AWS: IAM Policy for CodePipeline?

Question

No matter how open an IAM policy I give to my CodePipeline role, my CodeBuild step always fails with Access Denied in the DOWNLOAD_SOURCE phase. The build works fine when I run manually from CodeBuild.

I have literally granted this policy to the CodePipeline service role, and the pipeline still fails:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Has anyone else encountered a similar problem? Where should I be looking to fix this?

Sudharsan Sivasankaran Sudharsan Sivasankaran · Accepted Answer · 2018-02-25T02:38:13

The first place I'd look is your CodeBuild service role, make sure it has something like the following in the policy:

{
      "Sid": "S3GetObjectPolicy",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "*"
      ]
    },

AWS: IAM Policy for CodePipeline?

1 Answers