Reputation: 6141
CodeBuild - Build fails due to missing EC2 Permission
I have a codebuild project that pulls code from Github. I am using cloudposse template
When I start the build, I get
VPC_CLIENT_ERROR: Unexpected EC2 error: UnauthorizedOperation
I have found similar problem on SO. But in my case it did not work.
This is my terraform policy:
data "aws_iam_policy_document" "permissions" {
statement {
sid = ""
actions = [
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetAuthorizationToken",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart",
"ecs:RunTask",
"iam:PassRole",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"ssm:GetParameters",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcs",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:DetachNetworkInterface",
"ec2:DescribeDhcpOptions",
"ec2:CreateNetworkInterface",
"ec2:ModifySnapshotAttribute",
"ec2:ModifyVpcEndpointService",
"ec2:ResetSnapshot"
]
effect = "Allow"
resources = [
"*",
]
}
statement {
actions = [
"ec2:CreateNetworkInterfacePermission"
]
effect = "Allow"
condition {
test = "StringEquals"
variable = "ec2:Subnet"
values = formatlist("arn:aws:ec2:*:*:subnet/%s", var.subnet_ids)
}
condition {
test = "StringEquals"
variable = "ec2:AuthorizedService"
values = ["codebuild.amazonaws.com"]
}
resources = [
"arn:aws:ec2:*:*:network-interface/*"
]
}
}
And it generates this JSON:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"logs:PutLogEvents",
"logs:CreateLogStream",
"logs:CreateLogGroup",
"iam:PassRole",
"ecs:RunTask",
"ecr:UploadLayerPart",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:GetAuthorizationToken",
"ecr:CompleteLayerUpload",
"ecr:BatchCheckLayerAvailability",
"ec2:ResetSnapshot",
"ec2:ModifyVpcEndpointService",
"ec2:ModifySnapshotAttribute",
"ec2:DetachNetworkInterface",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeDhcpOptions",
"ec2:DeleteNetworkInterface",
"ec2:CreateNetworkInterface"
],
"Resource": "*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": "ec2:CreateNetworkInterfacePermission",
"Resource": "arn:aws:ec2:*:*:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:AuthorizedService": "codebuild.amazonaws.com",
"ec2:Subnet": [
"arn:aws:ec2:*:*:subnet/subnet-0d121212121212121",
"arn:aws:ec2:*:*:subnet/subnet-0a323232323232323",
"arn:aws:ec2:*:*:subnet/subnet-05454545454545454"
]
}
}
}
]
}
The only way I can make it to work is to add:
"ec2:*"
I would rather not do that, but fine grain the policy. What policy I need to add to make this work? this is driving me crazy for some time now...
Upvotes: 3
Views: 2346
Answers (1)
Reputation: 31
Since you have wildcard in the subnet arn, could you try to change "StringEquals" to "StringLike"? It could be the root cause for this issue. Reference for the difference between "StringEquals" and "StringLike" can be found here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html
Thanks! Xin
Upvotes: 3
Related Questions
- Error launching source instance: UnauthorizedOperation: You are not authorized to perform this operation
- Terraform aws_codebuild_project error: InvalidInputException:
- Terraform - Multiple AWS codebuild projects require aws_codebuild_source_credential
- AWS Codebuild Project Using AWS Codecommit
- AWS CodeBuild /codebuild/output/tmp/script.sh: terraform: Exec format error
- Terraform with AWS provider unable to create CodeBuild
- Cannot run `source` in AWS Codebuild
- AWS CodeBuild error on DOWNLOAD_SOURCE: CLIENT_ERROR: repository not found for primary source and source version
- AWS Codebuild terraform provider
- AWS codebuild not running terraform at post_build