4
votes

I have a 3-stage CodePipeline on AWS.

  1. Source: Checks out upon commit a specific branch of CodeCommit (success)

  2. Build: Runs some tests on a docker image via CodeBuild (success)

  3. Deploy: Performs a deployment on a deployment group (a.k.a. some specifically tagged EC2 instances) via CodeDeploy (failure).

Step 3 fails with

Unable to access the artifact with Amazon S3 object key 'someitem-/BuildArtif/5zyjxoZ' located in the Amazon S3 artifact bucket 'codepipeline-eu-west-1-somerandomnumber'. The provided role does not have sufficient permissions.

Which role is the latter referring to?

The service role of CodePipeline or the service role of CodeDeploy?

I am almost certain I have attached the appropriate policies to both though ...

Here is a snippet of my CodePipeline service role


4
I'm guessing it's the CodeDeploy role, since it's the CodePipeline that put the artifact into the bucket (although it doesn't necessarily mean it can also get it back). - Milan Cermak
This is due to the artifact not being created. Refer to this answer (stackoverflow.com/a/60983084/4842112) and article - medium.com/@shanikae/… - Shanika Ediriweera

4 Answers

2
votes

Try to give "CodeDeploy" policy with full access, it should work.

1
votes

This could also be due to the actual BuildArtifact not existing. Check the specified path in your S3 bucket to see whether the object actually exists. CodePipeline just gives CodeDeploy a reference to an artifact it thinks has been built and uploaded, but it doesn't really know.

1
votes

This issue is not related to the roles assigned to either CodePipeline or CodeBuild. If you investigate, you would find that in the S3 bucket 'codepipeline-eu-west-1-somerandomnumber', there is no folder "BuildArtif" and certainly no file - "5zyjxoZ".

The issue is that CodeBuild is not sending any artifact to CodeDeploy. Change the 'Input artifacts' for CodeBuild to the output of the Source stage of the pipeline and the issue would be resolved.

0
votes

The error message should be referring to the CodeDeploy role. The CodeDeploy action passes the S3 artifact by reference to CodeDeploy, so the CodeDeploy role needs to have read access to the CodePipeline artifact.
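
The answers above give two different causes for the same error: the artifact object is not in the bucket, or a role cannot read it. The following is an added example, not part of any answer in this thread, that checks both in order for each candidate role from the question. It assumes boto3 and caller credentials that may call `s3:GetObject` and `iam:SimulatePrincipalPolicy`; the function names are illustrative and the role ARNs are supplied by you.

```python
# Added example, not code from the thread. Function names are illustrative.
import sys

READ_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion"]


def artifact_exists(s3, bucket, key):
    """True if the object is there, False on 404; any other error propagates."""
    try:
        s3.head_object(Bucket=bucket, Key=key)
        return True
    except Exception as exc:  # botocore.exceptions.ClientError in real use
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code in ("404", "NoSuchKey", "NotFound"):
            return False
        raise  # e.g. 403: the caller itself cannot read the bucket


def denied_actions(iam, role_arn, bucket, key):
    """Read actions the role's identity policies do not allow on the object.

    The simulator does not see the bucket policy or a KMS key policy, so an
    empty result only clears the IAM policies attached to the role.
    """
    resp = iam.simulate_principal_policy(
        PolicySourceArn=role_arn,
        ActionNames=READ_ACTIONS,
        ResourceArns=[f"arn:aws:s3:::{bucket}/{key}"],
    )
    return [r["EvalActionName"] for r in resp["EvaluationResults"]
            if r["EvalDecision"] != "allowed"]


def diagnose(s3, iam, bucket, key, role_arns):
    """Return one finding per problem; an empty list means none was found."""
    if not artifact_exists(s3, bucket, key):
        return [f"artifact missing: s3://{bucket}/{key}"]
    findings = []
    for arn in role_arns:
        missing = denied_actions(iam, arn, bucket, key)
        if missing:
            findings.append(f"{arn} lacks {', '.join(missing)}")
    return findings


# Usage: python check_artifact.py BUCKET KEY ROLE_ARN [ROLE_ARN ...]
if __name__ == "__main__" and len(sys.argv) > 3:
    import boto3
    bucket, key, *roles = sys.argv[1:]
    result = diagnose(boto3.client("s3"), boto3.client("iam"), bucket, key, roles)
    print("\n".join(result) or "no problem found")
```

If a role is reported as lacking only these two actions, granting them on the artifact bucket's objects is enough for this check to pass.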