Reputation: 506
I have an AWS CodeBuild job that works fine when I initiate it manually as a root user.
I have a CodePipeline that should initiate the build job when CodeCommit merges into master. It fires the job and the build starts, but it fails when trying to download the source.
I've attached full S3/CodeBuild/CodeCommit policies to the pipeline, but it still throws access denied.
Which permissions am I missing?
Upvotes: 7
Views: 14938
Reputation: 3044
The reason is that the CodeBuild service role needs permission to access the CodePipeline S3 bucket. To fix it, you can attach an inline policy or modify an existing policy to allow these actions on the objects in your CodePipeline S3 bucket (specify the bucket as the Resource of the policy):
s3:GetObject
s3:GetObjectVersion
s3:PutObject
This is the policy in JSON; remember to replace S3-BUCKET-NAME with your actual CodePipeline S3 bucket name.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::S3-BUCKET-NAME/*"
        }
    ]
}
To find the S3 bucket name, you can trace the source of the error in the AWS console; the build error shows the bucket:
CLIENT_ERROR: AccessDenied: Access Denied status code: 403, request id:
requestId, host id: hostId for primary source and source version
arn:aws:s3:::S3-BUCKET-NAME/path
Upvotes: 4
Reputation: 756
This generally happens when you have a CodeBuild project already and you integrate it into the CodePipeline project. CodeBuild now does not download the sources from the CodeCommit/GitHub repo. Instead, it will try to download the source artifact created in the CodePipeline bucket in S3. So, you will need to give the CodeBuild role permissions to access the CodePipeline bucket in S3.
You can do this by modifying the CodeBuild role's attached policy (or attaching a new policy) that gives access to the following operations:
s3:ListObjects
s3:GetObject
s3:ListBucket
for your CodePipeline bucket and its objects:
"arn:aws:s3:::codepipeline-bucket",
"arn:aws:s3:::codepipeline-bucket/*"
Or you can just choose to add all operations for this bucket and its objects. You can release the changes and it should work. Lmk if it does not.
Upvotes: 15
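The two answers above differ in one detail that is easy to miss: object-level calls (GetObject, GetObjectVersion, PutObject) are authorized against `arn:aws:s3:::bucket/*`, while `s3:ListBucket` is authorized against the bucket ARN itself, `arn:aws:s3:::bucket`, so a policy that only grants `/*` silently leaves listing denied. The script below is an added, offline example (not code from either answer or from AWS) that evaluates a CodeBuild role policy against the S3 calls a pipeline source download needs before you deploy it. It models only the parts of IAM evaluation relevant here (default deny, explicit Deny overrides Allow, `*` and `?` wildcards, case-insensitive action names) and rejects statements using NotAction, NotResource or Condition rather than guessing. The bucket name and object key are constructed placeholders.

```python
"""Offline check of a CodeBuild service-role policy against the S3 calls that a
CodePipeline source download makes. Added example; it approximates IAM
evaluation and is not the AWS authorization engine."""
import json
import re

# Constructed placeholder values; substitute your real pipeline bucket and artifact key.
BUCKET = "codepipeline-us-east-1-123456789012"
ARTIFACT_KEY = "MyPipeline/SourceArti/abc123"

# Object-level-only policy in the shape of the first answer, placeholder substituted.
POLICY_OBJECTS_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::BUCKET/*"
    }
  ]
}""".replace("BUCKET", BUCKET))

# Same policy plus a bucket-level ListBucket grant, as the second answer describes
# (both the bucket ARN and the bucket/* ARN are needed).
POLICY_WITH_LISTING = {
    "Version": "2012-10-17",
    "Statement": POLICY_OBJECTS_ONLY["Statement"] + [
        {
            "Sid": "ListPipelineBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{BUCKET}",
        }
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, candidate, ignore_case=False):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one.
    Actions are matched case-insensitively; ARNs are case-sensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(regex, candidate, flags) is not None


def is_allowed(policy, action, resource):
    """Evaluate one (action, resource) pair against an identity policy.
    Default is deny; a matching Allow permits unless any matching Deny exists."""
    allowed = False
    for stmt in policy["Statement"]:
        for unsupported in ("NotAction", "NotResource", "Condition"):
            if unsupported in stmt:
                raise ValueError(f"{unsupported} is not modelled by this checker")
        action_hit = any(_wildcard_match(a, action, ignore_case=True)
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(_wildcard_match(r, resource)
                           for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False  # explicit Deny wins regardless of other Allows
            allowed = True
    return allowed


def audit_codebuild_access(policy, bucket, key):
    """Return {action: allowed?} for the calls a pipeline-driven build performs.
    Note the different resource ARN for ListBucket versus the object calls."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{key}"
    required = {
        "s3:GetObject": object_arn,         # download the source artifact
        "s3:GetObjectVersion": object_arn,  # pipeline artifacts are versioned
        "s3:PutObject": object_arn,         # upload the build output artifact
        "s3:ListBucket": bucket_arn,        # listing is granted on the bucket, not bucket/*
    }
    return {action: is_allowed(policy, action, res) for action, res in required.items()}


def missing_permissions(policy, bucket, key):
    """Actions the role would still be denied; empty means the policy is sufficient."""
    return sorted(a for a, ok in audit_codebuild_access(policy, bucket, key).items() if not ok)


if __name__ == "__main__":
    for name, policy in (("objects only", POLICY_OBJECTS_ONLY),
                         ("with ListBucket", POLICY_WITH_LISTING)):
        print(name, "->", audit_codebuild_access(policy, BUCKET, ARTIFACT_KEY))
```

Running it shows the object-only policy passing every check except `s3:ListBucket`, and the extended policy passing all four; a request against any other bucket is denied by both, which is the scoping you want on a build role.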