CodeBuild and CodePipeline error in (AWS) - amazon-web-services

I am trying to create an AWS CodePipeline that will trigger and pull files from my GitHub repo whenever there is a commit and then build & deploy to my ECS using CodeBuild.
I managed to create a CodeBuild project that takes the files, builds a Docker image and tags + pushes it to ECR, and it's working perfectly fine.
BUT when I try to use this CodeBuild project (which definitely works OK manually) in my CodePipeline I receive an error:
CLIENT_ERROR: AccessDenied: Access Denied status code: 403, request id: MRKXFJDHM0ZJF1F6, host id: C6ds+Gg//r7hxFtBuwwpOPfPPcLbywL5AEWkXixCqfdNbjuFOo4zKEqRx6immShnCNK4VgIyJTs= for primary source and source version arn:aws:s3:::codepipeline-us-east-1-805870671912/segev/SourceArti/Qm4QUD8
I understand it has some connection with the S3 bucket but I cannot understand this error. Policies/roles are fine, I guess.
Any idea why building manually works OK but when the pipeline triggers the build I get this error?

Make sure the role associated with your CodePipeline has read & write permissions to your artifact S3 bucket, which from the error I can tell is arn:aws:s3:::codepipeline-us-east-1-805870671912
Check the docs about artifacts in CodePipeline:
https://docs.aws.amazon.com/codepipeline/latest/userguide/welcome-introducing-artifacts.html
Greetings.

Related

BitBucket Pipeline AWS OIDC Role Pipeline Failing

I am trying to run a Bitbucket pipeline to deploy to AWS using my own ECR image. Atlassian documentation is suspect at best, but these are the links:
https://support.atlassian.com/bitbucket-cloud/docs/deploy-on-aws-using-bitbucket-pipelines-openid-connect/#Using-claims-in-ID-tokens-to-limit-access-to-the-IAM-role-in-AWS
https://support.atlassian.com/bitbucket-cloud/docs/deploy-on-aws-using-bitbucket-pipelines-openid-connect/#Configure-Bitbucket-Pipelines-as-a-Web-Identity-Provider-on-AWS
Here's what I have done:
Configured the OIDC provider connector in AWS IAM
I have created the IAM role and added the trust relationship:
I have then configured my bitbucket-pipelines.yml file with the following:
The IAM role also has full admin permissions.
When I run the pipeline, it runs fine but fails without any error message:
It's not an ECR image cloning error as I had these before and resolved them, so why is this now failing? This Bitbucket pipeline configuration is working in other pipelines (using a different image) so I can't see anything wrong?
Any idea please?
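The trust relationship is the part of this setup that decides who may assume the role, so it is worth showing what a scoped one looks like. The following is an added example, not the poster's configuration and not Atlassian's or AWS's code: it builds an IAM trust policy that accepts Bitbucket Pipelines OIDC tokens only for one workspace (the aud claim) and one repository (the sub claim), following the claim formats in the Atlassian documentation linked above. The account ID, workspace name and UUIDs are constructed; copy the real ones from the repository's OpenID Connect settings page exactly as displayed there.

```python
"""Build an IAM trust policy for Bitbucket Pipelines OIDC that is scoped to one
workspace and one repository, instead of trusting every token the provider
issues.  Added example; every identifier below is made up."""
import json
from typing import Optional

# Claim formats per the Atlassian OIDC documentation linked in the question:
#   iss = https://api.bitbucket.org/2.0/workspaces/<workspace>/pipelines-config/identity/oidc
#   aud = ari:cloud:bitbucket::workspace/<workspace UUID>
#   sub = <repository UUID>:<step UUID>
#      or <repository UUID>:<environment UUID>:<step UUID> for deployment steps
# Paste the UUIDs exactly as the repository's OpenID Connect settings page shows them.


def bitbucket_oidc_trust_policy(account_id: str, workspace: str, workspace_uuid: str,
                                repository_uuid: str,
                                environment_uuid: Optional[str] = None) -> dict:
    """Trust policy allowing sts:AssumeRoleWithWebIdentity only for tokens whose
    aud matches this workspace and whose sub starts with this repository UUID
    (and, optionally, one deployment environment)."""
    issuer_path = f"api.bitbucket.org/2.0/workspaces/{workspace}/pipelines-config/identity/oidc"
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{issuer_path}"
    audience = f"ari:cloud:bitbucket::workspace/{workspace_uuid}"
    sub_pattern = (f"{repository_uuid}:{environment_uuid}:*" if environment_uuid
                   else f"{repository_uuid}:*")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                # aud is an exact match; sub is a prefix match on the repository UUID
                "StringEquals": {f"{issuer_path}:aud": audience},
                "StringLike": {f"{issuer_path}:sub": sub_pattern},
            },
        }],
    }


def trust_policy_is_scoped(policy: dict) -> bool:
    """True only if every AssumeRoleWithWebIdentity statement pins both the aud
    and the sub claim.  Without both, any pipeline in the workspace (or any
    workspace the provider issues tokens for) could assume the role."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        keys = {k for block in cond.values() for k in block}
        has_aud = any(k.endswith(":aud") for k in keys)
        has_sub = any(k.endswith(":sub") for k in keys)
        if not (has_aud and has_sub):
            return False
    return True


# Constructed values: not a real account, workspace or repository.
EXAMPLE_POLICY = bitbucket_oidc_trust_policy(
    account_id="123456789012",
    workspace="example-workspace",
    workspace_uuid="0c2a9f6e-1b33-4c8d-9a5e-3f2b1a7c6d5e",
    repository_uuid="7f1d2e3c-4b5a-4c6d-8e9f-0a1b2c3d4e5f",
)

# The permissive variant for comparison: trusts the provider with no claim checks.
UNSCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": EXAMPLE_POLICY["Statement"][0]["Principal"]["Federated"]},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }],
}

if __name__ == "__main__":
    print(json.dumps(EXAMPLE_POLICY, indent=2))
```

A role whose trust policy looks like UNSCOPED_POLICY, combined with the full admin permissions the post mentions, can be assumed by any step in any repository of any workspace whose tokens the provider accepts; pinning aud and sub narrows that to the one repository that should deploy.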

AWS Code Pipeline Failed replicating artifact

I have a build pipeline that has a source of AWS Code Commit. When there is a commit, this runs a build script in AWS Code Build that builds the project, builds a docker image and pushes into ECR. The final stage deploys the docker image into an ECS cluster in a different region which fails with the following error:
Replication of artifact 'BuildArtifact' failed: Failed replicating artifact from bucket 1 in region 1 to bucket 2 in region 2: Check source and destination artifact buckets exist and pipeline role has permission to access it.
Bucket 1 does have the artifact in it, but bucket 2 is empty. I have tried giving the CodePipeline role full access to S3, but that didn't change anything. There is nothing in CloudTrail regarding the error. This question discusses a similar issue but I believe this is no longer relevant as the way cross-region deployments work has changed since then. I have tried re-creating the pipeline (with the same parameters) but this still gives the same error. Perhaps there is some additional permission it needs that AWS didn't create.
If anybody could tell me how to fix, or debug this issue, it would be appreciated.
Thanks,
Adam

AWS CodePipeline is failing with InternalFailure

I have migrated existing AWS resources from one CloudFormation (CFT) stack to another CFT stack using the link below.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-new-stack.html
After migration, my new CFT stack's status was "IMPORT_COMPLETE". Then I created an AWS CodePipeline wherein my source is AWS CodeCommit and I am trying to deploy it to a CloudFormation stack using CodePipeline.
In my CodePipeline I am using my new CFT stack to which I have migrated my existing AWS resources, and in the same template I have updated my code by adding an SQS queue policy and uploaded the code to CodeCommit.
So, when my AWS CodePipeline gets triggered it fails with an "InternalFailure" error and it is not giving any specific error about why it is failing.
Also, I have checked the CloudTrail logs and there I can see my pipeline is failing after the "UploadArchive" event which belongs to CodeCommit and it is not moving further. Also, I tried to give administrator permission to my pipeline service role as well as the CloudFormation role but the error is still the same.
Later, one thing I observed is that when I update my new CloudFormation stack using the AWS CloudFormation console then my stack's status changes to "UPDATE_COMPLETE". After that, if I update the code in CodeCommit then my pipeline completes successfully.
So, not sure why my pipeline is failing with "InternalFailure" when my stack's status is "IMPORT_COMPLETE". Could you please help me to understand if I am missing any specific step due to which my pipeline is failing with this error when my CFT stack's status is "IMPORT_COMPLETE"?
It's a bug in CodePipeline. I'd recommend submitting a ticket to them in hopes they make a fix. I only found this out via support myself.

error 403 while building the app in AWS amplify

I was trying to build a simple serverless web app in AWS. So, I put my static files in CodeCommit and tried to host it through AWS Amplify. AWS builds the amplify.yml for us by default, but it is failing in the build stage. I understood that there is something wrong in amplify.yml and am not getting how to configure it.
amplify.yml:
version: 1
frontend:
  phases:
    # IMPORTANT - Please verify your build commands
    build:
      commands: []
  artifacts:
    # IMPORTANT - Please verify your build output directory
    baseDirectory: /
    files:
      - '**/*'
  cache:
    paths: []
The error I was shown:
2021-01-23T15:01:54.840Z [INFO]: # Cloning repository: https://git-codecommit.us-east-2.amazonaws.com/v1/repos/wildrydes-site
2021-01-23T15:01:55.176Z [INFO]: Cloning into 'wildrydes-site'...
2021-01-23T15:02:02.660Z [INFO]: fatal: unable to access 'https://git-codecommit.us-east-2.amazonaws.com/v1/repos/wildrydes-site/': The requested URL returned error: 403
With the limited amount of information provided, the best I can offer is the issue is somewhere in your IAM privileges for your CodeCommit user. AWS components generally need to have the appropriate Group, Role, and/or Policy to complete the action.
Put another way: CodeCommit is giving a 403 Forbidden error because whatever is attempting to do the cloning doesn't have the right permissions. Give it the right permissions.
You can find the execution role that Amplify uses to run its builds by navigating to AWS Amplify > General (in the left-hand column). Under the Settings section, you'll see a value for the "Service role" field. It will look something like this: "arn:aws:iam:::role/service-role/AWSAmplifyExecutionRole-xxxx".
Once you find that, navigate to IAM > Roles and search for the service role that you just found (AWSAmplifyExecutionRole-xxxx) and click on it. Then click "Attach policies". Search for the "AWSCodeCommitReadOnly" policy and attach it to the role.
You should be able to clone your CodeCommit repository in your Amplify build now.
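The answer attaches the account-wide AWSCodeCommitReadOnly managed policy. The block below is an added example (not the answerer's steps and not Amplify's code) showing the narrower grant a clone actually needs: it reads the region and repository name out of the failing log line and produces an inline policy that allows codecommit:GitPull on that one repository only, which can be attached to the same AWSAmplifyExecutionRole-xxxx service role. The account ID is a placeholder; the log line is the one from the question, rejoined onto a single line.

```python
"""Turn the 403 in the Amplify build log into the smallest CodeCommit grant that
fixes it: codecommit:GitPull on that one repository, rather than the
account-wide AWSCodeCommitReadOnly managed policy.
Added example; the account ID is made up."""
import re
from typing import Dict, Optional

# CodeCommit HTTPS clone URLs have the form
#   https://git-codecommit.<region>.amazonaws.com/v1/repos/<repo-name>
_CLONE_URL = re.compile(
    r"https://git-codecommit\.(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)"
    r"\.amazonaws\.com/v1/repos/(?P<repo>[A-Za-z0-9._-]+)")


def parse_clone_url(log_line: str) -> Optional[Dict[str, str]]:
    """Find a CodeCommit clone URL anywhere in one line of build output."""
    m = _CLONE_URL.search(log_line)
    return {"region": m.group("region"), "repo": m.group("repo")} if m else None


def codecommit_pull_policy(region: str, account_id: str, repo: str) -> dict:
    """Inline policy for the Amplify service role: read-only git access to one
    repository.  GitPull is all a clone needs; GitPush is deliberately absent."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AmplifyCloneOneRepo",
            "Effect": "Allow",
            "Action": ["codecommit:GitPull"],
            "Resource": f"arn:aws:codecommit:{region}:{account_id}:{repo}",
        }],
    }


def policy_for_failed_clone(log_line: str, account_id: str) -> Optional[dict]:
    """Derive the policy from the failing log line, or None when the line does
    not contain a CodeCommit clone URL (so nothing is granted on a guess)."""
    parsed = parse_clone_url(log_line)
    if parsed is None:
        return None
    return codecommit_pull_policy(parsed["region"], account_id, parsed["repo"])


# The failing line from the Amplify log in the question, rejoined onto one line.
FAILED_CLONE_LINE = ("2021-01-23T15:02:02.660Z [INFO]: fatal: unable to access "
                     "'https://git-codecommit.us-east-2.amazonaws.com/v1/repos/wildrydes-site/': "
                     "The requested URL returned error: 403")

if __name__ == "__main__":
    import json
    # "123456789012" is a placeholder account ID.
    print(json.dumps(policy_for_failed_clone(FAILED_CLONE_LINE, "123456789012"), indent=2))
```

If the build later needs more than a clone (for example reading pull-request metadata), extend the Action list for that repository rather than reaching for the managed policy, which covers every repository in the account.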

CodeDeploy step of CodePipeline because of insufficient role permissions

I have a 3 stage CodePipeline on AWS.
Source: Checks out upon commit a specific branch of CodeCommit (success)
Build: Runs some tests on a docker image via CodeBuild (success)
Deploy: Performs a deployment on a deployment group (a.k.a. some specifically tagged EC2 instances) via CodeDeploy (failure).
Step 3 fails with:
Unable to access the artifact with Amazon S3 object key 'someitem-/BuildArtif/5zyjxoZ' located in the Amazon S3 artifact bucket 'codepipeline-eu-west-1-somerandomnumber'. The provided role does not have sufficient permissions.
Which role is the latter referring to?
The service role of CodePipeline or the service role of CodeDeploy?
I am almost certain I have attached the appropriate policies to both though ...
Here is a snippet of my CodePipeline service role
Try giving the "CodeDeploy" policy full access; it should work.
This could also be due to the actual BuildArtifact not existing. Check the specified path in your S3 bucket to see whether the object actually exists. CodePipeline just gives CodeDeploy a reference to an artifact it thinks has been built and uploaded, but it doesn't really know.
This issue is not related to the roles assigned to either CodePipeline or CodeBuild. If you investigate you would find that in the S3 bucket 'codepipeline-eu-west-1-somerandomnumber' there is no folder "BuildArtif" and certainly no file "5zyjxoZ".
The issue is that CodeBuild is not sending any artifact to CodeDeploy. Change the 'Input artifacts' for CodeBuild to the output of the Source stage of the pipeline and the issue will be resolved.
The error message should be referring to the CodeDeploy role. The CodeDeploy action passes the S3 artifact by reference to CodeDeploy, so the CodeDeploy role needs to have read access to the CodePipeline artifact.
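Two of the answers above make the same observation from different angles: CodePipeline hands CodeDeploy a reference to an S3 key it believes was uploaded, and if the build action was never wired to produce that artifact, the key does not exist and the error reads like a permissions problem. The block below is an added example, not code from the thread or from AWS, that checks this wiring statically on the pipeline structure (the JSON shape returned by get-pipeline): every input artifact must be produced by an earlier action, no artifact name may be produced twice, and a CodeDeploy action must consume exactly one artifact. The two pipelines it inspects are constructed to mirror the thread's misconfiguration and its fix.

```python
"""Lint a CodePipeline definition (the "pipeline" object from
`aws codepipeline get-pipeline`) for artifact wiring mistakes.  An action
whose input artifact nothing earlier produces is exactly how CodeDeploy ends
up being handed an S3 key that was never written.
Added example; both pipelines below are constructed."""
from itertools import groupby
from typing import Dict, List


def lint_artifact_wiring(pipeline: Dict) -> List[str]:
    """Return human-readable problems; an empty list means the wiring is consistent."""
    problems: List[str] = []
    produced: Dict[str, str] = {}  # artifact name -> "stage/action" that emits it
    for stage in pipeline["stages"]:
        # Actions in a stage run in runOrder groups.  A group may consume what
        # earlier groups (or earlier stages) produced, never its own outputs.
        run_order = lambda a: a.get("runOrder", 1)
        actions = sorted(stage["actions"], key=run_order)
        for _, group in groupby(actions, key=run_order):
            group = list(group)
            for action in group:
                where = f"{stage['name']}/{action['name']}"
                inputs = [a["name"] for a in action.get("inputArtifacts", [])]
                for name in inputs:
                    if name not in produced:
                        problems.append(
                            f"{where}: input artifact '{name}' is not produced by any earlier action")
                kind = action["actionTypeId"]
                if kind["category"] == "Deploy" and kind["provider"] == "CodeDeploy" and len(inputs) != 1:
                    problems.append(
                        f"{where}: CodeDeploy needs exactly one input artifact, got {len(inputs)}")
            for action in group:
                where = f"{stage['name']}/{action['name']}"
                for art in action.get("outputArtifacts", []):
                    if art["name"] in produced:
                        problems.append(
                            f"{where}: output artifact '{art['name']}' is also produced by {produced[art['name']]}")
                    produced[art["name"]] = where
    return problems


def _action(name, category, provider, inputs=(), outputs=(), run_order=1):
    """Build one action in the get-pipeline JSON shape (constructed helper)."""
    return {"name": name, "runOrder": run_order,
            "actionTypeId": {"category": category, "owner": "AWS",
                             "provider": provider, "version": "1"},
            "inputArtifacts": [{"name": n} for n in inputs],
            "outputArtifacts": [{"name": n} for n in outputs]}


# Mirrors the thread: Build consumes a misspelled artifact instead of the Source
# output and declares no output, so Deploy's 'BuildArtifact' never reaches S3.
BROKEN_PIPELINE = {"name": "demo", "stages": [
    {"name": "Source", "actions": [
        _action("Source", "Source", "CodeCommit", outputs=["SourceArtifact"])]},
    {"name": "Build", "actions": [
        _action("Build", "Build", "CodeBuild", inputs=["SourceArtifct"])]},
    {"name": "Deploy", "actions": [
        _action("Deploy", "Deploy", "CodeDeploy", inputs=["BuildArtifact"])]},
]}

# The fix from the thread: Build takes the Source output and emits BuildArtifact.
FIXED_PIPELINE = {"name": "demo", "stages": [
    {"name": "Source", "actions": [
        _action("Source", "Source", "CodeCommit", outputs=["SourceArtifact"])]},
    {"name": "Build", "actions": [
        _action("Build", "Build", "CodeBuild", inputs=["SourceArtifact"], outputs=["BuildArtifact"])]},
    {"name": "Deploy", "actions": [
        _action("Deploy", "Deploy", "CodeDeploy", inputs=["BuildArtifact"])]},
]}

if __name__ == "__main__":
    for label, p in (("broken", BROKEN_PIPELINE), ("fixed", FIXED_PIPELINE)):
        print(label, lint_artifact_wiring(p) or "ok")
```

Run the linter before touching IAM: if it reports nothing and the error persists, the role that needs s3:GetObject on the artifact bucket is the one CodeDeploy assumes, as the last answer says.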