m5kev4n

Reputation: 571

AWS CodeBuild can't sync to S3 bucket ListObject denied permission

In CodeBuild, I have 2 projects. One is for a staging site, and another one is for a production site. When I compile my site and run it through the staging project, it works fine. It syncs successfully to my S3 bucket for the staging site. However, when I tried to compile it and run it through the production project, when running the sync command, it returns an error:

fatal error: An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied

[Container] 2018/09/11 08:40:33 Command did not exit successfully aws s3 sync public/ s3://$S3_BUCKET exit status 1

I did some digging around, and I think the problem is with my bucket policy. I am using CloudFront as a CDN on top of my S3 bucket. I don't want to modify the bucket policy of the production bucket right until I'm absolutely sure that I must. I'm worried it might have some effect on the live site. Here is my bucket policy for the production bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::[bucket_name]/*"
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity [access_code]"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::[bucket_name]/*"
        }
    ]
}

Upvotes: 0

Views: 3490

Answers (1)

Sangam Belose

Reputation: 4506

As per the error description, the list permission is missing.

Add the below permission to your bucket policy:

"Action": [
    "s3:Get*",
    "s3:List*"
]

This should solve your issue. Also check the IAM service role created on CodeBuild to access S3 buckets. The S3 bucket policy and IAM role both control the access to the S3 bucket in this kind of setup.

Your service role should have list permission for S3.

{
  "Sid": "S3ObjectPolicy",
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:List*"
  ],
  "Resource": [
    "arn:aws:s3:::my_bucket",
    "arn:aws:s3:::my_bucket/*"
  ]
}

Upvotes: 5
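To see why the question's bucket policy fails and the answer's role statement works, here is an added example (not code from either poster) that evaluates IAM-style policy statements against the requests `aws s3 sync` makes; the bucket ARN and policies are constructed, and principals, conditions and cross-account rules are ignored.

```python
import fnmatch

# Constructed placeholder bucket ARN (not the poster's bucket).
BUCKET = "arn:aws:s3:::example-prod-bucket"

# The shape of the question's bucket policy: GetObject on object ARNs only.
QUESTION_BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
]}

# The shape of the answer's role statement: List* on the bucket ARN itself.
ANSWER_ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:List*"],
     "Resource": [BUCKET, BUCKET + "/*"]},
]}

# A common wrong fix: List* granted only on the "/*" object ARN.
WRONG_FIX_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:List*", "Resource": BUCKET + "/*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_matches(stmt, action, resource):
    """Action and Resource use '*' wildcards; action names are case-insensitive."""
    return (any(fnmatch.fnmatchcase(action.lower(), a.lower())
                for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r)
                    for r in _as_list(stmt["Resource"])))


def evaluate(policies, action, resource):
    """Simplified same-account evaluation (assumption: no Condition, no Principal
    checks): an explicit Deny anywhere wins, otherwise any Allow grants, otherwise
    the implicit default is Deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_matches(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"


def list_bucket_allowed(policies):
    # The ListObjects API call is authorised by s3:ListBucket on the bucket ARN,
    # not on the "/*" object ARN, which is the whole point of the failing sync.
    return evaluate(policies, "s3:ListBucket", BUCKET)
```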
