22
votes

Hello I created a codepipeline project with the following configuration:

  • Source Code in S3 pulled from Bitbucket.
  • Build with CodeBuild, generating an docker image and storing it into a Amazon ECS repository.
  • Deployment provider Amazon ECS.

All the process works ok until when it tries to deploy, for some reason I am getting the following error during deployment:

Insufficient permissions Unable to access the artifact with Amazon S3 object key 'FailedScanSubscriber/MyAppBuild/Wmu5kFy' located in the Amazon S3 artifact bucket 'codepipeline-us-west-2-913731893217'. The provided role does not have sufficient permissions.

During the building phase, it is even able to create a new docker image in the ECS repository.

I tried everything, changed IAM roles and policies, add full access to S3, I have even setted the S3 bucket as public, nothing worked. I am without options, if someone could help me that would be wonderful, I have poor experience with AWS, so any help is appreciated.

3

3 Answers

27
votes

I was able to find a solution. The true issue is that when the deployment provider is set as Amazon ECS, we need to generate an output artifact indicating the name of the task definition and the image uri, for example:

post_build:
    commands:
      - printf '[{"name":"your.task.definition.name","imageUri":"%s"}]' $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:$IMAGE_TAG > imagedefinitions.json

artifacts:
    files: imagedefinitions.json
8
votes

This happens when AWS CodeDeploy cannot find the build artifact from AWS CodeBuild. If you go into the S3 bucket and check the path you would actually see that the artifact object is NOT THERE!

Even though the error says about a permission issue. This can happen due the absent of the artifact object.

Solution: Properly configure artifacts section in buildspec.yml and configure AWS Codepipeline stages properly specifying input and output artifact names.

artifacts:
  files:
    - '**/*'
  base-directory: base_dir
  name: build-artifact-name
  discard-paths: no

Refer this article - https://medium.com/@shanikae/insufficient-permissions-unable-to-access-the-artifact-with-amazon-s3-247f27e6cdc3

0
votes

For me the issue was that my CodeBuild step was encrypting the artifacts using the Default AWS Managed S3 key.

My Deploy step uses a Cross-Account role, and so it couldn't retrieve the artifact. Once I changed the Codebuild encryption key to my CMK as it should've been originally, my deploy step succeeded.