2
votes

I am trying to build a Pipeline for our CICD process using AWS CodePipeline. I click on "Create Pipeline", provide a name and use the defaults for the first panel. On the next panel, on selecting "BitBucket(beta)" as the source provider, I get the following access exception:

AccessDeniedException: User: arn:aws:iam::280945876345:user/Roger is not authorized to perform: codestar-connections:ListConnections on resource: arn:aws:codestar-connections:us-west-2:280945876345:*

I went through the documentation and provided full access to CodePipeline, CodeDeploy, CodeStar, CodeBuildAdmin, CloudFormation, AmazonS3, AmazonECS, AWSCodeCommit to the IAM user. I don't find any policies related to codestar-connections:* that I could add. I understand the CodePipeline-BitBucket integration is in Beta phase, but just wanted to check if anyone else had encountered this issue and resolved it.

1
You have to add codestar-connections:* to the Roger role. - Marcin
Thanks for your response. How do I add codestar-connections:* to the user Roger? I don't find a policy with that name. I tried creating a policy as shown below: { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action" : "codestar-connections:*", "Resource" : "*" }] } I get a message "This policy does not grant any permissions. To grant access, policies must have an action that has an applicable resource or condition", which I believe means that service is not available. - gsa
One way of doing this is: go to IAM->Roles->Roger role. Add an inline policy directly to the role. You have to construct the policy yourself. The console should guide you. - Marcin
I went ahead and added the codestar-connections* policy to the user and ignored the message that the service is not available. It works now. Thanks for the help. - gsa
No problem. I will add an answer for future reference if you don't mind. - Marcin

1 Answer

1
votes

Based on the comments, the problem was due to missing permissions to codestar-connections.

The solution was to create an inline policy in the role in question with permissions to codestar-connections:*.
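
An added example, not part of the original thread: a narrower alternative to `codestar-connections:*` on `*` is to grant only what the error message says was denied. This Python code parses the AccessDeniedException text from the question, reports the principal type and name given in its ARN, and builds an inline policy limited to the denied action and resource. The function names and the second, assumed-role message used in the test are constructed for illustration.

```python
import json
import re

# Error text copied from the question above.
SAMPLE_ERROR = (
    "AccessDeniedException: User: arn:aws:iam::280945876345:user/Roger "
    "is not authorized to perform: codestar-connections:ListConnections "
    "on resource: arn:aws:codestar-connections:us-west-2:280945876345:*"
)

DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:(?:iam|sts)::\d{12}:"
    r"(?P<kind>user|role|assumed-role)/(?P<name>\S+)) "
    r"is not authorized to perform: (?P<action>[\w-]+:\w+)"
    r"(?: on resource: (?P<resource>\S+))?"
)

def parse_denied(message):
    """Extract principal kind/name, denied action and resource from the message."""
    m = DENIED_RE.search(message)
    if m is None:
        raise ValueError("not an IAM access-denied message")
    d = m.groupdict()
    # assumed-role/<role>/<session>: the policy belongs on the role itself.
    if d["kind"] == "assumed-role":
        d["kind"], d["name"] = "role", d["name"].split("/")[0]
    d["resource"] = d["resource"] or "*"
    return d

def attach_target(message):
    """Return (kind, name) of the identity the inline policy must be attached to."""
    d = parse_denied(message)
    return d["kind"], d["name"]

def scoped_policy(messages):
    """Build one policy allowing only the denied actions, grouped per resource."""
    by_resource = {}
    for msg in messages:
        d = parse_denied(msg)
        by_resource.setdefault(d["resource"], set()).add(d["action"])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(actions), "Resource": res}
            for res, actions in sorted(by_resource.items())
        ],
    }

if __name__ == "__main__":
    print(attach_target(SAMPLE_ERROR))  # which identity gets the inline policy
    print(json.dumps(scoped_policy([SAMPLE_ERROR]), indent=2))
```

Further denied actions that surface while finishing the pipeline wizard can be appended to the list passed to `scoped_policy`, so the policy grows only by what was actually needed.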