pkaramol

Reputation: 19312

CodeDeploy step of CodePipeline fails because of insufficient role permissions

I have a 3 stage CodePipeline on AWS.

  1. Source: Checks out upon commit a specific branch of CodeCommit (success)

  2. Build: Runs some tests on a docker image via CodeBuild (success)

  3. Deploy: Performs a deployment on a deployment group (a.k.a. some specifically tagged EC2 instances) via CodeDeploy (failure).

Step 3 fails with

Unable to access the artifact with Amazon S3 object key 'someitem-/BuildArtif/5zyjxoZ' located in the Amazon S3 artifact bucket 'codepipeline-eu-west-1-somerandomnumber'. The provided role does not have sufficient permissions.

Which role is the latter referring to?

The service role of CodePipeline or the service role of CodeDeploy?

I am almost certain I have attached the appropriate policies to both though ...

Here is a snippet of my CodePipeline service role


Upvotes: 6

Views: 4169

Answers (4)

AwsAnurag

Reputation: 109

This issue is not related to the roles assigned to either CodePipeline or CodeBuild. If you investigate, you would find that in the S3 bucket 'codepipeline-eu-west-1-somerandomnumber' there is no folder "BuildArtif" and certainly no file "5zyjxoZ".

The issue is that CodeBuild is not sending any artifact to CodeDeploy. Change the 'Input artifacts' for CodeBuild to the output of the Source stage of the pipeline and the issue would be resolved.

Upvotes: 1

ramdesh

Reputation: 690

This could also be due to the actual BuildArtifact not existing. Check the specified path in your S3 bucket to see whether the object actually exists. CodePipeline just gives CodeDeploy a reference to an artifact it thinks has been built and uploaded, but it doesn't really know.

Upvotes: 1

Dharmendra Singh Negi

Reputation: 393

Try to give the "CodeDeploy" policy with full access; it should work.

Upvotes: 2

Aaron

Reputation: 1605

The error message should be referring to the CodeDeploy role. The CodeDeploy action passes the S3 artifact by reference to CodeDeploy, so the CodeDeploy role needs to have read access to the CodePipeline artifact.

Upvotes: 0
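The read access described in the answer above can be checked offline against a role's policy JSON before touching the pipeline. The following is an added example, not part of any post on this page: a simplified evaluator for identity policies that contrasts a CodeDeploy-only policy with one scoped to read-only access on the artifact bucket. Both sample policies are constructed, the bucket and key are the redacted values from the error message, and all function names are hypothetical.

```python
import re

# Bucket and key as redacted in the question's error message.
BUCKET = "codepipeline-eu-west-1-somerandomnumber"
KEY = "someitem-/BuildArtif/5zyjxoZ"

# Constructed sample policy: CodeDeploy permissions only, nothing for S3.
DEPLOY_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "codedeploy:*", "Resource": "*"}]}

# Constructed sample policy: read-only, scoped to the artifact bucket.
ARTIFACT_READ = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion"],
     "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

def artifact_arn(bucket, key):
    return f"arn:aws:s3:::{bucket}/{key}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, flags=0):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags | re.DOTALL) is not None

def evaluate(policies, action, resource):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            unsupported = {"Condition", "NotAction", "NotResource"} & stmt.keys()
            if unsupported:  # refuse rather than guess at elements not modelled
                raise ValueError(f"unsupported elements: {sorted(unsupported)}")
            # Action names match case-insensitively; resource ARNs do not.
            hit = (any(_glob(a, action, re.IGNORECASE) for a in _as_list(stmt["Action"]))
                   and any(_glob(r, resource) for r in _as_list(stmt["Resource"])))
            if hit and stmt["Effect"] == "Deny":
                return "explicit-deny"  # an explicit Deny overrides any Allow
            allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return "allow" if allowed else "implicit-deny"

if __name__ == "__main__":
    arn = artifact_arn(BUCKET, KEY)
    for name, policy in (("deploy-only", DEPLOY_ONLY), ("artifact-read", ARTIFACT_READ)):
        print(name, evaluate([policy], "s3:GetObject", arn))
```

This models only Allow/Deny matching in identity policies; bucket policies, KMS key policies and condition keys are outside its scope. For a live role, `aws iam simulate-principal-policy` evaluates the attached policies authoritatively.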
