Stephen

Reputation: 4811

AWS CodeDeploy Access Denied error

I'm having issues with AWS CodeDeploy; it seems to have issues accessing S3. Below are the error messages:

2018-04-20 16:52:35 INFO  [codedeploy-agent(2983)]: [Aws::CodeDeployCommand::Client 200 0.023779 0 retries] put_host_command_complete(command_status:"Failed",diagnostics:{format:"JSON",payload:"{\"error_code\":5,\"script_name\":\"\",\"message\":\"Access Denied\",\"log\":\"\"}"},host_command_identifier:"WyJjb20uYW1hem9uLmFwb2xsby5kZXBsb3ljb250cm9sLmRvbWFpbi5Ib3N0Q29tbWFuZElkZW50aWZpZXIiLHsiZGVwbG95bWVudElkIjoiQ29kZURlcGxveS9ldS13ZXN0LTEvUHJvZC9hcm46YXdzOnNkczpldS13ZXN0LTE6OTExODQyOTUzODAzOmRlcGxveW1lbnQvZC1JRUFFQ09NRlMiLCJob3N0SWQiOiJhcm46YXdzOmVjMjpldS13ZXN0LTE6OTExODQyOTUzODAzOmluc3RhbmNlL2ktMDkxMGQzZjI4YWI0OTA2OGQiLCJjb21tYW5kTmFtZSI6IkRvd25sb2FkQnVuZGxlIiwiY29tbWFuZFBvc2l0aW9uIjoyLCJjb21tYW5kQXR0ZW1wdCI6MX1d")  

2018-04-20 16:52:35 ERROR [codedeploy-agent(2983)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Error during perform: Aws::S3::Errors::AccessDenied - Access Denied - /opt/codedeploy-agent/vendor/gems/aws-sdk-core-2.10.104/lib/seahorse/client/plugins/raise_response_errors.rb:15:in `call'

My EC2 instance has been launched with IAM role: CodeDeploy-EC2-Instance-Profile which contains the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::codepipeline-eu-west-1-373398414592"
            ]
        }
    ]
}

From what I have read, this is correct.

I've tried the following:

Removing the AWS credentials file (~/.aws/credentials), just in case there was any conflict between the IAM role and this file. But it made no difference, I still got the above errors.

I also noted that it's the 'put_host_command_complete' that's failing, so I updated the Actions section of the above policy to have the PUT permissions, i.e.

"Action": [
    "s3:Get*",
    "s3:List*",
    "s3: Put*"
]

but this didn't make any difference either.

Any help appreciated.

Regards, Steve

Upvotes: 2

Views: 4945

Answers (3)

Mr. Doomsbuster

Reputation: 1374

I am seeing the same problem. I have a correct instance role selected with permissions to the S3 bucket.

2018-07-22 21:50:23 ERROR [codedeploy-agent(1555)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Error during perform: Aws::S3::Errors::AccessDenied - Access Denied - /opt/codedeploy-agent/vendor/gems/aws-sdk-core-2.10.104/lib/seahorse/client/plugins/raise_response_errors.rb:15:in `call'
/opt/codedeploy-agent/vendor/gems/aws-sdk-core-2.10.104/lib/aws-sdk-core/plugins/s3_sse_cpk.rb:19:in `call'
/opt/codedeploy-agent/vendor/gems/aws-sdk-core-2.10.104/lib/aws-sdk-core/plugins/s3_dualstack.rb:24:in `call'
/opt/codedeploy-agent/vendor/gems/aws-sdk-core-2.10.104/lib/aws-sdk-core/plugins/s3_accelerate.rb:34:in `call'
/opt/codedeploy-agent/vendor/gems/aws-sdk-core-2.10.104/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:20:in `call'
/opt/codedeploy-agent/vendor/gems/aws-sdk-core-2.10.104/lib/aws-sdk-core/plugins/idempotency_token.rb:18:in `call'
/opt/codedeploy-agent/vendor/gems/aws-sdk-core-2.10.104/lib/aws-sdk-core/plugins/param_converter.rb:20:in `call'
/opt/codedeploy-agent/vendor/gems/aws-sdk-core-2.10.104/lib/seahorse/client/plugins/response_target.rb:21:in `call'
/opt/codedeploy-agent/vendor/gems/aws-sdk-core-2.10.104/lib/seahorse/client/request.rb:70:in `send_request'
/opt/codedeploy-agent/vendor/gems/aws-sdk-core-2.10.104/lib/seahorse/client/base.rb:207:in `block (2 levels) in define_operation_methods'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_executor.rb:274:in `block in download_from_s3'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_executor.rb:269:in `open'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_executor.rb:269:in `download_from_s3'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_executor.rb:82:in `block in <class:CommandExecutor>'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_executor.rb:68:in `execute_command'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_poller.rb:114:in `process_command'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_poller.rb:96:in `acknowledge_and_process_command'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_poller.rb:75:in `block in perform'
/opt/codedeploy-agent/vendor/gems/concurrent-ruby-1.0.5/lib/concurrent/executor/ruby_thread_pool_executor.rb:348:in `run_task'
/opt/codedeploy-agent/vendor/gems/concurrent-ruby-1.0.5/lib/concurrent/executor/ruby_thread_pool_executor.rb:337:in `block (3 levels) in create_worker'
/opt/codedeploy-agent/vendor/gems/concurrent-ruby-1.0.5/lib/concurrent/executor/ruby_thread_pool_executor.rb:320:in `loop'
/opt/codedeploy-agent/vendor/gems/concurrent-ruby-1.0.5/lib/concurrent/executor/ruby_thread_pool_executor.rb:320:in `block (2 levels) in create_worker'
/opt/codedeploy-agent/vendor/gems/concurrent-ruby-1.0.5/lib/concurrent/executor/ruby_thread_pool_executor.rb:319:in `catch'
/opt/codedeploy-agent/vendor/gems/concurrent-ruby-1.0.5/lib/concurrent/executor/ruby_thread_pool_executor.rb:319:in `block in create_worker'
/opt/codedeploy-agent/vendor/gems/logging-1.8.2/lib/logging/diagnostic_context.rb:323:in `block in create_with_logging_context'
2018-07-22 21:50:23 WARN  [codedeploy-agent(1555)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Calling PutHostCommandComplete: "Code Error"
2018-07-22 21:50:23 INFO  [codedeploy-agent(1555)]: Version file found in /opt/codedeploy-agent/.version with agent version OFFICIAL_1.0-1.1518_deb.
2018-07-22 21:50:23 INFO  [codedeploy-agent(1555)]: [Aws::CodeDeployCommand::Client 200 0.034907 0 retries] put_host_command_complete(command_status:"Failed",diagnostics:{format:"JSON",payload:"{\"error_code\":5,\"script_name\":\"\",\"message\":\"Access Denied\",\"log\":\"\"}"},host_command_identifier:"WyJjb20uYW1hem9uLmFwb2xsby5kZXBsb3ljb250cm9sLmRvbWFpbi5Ib3N0Q29tbWFuZElkZW50aWZpZXIiLHsiZGVwbG95bWVudElkIjoiQ29kZURlcGxveS91cy13ZXN0LTIvUHJvZC9hcm46YXdzOnNkczp1cy13ZXN0LTI6NTA4MTc5ODMzNTI0OmRlcGxveW1lbnQvZC1RUVpMU0NIQVUiLCJob3N0SWQiOiJhcm46YXdzOmVjMjp1cy13ZXN0LTI6NTA4MTc5ODMzNTI0Omluc3RhbmNlL2ktMDI0ZjEzMzE5NmE2ZjgxYzMiLCJjb21tYW5kTmFtZSI6IkRvd25sb2FkQnVuZGxlIiwiY29tbWFuZFBvc2l0aW9uIjoyLCJjb21tYW5kQXR0ZW1wdCI6MX1d")

2018-07-22 21:50:24 INFO  [codedeploy-agent(1555)]: Version file found in /opt/codedeploy-agent/.version with agent version OFFICIAL_1.0-1.1518_deb.
2018-07-22 21:51:24 INFO  [codedeploy-agent(1555)]: [Aws::CodeDeployCommand::Client 200 60.17959 0 retries] poll_host_command(host_identifier:"arn:aws:ec2:us-west-2:508179833524:instance/i-024f133196a6f81c3")

Upvotes: 0

Deblina Gupta

Reputation: 190

You need to specify the Amazon S3 bucket as the resource in the instance profile role. For more details please check https://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-create-iam-instance-profile.html

Upvotes: 0

Sadh

Reputation: 11

I think your resource ARN should be like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<your-s3-bucket-name>/*"
            ]
        }
    ]
}

Upvotes: 1
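
The difference between the bucket ARN in the question and the `/*` object ARN in the answer above can be checked offline. The following is an added example, not part of any post on this page and not AWS's own evaluation code: a simplified matcher for Allow statements only (no Deny, Condition, bucket policy or KMS handling). The object key is constructed, and the combined policy is an assumption showing both resource forms side by side.

```python
import re

BUCKET = "arn:aws:s3:::codepipeline-eu-west-1-373398414592"  # bucket ARN from the question
OBJECT = BUCKET + "/constructed/prefix/bundle.zip"           # constructed object key

def statement(resources):
    """Build a policy with the Action list used on this page and the given Resource list."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": resources}]}

QUESTION_POLICY = statement([BUCKET])                 # Resource as posted in the question
ANSWER_POLICY = statement([BUCKET + "/*"])            # Resource shape suggested in the answer
COMBINED_POLICY = statement([BUCKET, BUCKET + "/*"])  # assumption: both forms together

def iam_match(pattern, value, ignore_case=False):
    """IAM-style wildcards: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource):
    """True if any Allow statement matches both the action and the resource ARN."""
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names compare case-insensitively; resource ARNs are case-sensitive.
        action_ok = any(iam_match(a, action, ignore_case=True) for a in as_list(stmt["Action"]))
        resource_ok = any(iam_match(r, resource) for r in as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False

def check(policy):
    """Evaluate the object-level download and the bucket-level listing separately."""
    return {"s3:GetObject": allows(policy, "s3:GetObject", OBJECT),
            "s3:ListBucket": allows(policy, "s3:ListBucket", BUCKET)}

if __name__ == "__main__":
    for name, policy in [("question", QUESTION_POLICY), ("answer", ANSWER_POLICY),
                         ("combined", COMBINED_POLICY)]:
        print(name, check(policy))
```

`s3:GetObject` is evaluated against the object ARN (`bucket/key`) and `s3:ListBucket` against the bucket ARN, so a statement that lists only one form grants only one of the two.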
