AWS Codebuild fails while downloading source. Message: Access Denied

Question

I created a CodeBuild Project that uses a docker image for node8. The purpose of this CodeBuild project is to do unit testing. It takes an input artifact from CodeCommit. And in the buildspec.yml it runs a test command.

This is my (simple) buildspec file:

version: 0.2

phases:
  install:
    commands:
     - echo "install phase started"
     - npm install
     - echo "install phase ended"
  pre_build: 
    commands:
     - echo "pre_build aka test phase started"
     - echo "mocha unit test"
     - npm test
     - echo "mocha unit test ended"
  build:
    commands:
     - echo "build phase started"
     - echo "build complete"

The build is failing at the DOWNLOAD_SOURCE phase with the following:

PHASE - DOWNLOAD_SOURCE

Start time 2 minutes ago

End time 2 minutes ago

Message Access Denied

The only logs in the build logs are the following

[Container] 2018/01/12 11:30:22 Waiting for agent ping

[Container] 2018/01/12 11:30:22 Waiting for DOWNLOAD_SOURCE

Thanks in advance.

Screenshot of the CodeBuild policies.

Answer 1

In my case I fixed the issue that way - when I was creating a build project configuration there is a step in which you have to provide Service role and Role name. There are two options for that step 1) create new one and 2) choose existing one. I created a new one. After that I faced the issue author described. After some research I added this policies to that role in IAM module and the issue went away.

AWSCodeDeployRoleForECS AWS managed Permissions policy
AWSCodeDeployRole   AWS managed Permissions policy
AWSCodeDeployRoleForCloudFormation  AWS managed Permissions policy
AWSCloudFormationFullAccess AWS managed Permissions policy
AWSCodeDeployRoleForLambda  AWS managed Permissions policy

Answer 2

I faced the same issue.

My source was from an S3 folder. The fix involved putting a / at the end of the source path. It seems that without the / CodeBuild thinks it is a key.

Hope this helps someone save time.

Answer 3

I was experiencing the same symptoms but my issue was due to the default encryption on the S3 bucket as described in this post.

So everything in S3 is encrypted at rest. When you don't specify how you want to encrypt them, objects in S3 will be encrypted by the default KMS key. And other accounts won't be able to get access to objects in the bucket because they don't have that KMS key for decryption. So to get around this issue, you need to create your own KMS key and use it to encrypt (let the CodeBuild to use this KMS Key you have created in this case). Then allow roles in other accounts to use this key by configure AssumeRole permissions. From what I see, most S3 access denial happens at not being able to decrypt objects. And this is specified here Troubleshoot S3 403 Access Denied - encrypted objects will also cause 403 Access Denied.

In my case, the keys that were being used were mismatched which was causing the decryption failure.

Answer 4

I had the same error, a permissions issue accessing S3 bucket url. Originally I used an auto-generated codepipeline-us-west-2-* bucket name with the policy:

{
  "Effect": "Allow",
  "Resource": [
      "arn:aws:s3:::codepipeline-us-west-2-*"
  ],
  "Action": [
      "s3:PutObject",
      "s3:GetObject",
      "s3:GetObjectVersion",
      "s3:GetBucketAcl",
      "s3:GetBucketLocation"
  ]
}

After changing to my own bucket name, the policy had to be updated to:

{
  "Effect": "Allow",
  "Resource": [
      "arn:aws:s3:::project-name-files/*"
  ],
  "Action": [
      "s3:PutObject",
      "s3:GetObject",
      "s3:GetObjectVersion",
      "s3:GetBucketAcl",
      "s3:GetBucketLocation"
  ]
}

Answer 5

I found a fix. It was a problem with my permissions. I added this to make it work.

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Resource": [
            "arn:aws:logs:eu-west-1:723698621383:log-group:/aws/codebuild/project",
            "arn:aws:logs:eu-west-1:723698621383:log-group:/aws/codebuild/project:*"
        ],
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ]
    },
    {
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::codepipeline-eu-west-1-*"
        ],
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectVersion"
        ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "ssm:GetParameters"
        ],
        "Resource": "arn:aws:ssm:eu-west-1:723698621383:parameter/CodeBuild/*"
    }
  ]
}

Answer 6

I had similar error and will post my fix in case it helps anyone else. I was using CodePipeline and had two separate builds happening. Build #1 would complete its build and the output artifact for that was to be the input artifact for Build #2. Build #2 was failing on the the DOWNLOAD_SOURCE phase with the following error:

AccessDenied: Access Denied status code: 403

The problem was that in my build spec for Build #1, I didn't have the artifacts defined. After calling out the artifact files/folders in Build #1, then Build #2 was able to download the source without issue.