5
votes

I have an AWS CodeBuild job that works fine when I initiate it manually as a root user.

I have a CodePipeline that should initiate the build job when CodeCommit merges into master. It fires the job and the build starts, but it fails when trying to download the source.

I've attached full S3/CodeBuild/CodeCommit policies to the pipeline, but it still throws access denied.

Which permissions am I missing?

2
Where exactly do you see access denied and what is the full error message? Is it in the pipeline or inside of the build (i.e. one of the build phases is failing)? CodeBuild uses a separate role (not the pipeline's role) to pull source and upload artifacts to S3.
Clare Liguori

2 Answers

11
votes

This generally happens when you have a CodeBuild project already and you integrate it into the CodePipeline project. CodeBuild now does not download the sources from the CodeCommit/GitHub repo. Instead, it will try to download the source artifact created in the CodePipeline bucket in S3. So, you will need to provide permissions to the CodeBuild role to access the CodePipeline bucket in S3.

You can do this by modifying the CodeBuild role's attached policy (or attaching a new policy) that gives access to the following operations:

s3:ListObjects
s3:GetObject
s3:ListBucket

for your CodePipeline bucket and its objects:

"arn:aws:s3:::codepipeline-bucket",
"arn:aws:s3:::codepipeline-bucket/*"

Or you can just choose to add all operations for this bucket and its objects. You can release the changes and it would work. Lmk if it does not.

4
votes

The reason is that the CodeBuild service role needs permission to access the CodePipeline S3 bucket. To fix it, you can attach an inline policy or modify an existing policy to allow these actions to access the objects in your CodePipeline S3 bucket (specify the bucket as the Resource in the policy):

s3:GetObject
s3:GetObjectVersion
s3:PutObject

This is the policy in JSON; remember to replace S3-BUCKET-NAME with your actual CodePipeline S3 bucket name.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::S3-BUCKET-NAME/*"
        }
    ]
}

To find the S3 bucket name, you can do the following in the AWS console to trace the source of the error:

  1. Go to CodeBuild
  2. Select Build projects on the left panel
  3. Choose your project; the Build history will be displayed
  4. Click the Build run item that has failed status
  5. See the error in Build logs if there is one
  6. Choose Phase details
  7. CodeBuild most probably failed at the DOWNLOAD_SOURCE phase with the following error message:

     CLIENT_ERROR: AccessDenied: Access Denied status code: 403, request id:
     requestId, host id: hostId for primary source and source version
     arn:aws:s3:::S3-BUCKET-NAME/path
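A quick offline way to confirm that the CodeBuild role's policy actually covers the artifact object from the DOWNLOAD_SOURCE error, as an added example that is not part of either answer above: a small evaluator for one identity-based IAM policy that applies IAM's wildcard matching and explicit-deny precedence, then reports which of the actions named in this thread are still missing for the object ARN. The bucket name and the policy dict are constructed from the answer's JSON; `allowed` and `missing_permissions` are hypothetical helper names, not an AWS API.

```python
import fnmatch

# Constructed sample values: the answer's policy with a made-up bucket name filled in.
BUCKET = "codepipeline-us-east-1-123456789012"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        }
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, fold_case=False):
    """IAM wildcards: '*' matches any run of characters, '?' one character."""
    if fold_case:  # action names are case-insensitive in IAM; resource ARNs are not
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def allowed(policy, action, resource):
    """Evaluate one identity policy: an explicit Deny wins, otherwise any Allow grants."""
    decision = False
    for stmt in _as_list(policy.get("Statement", [])):
        action_hit = any(_matches(a, action, True) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        decision = True
    return decision


def missing_permissions(policy, bucket, key="path"):
    """Return the S3 actions from the answers above that the policy does not grant on the artifact object."""
    object_arn = f"arn:aws:s3:::{bucket}/{key}"  # shape of the ARN in the DOWNLOAD_SOURCE error
    required = ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject"]
    return [a for a in required if not allowed(policy, a, object_arn)]
```

Run it against the policy attached to the CodeBuild service role (and, separately, against any Deny statements from a permissions boundary) before re-releasing the change; an empty list means the object ARN from the error is covered.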