Code Build Access denied while downloading artifac

2019-08-05 20:17发布

站内问答 / 移动开发
1248 1 5

My CodeBuild is configured with CodePipeline. S3 is my artifact store. I continue to get an Access denied message despite having attached IAM roles with sufficient access.

Screenshot of the error message

Code Build Error message

I have already checked the service role associated with Codebuild. It has the following policy attached to it.

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Resource": [
            "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Build",
            "arn:aws:logs:ap-southeast-1:682905754632:log-group:/aws/codebuild/Build:*"
        ],
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ]
    },
    {
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::codepipeline-ap-southeast-1-*"
        ],
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectVersion"
        ]
    }
]

}

But when I test it using the IAM policy validator I get the following error message.

enter image description here

Based on the accepted answer to this question the policy that I currently have should allow me to get the artifacts from S3 without any problems - AWS Codebuild fails while downloading source. Message: Access Denied

How do I get rid of the access denied message?

1条回答
Rolldiameter
2楼-- · 2019-08-05 20:48

This generally happens when you have a CodeBuild project already and you integrate it to a CodePipeline pipeline. When you integrate a Codebuild project with CodePipeline, the project will retrieve it's source from the CodePipeline Source output. Source output will be stored in the artifact store location, which is an S3 bucket, either a default bucket created by CodePipeline or one you specify upon pipeline creation.

So, you will need to provide permissions to the CodeBuild Service role to access the CodePipline bucket in S3. The role will require permissions to put S3 objects in the bucket, as well as get objects.

Policy which i tried and same is working:

{
  "Version": "2012-10-17",
  "Statement": [
{
  "Sid": "CodeBuildDefaultPolicy",
  "Effect": "Allow",
  "Action": [
    "codebuild:*",
    "iam:PassRole"
  ],
  "Resource": "*"      
},
{
  "Sid": "CloudWatchLogsAccessPolicy",
  "Effect": "Allow",
  "Action": [
    "logs:FilterLogEvents",
    "logs:GetLogEvents"
  ],
  "Resource": "*"
},
{
  "Sid": "S3AccessPolicy",
  "Effect": "Allow",
  "Action": [
    "s3:CreateBucket",
    "s3:GetObject",
    "s3:List*",
    "s3:PutObject"
  ],
  "Resource": "*"
  }
 ]
}

Policy Simulator

enter image description here

AWS Reference

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)