Reputation: 552
I am trying to set up a pipeline in AWS CodePipeline and after the change from CodeCommit is triggered, the CodeBuild starts. It executes the commands as stated in the buildspec.yaml file, and it fails when it is about to sync the content to the S3 Bucket.
Currently, I have attached to the respective CodeBuild Service Role the AmazonS3FullAccess policy but it gives me the following error:
[Container] 2020/03/20 16:13:22 Running command aws s3 sync ./dist/ProjectName/ s3://project-name-dev
fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
What might be the issue?
Upvotes: 2
Views: 3535
Reputation: 8890
Writing object(s) to an S3 bucket requires permission in 2 places:
Since you already added 'AmazonS3FullAccess' to the CodeBuild service role, check whether the bucket policy does not allow writing by the CodeBuild role. You can add the following bucket policy on the bucket to fix this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1561445614665",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<Account_Number>:role/service-role/<your-codebuild-service-role>"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        }
    ]
}
Update the Principal with your CodeBuild service role ARN, and both Resource entries with your bucket name.
Upvotes: 9
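An added example, not part of the question or the answer: a simplified policy matcher that checks whether a bucket policy covers the two calls the `aws s3 sync` upload in the question makes, showing why `ListObjectsV2` needs the bucket ARN itself and not only `bucketname/*`. The role ARN, account number and all function names are constructed for illustration, and the matcher is not AWS's full evaluation logic.

```python
import fnmatch

# Constructed sample values; the bucket name is the one in the question.
ROLE = "arn:aws:iam::111122223333:role/service-role/codebuild-example"
BUCKET = "project-name-dev"

# Calls made by `aws s3 sync ./dist s3://bucket` (no --delete): API name,
# IAM action that authorizes it, and the ARN suffix it is checked against.
SYNC_CALLS = [("ListObjectsV2", "s3:ListBucket", ""),      # bucket ARN
              ("PutObject", "s3:PutObject", "/index.html")]  # object ARN

def as_list(value):
    return value if isinstance(value, list) else [value]
def glob_any(value, patterns, fold=False):
    norm = str.lower if fold else str  # action names are case-insensitive
    return any(fnmatch.fnmatchcase(norm(value), norm(p)) for p in as_list(patterns))

def allows(policy, principal, action, resource):
    """Simplified: explicit Deny wins, else any matching Allow (no Condition/Not* keys)."""
    allowed = False
    for stmt in as_list(policy["Statement"]):
        who = stmt.get("Principal", {})
        who = as_list(who.get("AWS", [])) if isinstance(who, dict) else [who]
        if principal not in who and "*" not in who:
            continue
        if glob_any(action, stmt["Action"], fold=True) and glob_any(resource, stmt["Resource"]):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def missing_for_sync(policy, principal, bucket):
    """Return the sync API calls this bucket policy does not allow."""
    return [api for api, action, suffix in SYNC_CALLS
            if not allows(policy, principal, action, f"arn:aws:s3:::{bucket}{suffix}")]

def grant(principal, action, resource):
    return {"Effect": "Allow", "Principal": {"AWS": principal},
            "Action": action, "Resource": resource}

def sync_policy(principal, bucket):
    """Bucket policy scoped to what the upload needs, instead of s3:*."""
    return {"Version": "2012-10-17", "Statement": [
        grant(principal, "s3:ListBucket", f"arn:aws:s3:::{bucket}"),
        grant(principal, "s3:PutObject", f"arn:aws:s3:::{bucket}/*")]}

# s3:* on objects only: the bucket ARN is not covered, so listing is denied.
OBJECTS_ONLY = {"Version": "2012-10-17", "Statement": [
    grant(ROLE, "s3:*", f"arn:aws:s3:::{BUCKET}/*")]}
```

`missing_for_sync(OBJECTS_ONLY, ROLE, BUCKET)` reports `ListObjectsV2`, while the scoped policy from `sync_policy` covers both calls; a sync run with `--delete` would additionally need `s3:DeleteObject` on the object ARNs.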