Amiga500
Amiga500

Reputation: 6141

CodeBuild - Build fails due to missing EC2 Permission

I have a codebuild project that pulls code from Github. I am using cloudposse template

When I start the build, I get

VPC_CLIENT_ERROR: Unexpected EC2 error: UnauthorizedOperation

I have found similar problem on SO. But in my case it did not work.

This is my terraform policy:

data "aws_iam_policy_document" "permissions" {
  statement {
    sid = ""

    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:CompleteLayerUpload",
      "ecr:GetAuthorizationToken",
      "ecr:InitiateLayerUpload",
      "ecr:PutImage",
      "ecr:UploadLayerPart",
      "ecs:RunTask",
      "iam:PassRole",
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "ssm:GetParameters",
      "ec2:DescribeSubnets",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeVpcs",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DeleteNetworkInterface",
      "ec2:DetachNetworkInterface",
      "ec2:DescribeDhcpOptions",
      "ec2:CreateNetworkInterface",
      "ec2:ModifySnapshotAttribute",
      "ec2:ModifyVpcEndpointService",
      "ec2:ResetSnapshot"
    ]

    effect = "Allow"

    resources = [
      "*",
    ]
  }

  statement {
    actions = [
      "ec2:CreateNetworkInterfacePermission"
    ]

    effect = "Allow"

    condition {
      test     = "StringEquals"
      variable = "ec2:Subnet"
      values = formatlist("arn:aws:ec2:*:*:subnet/%s", var.subnet_ids)
    }

    condition {
      test = "StringEquals"
      variable = "ec2:AuthorizedService"
      values = ["codebuild.amazonaws.com"]
    }

    resources = [
      "arn:aws:ec2:*:*:network-interface/*"
    ]
  }
}

And it generates this JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameters",
                "logs:PutLogEvents",
                "logs:CreateLogStream",
                "logs:CreateLogGroup",
                "iam:PassRole",
                "ecs:RunTask",
                "ecr:UploadLayerPart",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:GetAuthorizationToken",
                "ecr:CompleteLayerUpload",
                "ecr:BatchCheckLayerAvailability",
                "ec2:ResetSnapshot",
                "ec2:ModifyVpcEndpointService",
                "ec2:ModifySnapshotAttribute",
                "ec2:DetachNetworkInterface",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeDhcpOptions",
                "ec2:DeleteNetworkInterface",
                "ec2:CreateNetworkInterface"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "ec2:CreateNetworkInterfacePermission",
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {
                "StringEquals": {
                    "ec2:AuthorizedService": "codebuild.amazonaws.com",
                    "ec2:Subnet": [
                        "arn:aws:ec2:*:*:subnet/subnet-0d121212121212121",
                        "arn:aws:ec2:*:*:subnet/subnet-0a323232323232323",
                        "arn:aws:ec2:*:*:subnet/subnet-05454545454545454"
                    ]
                }
            }
        }
    ]
}

The only way I can make it to work is to add:

"ec2:*"

I would rather not do that, but fine grain the policy. What policy I need to add to make this work? this is driving me crazy for some time now...

Upvotes: 3

Views: 2346

Answers (1)

Xin Wang
Xin Wang

Reputation: 31

Since you have wildcard in the subnet arn, could you try to change "StringEquals" to "StringLike"? It could be the root cause for this issue. Reference for the difference between "StringEquals" and "StringLike" can be found here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html

Thanks! Xin

Upvotes: 3

Related Questions