeChangeSet"
        ],
        "Resource": "*"
    },
    {
        "Sid": "ProjectQuickstarts",
        "Effect": "Allow",
        "Action": [
            "s3:GetObject"
        ],
        "Resource": [
            "arn:aws:s3:::awscodestar-*/*"
        ]
    },
    {
        "Sid": "ProjectS3Buckets",
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::aws-codestar-*",
            "arn:aws:s3:::aws-codestar-*/*",
            "arn:aws:s3:::elasticbeanstalk-*",
            "arn:aws:s3:::elasticbeanstalk-*/*"
        ]
    },
    {
        "Sid": "ProjectServices",
        "Effect": "Allow",
        "Action": [
            "codestar:*Project",
            "codestar:*Resource*",
            "codestar:List*",
            "codestar:Describe*",
            "codestar:Get*",
            "codestar:AssociateTeamMember",
            "codecommit:*",
            "codepipeline:*",
            "codedeploy:*",
            "codebuild:*",
            "ec2:RunInstances",
            "autoscaling:*",
            "cloudwatch:Put*",
            "ec2:*",
            "elasticbeanstalk:*",
            "elasticloadbalancing:*",
            "iam:ListRoles",
            "logs:*",
            "sns:*",
            "cloud9:CreateEnvironmentEC2",
            "cloud9:DeleteEnvironment",
            "cloud9:DescribeEnvironment*",
            "cloud9:ListEnvironments"
        ],
        "Resource": "*"
    },
    {
        "Sid": "ProjectWorkerRoles",
        "Effect": "Allow",
        "Action": [
            "iam:AttachRolePolicy",
            "iam:CreateRole",
            "iam:DeleteRole",
            "iam:DeleteRolePolicy",
            "iam:DetachRolePolicy",
            "iam:GetRole",
            "iam:PassRole",
            "iam:PutRolePolicy",
            "iam:SetDefaultPolicyVersion",
            "iam:CreatePolicy",
            "iam:DeletePolicy",
            "iam:AddRoleToInstanceProfile",
            "iam:CreateInstanceProfile",
            "iam:DeleteInstanceProfile",
            "iam:RemoveRoleFromInstanceProfile"
        ],
        "Resource": [
            "arn:aws:iam::*:role/CodeStarWorker*",
            "arn:aws:iam::*:policy/CodeStarWorker*",
            "arn:aws:iam::*:instance-profile/awscodestar-*"
        ]
    },
    {
        "Sid": "ProjectTeamMembers",
        "Effect": "Allow",
        "Action": [
            "iam:AttachUserPolicy",
            "iam:DetachUserPolicy"
        ],
        "Resource": "*",
        "Condition": {
            "ArnEquals": {
                "iam:PolicyArn": [
                    "arn:aws:iam::*:policy/CodeStar_*"
                ]
            }
        }
    },
    {
        "Sid": "ProjectRoles",
        "Effect": "Allow",
        "Action": [
            "iam:CreatePolicy",
            "iam:DeletePolicy",
            "iam:CreatePolicyVersion",
            "iam:DeletePolicyVersion",
            "iam:ListEntitiesForPolicy",
            "iam:ListPolicyVersions"
        ],
        "Resource": [
            "arn:aws:iam::*:policy/CodeStar_*"
        ]
    },
    {
        "Sid": "InspectServiceRole",
        "Effect": "Allow",
        "Action": [
            "iam:ListAttachedRolePolicies"
        ],
        "Resource": [
            "arn:aws:iam::*:role/aws-codestar-service-role",
            "arn:aws:iam::*:role/service-role/aws-codestar-service-role"
        ]
    },
    {
        "Sid": "IAMLinkRole",
        "Effect": "Allow",
        "Action": [
            "iam:CreateServiceLinkedRole"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "iam:AWSServiceName": "cloud9.amazonaws.com"
            }
        }
    }
]
}

Also, I cannot update the permissions on the role, because it says it is an Amazon-created role and is read-only.

I'm guessing it is something simple that I'm missing, and well, I'm missing it!

Thanks in advance!

Upvotes: 0

Views: 3402

Answers (2)

Phaedrus

Reputation: 51

After trying many ways to adjust settings and permissions, I tried creating a duplicate pipeline, and everything worked on the new pipeline but not the old one.

So, to solve the problem, I deleted the pipeline that was saved in CodeStar and created a new pipeline that was the same. I then removed the Continuous Deployment tile in CodeStar and then added a new Continuous deployment tile, selecting the new pipeline I created.

This solved the problem and the pipeline works.

Upvotes: 1

John Hanley

Reputation: 81464

When you first go to the AWS CodeStar console, you are prompted to create a service role. You should have selected yes. This creates a role named "AWSCodeStarServiceRole".

This role has the permissions that you need.

This link will walk you through setting up AWS CodeStar:

Setting Up AWS CodeStar

Upvotes: 0
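Added example, not part of the question or either answer: an offline check of which statements in a pasted IAM policy would match a given action and resource. It implements the core of IAM's matching rules (case-insensitive action names, `*` and `?` wildcards, explicit Deny beating Allow, implicit deny when nothing matches) and flags statements whose result depends on a `Condition` block, which it does not evaluate; `NotAction`/`NotResource` are not handled. The embedded policy is a constructed excerpt of the AWSCodeStarServiceRole document above, and the ARNs, account id and environment names are placeholders. Running it shows that `elasticbeanstalk:*` in the `ProjectServices` statement already covers `elasticbeanstalk:UpdateEnvironment`, so a role carrying this policy is not the one the error message is complaining about; the authoritative check against the role the pipeline actually uses is `aws iam simulate-principal-policy` with that role's ARN and the failing action name.

```python
"""Offline matcher for IAM policy statements (added example; see lead-in for limits)."""
import json
import re

# Constructed excerpt of the AWSCodeStarServiceRole policy pasted in the question,
# trimmed to the statements relevant to the check; the full document parses the same way.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ProjectStack", "Effect": "Allow",
     "Action": ["cloudformation:*Stack*", "cloudformation:GetTemplate"],
     "Resource": ["arn:aws:cloudformation:*:*:stack/awscodestar-*",
                  "arn:aws:cloudformation:*:*:stack/awseb-*"]},
    {"Sid": "ProjectStackTemplate", "Effect": "Allow",
     "Action": ["cloudformation:GetTemplateSummary", "cloudformation:DescribeChangeSet"],
     "Resource": "*"},
    {"Sid": "ProjectServices", "Effect": "Allow",
     "Action": ["codepipeline:*", "elasticbeanstalk:*", "iam:ListRoles"],
     "Resource": "*"},
    {"Sid": "IAMLinkRole", "Effect": "Allow",
     "Action": ["iam:CreateServiceLinkedRole"], "Resource": "*",
     "Condition": {"StringEquals": {"iam:AWSServiceName": "cloud9.amazonaws.com"}}}
  ]
}
"""


def load_policy(text):
    """Parse a policy document; Statement may be a single object or a list."""
    return json.loads(text)


def _as_list(value):
    """IAM accepts a string or a list for Action, Resource and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _pattern_matches(pattern, value, case_sensitive):
    """Translate an IAM wildcard pattern ('*' any run, '?' one char) to a regex."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def action_matches(pattern, action):
    """Action names compare case-insensitively: 'elasticbeanstalk:*' covers UpdateEnvironment."""
    return _pattern_matches(pattern, action, case_sensitive=False)


def resource_matches(pattern, arn):
    """ARN patterns compare case-sensitively; a bare '*' matches any resource."""
    return pattern == "*" or _pattern_matches(pattern, arn, case_sensitive=True)


def matching_statements(policy, action, resource):
    """Return [(sid, effect, has_condition)] for every statement whose Action and Resource match."""
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if any(action_matches(p, action) for p in _as_list(stmt.get("Action"))) and \
           any(resource_matches(p, resource) for p in _as_list(stmt.get("Resource"))):
            hits.append((stmt.get("Sid", "<no Sid>"), stmt["Effect"], "Condition" in stmt))
    return hits


def evaluate(policy, action, resource):
    """Apply IAM's basic decision order: explicit Deny > Allow > implicit deny.

    'conditional' is True when every statement producing the decision carries a
    Condition block, i.e. the real outcome depends on request context not checked here.
    """
    hits = matching_statements(policy, action, resource)
    if any(effect == "Deny" for _, effect, _ in hits):
        decision = "Deny"
    elif any(effect == "Allow" for _, effect, _ in hits):
        decision = "Allow"
    else:
        decision = "ImplicitDeny"
    relevant = [cond for _, effect, cond in hits if effect == decision]
    return {"decision": decision,
            "statements": [sid for sid, _, _ in hits],
            "conditional": bool(relevant) and all(relevant)}


if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    # Constructed ARNs: account id, stack and environment names are placeholders.
    checks = [
        ("elasticbeanstalk:UpdateEnvironment",
         "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/demo-app/demo-env"),
        ("cloudformation:UpdateStack",
         "arn:aws:cloudformation:us-east-1:123456789012:stack/awscodestar-demo/uuid"),
        ("cloudformation:UpdateStack",
         "arn:aws:cloudformation:us-east-1:123456789012:stack/unrelated/uuid"),
        ("iam:CreateServiceLinkedRole", "*"),
    ]
    for act, res in checks:
        print(act, "->", evaluate(policy, act, res))
```

The `ImplicitDeny` result for the unrelated stack name is the shape of the question's failure: no statement matches the action/resource pair the service is actually calling with, and the fix is to look at the policy attached to the role named in the error rather than at a role that happens to look similar.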
