4
votes

I have the following Role for my CodeBuild service, generated via CloudFormation

  CodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${PipelineName}-codebuild'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Effect: Allow
          Principal:
            Service: codebuild.amazonaws.com
          Action: sts:AssumeRole
      Policies:
        - PolicyName: !Sub '${PipelineName}-codebuild'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Resource:
                - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}'
                - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}/*'
                Action:
                - 'logs:CreateLogGroup'
                - 'logs:CreateLogStream'
                - 'logs:PutLogEvents'
              - Effect: Allow
                Resource:
                  - !Sub 'arn:aws:s3:::codepipeline-${AWS::Region}-*/*'
                Action:
                  - 's3:GetObject'
                  - 's3:GetObjectVersion'
                  - 's3:PutObject'
              - Effect: Allow
                Resource:
                  - !GetAtt [PipelineArtifactStore, Arn]
                Action:
                  - 's3:PutObject'

Whats wrong with

- !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}'
- !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}/*'

Why can't CodeBuild write logs?

Service role arn:aws:iam::598xxx:role/skynet-codebuild does not allow AWS CodeBuild to create Amazon CloudWatch Logs log streams for build arn:aws:codebuild:ap-southeast-1:598xxx:build/skynet-lambda:544xxx-aa88945844fa. Error message: User: arn:aws:sts::598xxx:assumed-role/skynet-codebuild/AWSCodeBuild-544xxx-aa88945844fa is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:ap-southeast-1:598xxx:log-group:/aws/codebuild/skynet-lambda:log-stream:544xxx-aa88945844fa. Service role arn:aws:iam::598xxx:role/skynet-codebuild does not allow AWS CodeBuild to create Amazon CloudWatch Logs log streams for build arn:aws:codebuild:ap-southeast-1:598xxx:build/skynet-lambda:544xxx-aa88945844fa. Error message: User: arn:aws:sts::598xxx:assumed-role/skynet-codebuild/AWSCodeBuild-544xxx-aa88945844fa is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:ap-southeast-1:598xxx:log-group:/aws/codebuild/skynet-lambda:log-stream:544xxx-aa88945844fa

UPDATE: Full cloudformation template for reference

AWSTemplateFormatVersion : '2010-09-09'
Description: 'Skynet stack for CodePipeline'

Parameters:
  PipelineName:
    Type: String
    Description: Pipeline Name (Lower case only, since S3 bucket names can only have lowercase)
    Default: skynet
  GitHubOwner:
    Type: String
    Description: GitHub Owner/Username
  GitHubRepo:
    Type: String
    Description: GitHub Repo
    Default: '2359media/skynet'
  GitHubBranch:
    Type: String
    Description: GitHub Branch
    Default: master
  GitHubToken:
    Type: String
    Description: GitHub Token
    NoEcho: true

Resources:
  Pipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      Name: !Ref PipelineName
      RoleArn: !GetAtt [PipelineRole, Arn]
      ArtifactStore:
        Location: !Ref PipelineArtifactStore
        Type: S3
      DisableInboundStageTransitions: []
      Stages:
        - Name: GitHubSource
          Actions:
          - Name: Source
            ActionTypeId:
              Category: Source
              Owner: ThirdParty
              Version: 1
              Provider: GitHub
            Configuration:
              Owner: !Ref GitHubOwner
              Repo: !Ref GitHubRepo
              Branch: !Ref GitHubBranch
              OAuthToken: !Ref GitHubToken
            OutputArtifacts:
              - Name: SourceCode
        - Name: Build
          Actions:
          - Name: Lambda
            InputArtifacts:
              - Name: SourceCode
            OutputArtifacts:
              - Name: LambdaPackage
            ActionTypeId:
              Category: Build
              Owner: AWS
              Version: 1
              Provider: CodeBuild
            Configuration:
              ProjectName: !Ref CodeBuildLambda
        - Name: Deploy
          Actions:
          - Name: Lambda
            InputArtifacts:
              - Name: LambdaPackage
            OutputArtifacts:
              - Name: LambdaDeployment
            ActionTypeId:
              Category: Deploy
              Owner: AWS
              Version: 1
              Provider: CloudFormation
            Configuration:
              ActionMode: CHANGE_SET_REPLACE
              RoleArn: !GetAtt [CloudFormationRole, Arn]
              StackName: !Ref AWS::StackName
              TemplatePath: 'Template::lambda/sam.yml'

  CodeBuildLambda:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub '${PipelineName}-lambda'
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/nodejs:7.0.0
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: S3_BUCKET
            Value: !Ref PipelineArtifactStore
      ServiceRole: !Ref CodeBuildRole
      Source:
        BuildSpec: 'lambda/buildspec.yml'
        Type: CODEPIPELINE

  PipelineArtifactStore:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub '${PipelineName}-pipeline-artifacts'
      VersioningConfiguration:
        Status: Enabled

  CodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${PipelineName}-codebuild'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Effect: Allow
          Principal:
            Service: codebuild.amazonaws.com
          Action: sts:AssumeRole
      Policies:
        - PolicyName: !Sub '${PipelineName}-codebuild'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Resource:
                - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*'
                Action:
                - 'logs:CreateLogGroup'
                - 'logs:CreateLogStream'
                - 'logs:PutLogEvents'
              - Effect: Allow
                Resource:
                  - !Sub 'arn:aws:s3:::codepipeline-${AWS::Region}-*/*'
                  - !Sub
                    - '${PipelineArtifactStoreArn}/*'
                    - {PipelineArtifactStoreArn: !GetAtt [PipelineArtifactStore, Arn]}
                Action:
                  - 's3:GetObject'
                  - 's3:GetObjectVersion'
                  - 's3:PutObject'

  CloudFormationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${PipelineName}-cloudformation'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service: cloudformation.amazonaws.com
          Action:
          - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AWSLambdaExecute'
      Policies:
        - PolicyName: !Sub '${PipelineName}-cloudformation'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Resource: '*'
                Action:
                - 's3:GetObject'
                - 's3:GetObjectVersion'
                - 's3:GetBucketVersioning'
              - Effect: Allow
                Resource: 'arn:aws:s3:::codepipeline*'
                Action:
                - 's3:PutObject'
              - Effect: Allow
                Resource: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*'
                Action:
                - 'lambda:*'
              - Effect: Allow
                Resource: !Sub 'arn:aws:apigateway:${AWS::Region}::*'
                Action:
                - 'apigateway:*'
              - Effect: Allow
                Resource: !Sub 'arn:aws:iam::${AWS::Region}:role/*'
                Action:
                - 'iam:GetRole'
                - 'iam:CreateRole'
                - 'iam:DeleteRole'
                - 'iam:AttachRolePolicy'
                - 'iam:DetachRolePolicy'
              - Effect: Allow
                Resource: '*'
                Action:
                - 'iam:PassRole'
              - Effect: Allow
                Resource: !Sub 'arn:aws:cloudformation:${AWS::Region}:aws:transform/Serverless-2016-10-31'
                Action:
                - 'cloudformation:CreateChangeSet'

  PipelineRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${PipelineName}-pipeline'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Action: ['sts:AssumeRole']
          Effect: Allow
          Principal:
            Service: [codepipeline.amazonaws.com]
      Path: /
      Policies:
        - PolicyName: SkynetPipeline
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Action:
                - 's3:GetObject'
                - 's3:GetObjectVersion'
                - 's3:GetBucketVersioning'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                - 's3:PutObject'
                Effect: 'Allow'
                Resource:
                - !GetAtt [PipelineArtifactStore, Arn]
              - Action:
                - 'codecommit:CancelUploadArchive'
                - 'codecommit:GetBranch'
                - 'codecommit:GetCommit'
                - 'codecommit:GetUploadArchiveStatus'
                - 'codecommit:UploadArchive'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                - 'codedeploy:CreateDeployment'
                - 'codedeploy:GetApplicationRevision'
                - 'codedeploy:GetDeployment'
                - 'codedeploy:GetDeploymentConfig'
                - 'codedeploy:RegisterApplicationRevision'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                - 'elasticbeanstalk:*'
                - 'ec2:*'
                - 'elasticloadbalancing:*'
                - 'autoscaling:*'
                - 'cloudwatch:*'
                - 's3:*'
                - 'sns:*'
                - 'cloudformation:*'
                - 'rds:*'
                - 'sqs:*'
                - 'ecs:*'
                - 'iam:PassRole'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                - 'lambda:InvokeFunction'
                - 'lambda:ListFunctions'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                - 'opsworks:CreateDeployment'
                - 'opsworks:DescribeApps'
            - 'opsworks:DescribeCommands'
            - 'opsworks:DescribeDeployments'
            - 'opsworks:DescribeInstances'
            - 'opsworks:DescribeStacks'
            - 'opsworks:UpdateApp'
            - 'opsworks:UpdateStack'
            Effect: 'Allow'
            Resource: '*'
          - Action:
            - 'cloudformation:CreateStack'
            - 'cloudformation:DeleteStack'
            - 'cloudformation:DescribeStacks'
            - 'cloudformation:UpdateStack'
            - 'cloudformation:CreateChangeSet'
            - 'cloudformation:DeleteChangeSet'
            - 'cloudformation:DescribeChangeSet'
            - 'cloudformation:ExecuteChangeSet'
            - 'cloudformation:SetStackPolicy'
            - 'cloudformation:ValidateTemplate'
            - 'iam:PassRole'
            Effect: 'Allow'
            Resource: '*'
          - Action:
            - 'codebuild:BatchGetBuilds'
            - 'codebuild:StartBuild'
            Effect: 'Allow'
            Resource: '*'
1

1 Answers

5
votes

It appears that there might be a slight difference between the value you're giving the role, and the value it's expecting.

It appears that you're creating a role with the name based on ${PipelineName}-codebuild, which seems to resolve to skynet-codebuild, so based on this, your PipelineName is skynet. In your Policy, you're giving access to logs:CreateLogGroup for the resource arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}. From what I can gleen from your error should be arn:aws:logs:ap-southeast-1:598xxx:log-group:/aws/codebuild/skynet:log-stream:..., but in reality is arn:aws:logs:ap-southeast-1:598xxx:log-group:/aws/codebuild/skynet-lambda:log-stream:...

Is it possible that your CodeBuild project is actually called ${PipelineName}-lambda? One way you might be able to get around this more easily is to use a statement in your policy like:

- Effect: Allow
  Resource:
  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}-*'
  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}-*/*'
  Action:
  - 'logs:CreateLogGroup'
  - 'logs:CreateLogStream'

which should allow your CodeBuild to create LogGroups and LogStreams where the CodeBuild starts with the name of the PipelineName-.

Update: Thanks for the full CloudFormation Template. As expected, your CodeBuild project is named ${PipelineName}-lambda, which is why your policy doesn't match up. If you want to authorize creating logs for just that project, you will want to replace your statement with the following:

- Effect: Allow
  Resource:
  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}-lambda'
  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}-lambda/*'
  Action:
  - 'logs:CreateLogGroup'
  - 'logs:CreateLogStream'