I am building an Amplify React app and trying to connect it to my private npm packages in my CodeArtifact repository.
In the build file amplify.yml, I added
preBuild:
  commands:
    - aws codeartifact login --tool npm --repository myrepo --domain mydomain --namespace mynamespace --domain-owner myid
    - yarn install
and gave the amplify service role the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codeartifact:GetAuthorizationToken",
        "codeartifact:GetRepositoryEndpoint",
        "codeartifact:ReadFromRepository"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "sts:GetServiceBearerToken",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "sts:AWSServiceName": "codeartifact.amazonaws.com"
        }
      }
    }
  ]
}
This setup works for CodeBuild building Lambda functions, but in Amplify, I get
Successfully configured npm to use AWS CodeArtifact repository
after the login command and
error An unexpected error occurred: "<some-package-url>: Request failed \"401 Unauthorized\"".
when installing dependencies.
I debugged the environment in the Amplify build and did not find any AWS access key ID or secret, but I also don't know why.
OK, I resolved my issue by deleting yarn.lock and adding it to .gitignore.
The problem was that yarn caches the resolved package address in yarn.lock. That address was in my CodeArtifact repository, because I was logged in while installing dependencies on my dev machine. Since yarn.lock is not in .gitignore by default, I just pushed it into the build. When yarn installs dependencies in the build, it uses the cached addresses, which can't be reached anymore.
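A pre-push check for the yarn.lock problem described in this answer, added here as an example (it is not code from the original post). It parses the v1 yarn.lock format and reports every `resolved` URL whose host is not a public registry, classifying CodeArtifact endpoints by their `<domain>-<owner>.d.codeartifact.<region>.amazonaws.com` host pattern. The sample lockfile text, the domain and owner id, and the package names are constructed.

```python
"""Report yarn.lock entries whose `resolved` URL points at a private registry.

Added example (not from the original post). The sample lockfile content below
is constructed; the CodeArtifact domain, owner id and package names are made up.
"""
import re
import sys
from urllib.parse import urlparse

# Hosts whose URLs are safe to commit: any build host can reach them.
PUBLIC_REGISTRY_HOSTS = {"registry.yarnpkg.com", "registry.npmjs.org"}

# CodeArtifact npm endpoints have the form
#   https://<domain>-<owner>.d.codeartifact.<region>.amazonaws.com/npm/<repo>/...
CODEARTIFACT_HOST_RE = re.compile(r"\.d\.codeartifact\.[a-z0-9-]+\.amazonaws\.com$")

_ENTRY_RE = re.compile(r'^(?P<key>\S.*):\s*$')             # unindented "pkg@range":
_RESOLVED_RE = re.compile(r'^\s+resolved\s+"?(?P<url>[^"\s]+)"?')


def scan_yarn_lock(lock_text):
    """Return [(entry, host, kind)] for each resolved URL not on a public registry.

    kind is "codeartifact" for CodeArtifact hosts and "other-private" otherwise.
    """
    findings = []
    entry = None
    for line in lock_text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entry = m.group("key").strip('"')
            continue
        m = _RESOLVED_RE.match(line)
        if not m:
            continue
        host = (urlparse(m.group("url")).hostname or "").lower()
        if host in PUBLIC_REGISTRY_HOSTS:
            continue
        kind = "codeartifact" if CODEARTIFACT_HOST_RE.search(host) else "other-private"
        findings.append((entry, host, kind))
    return findings


# Constructed sample: one private package resolved through CodeArtifact while
# the developer was logged in, one public package from the yarn registry.
SAMPLE_LOCK = """# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@mynamespace/private-ui@^2.1.0":
  version "2.1.0"
  resolved "https://mydomain-111122223333.d.codeartifact.us-east-1.amazonaws.com/npm/myrepo/@mynamespace/private-ui/-/private-ui-2.1.0.tgz#0123abcd"
  integrity sha512-constructedvalue

react@^17.0.2:
  version "17.0.2"
  resolved "https://registry.yarnpkg.com/react/-/react-17.0.2.tgz#4567efab"
  integrity sha512-constructedvalue
"""


def main(argv):
    # With a path argument scan that file; otherwise scan the constructed sample.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_LOCK
    findings = scan_yarn_lock(text)
    for entry, host, kind in findings:
        print(f"{kind}: {entry} resolves via {host}")
    # Non-zero exit lets a pre-push hook or CI step refuse the lockfile.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_yarn_lock.py yarn.lock` from a pre-push hook or as an early build step: a non-zero exit means the lockfile pins a URL that the Amplify build host will not be able to reach without a fresh CodeArtifact login, which is exactly the 401 this thread is about.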
Related
My project uses a library from AWS CodeArtifact. I can fetch the library and build the project locally and in the GitHub build. When the AWS CodePipeline runs in our Dev environment, CodeArtifact returns a 401 when trying to access the library.
I updated the IAM role running the Pipeline so that it has these actions:
{
  "Effect": "Allow",
  "Action": [
    "codeartifact:GetAuthorizationToken",
    "codeartifact:GetRepositoryEndpoint",
    "codeartifact:ReadFromRepository"
  ],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": "sts:GetServiceBearerToken",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "sts:AWSServiceName": "codeartifact.amazonaws.com"
    }
  }
}
I updated the Repository Policy to include this IAM role. The Repository Policy has these actions:
"codeartifact:DescribePackageVersion",
"codeartifact:DescribeRepository",
"codeartifact:GetPackageVersionReadme",
"codeartifact:GetPackageVersionAssets",
"codeartifact:GetRepositoryEndpoint",
"codeartifact:ListPackageVersionAssets",
"codeartifact:ListPackageVersionDependencies",
"codeartifact:ListPackageVersions",
"codeartifact:ListPackages",
"codeartifact:PublishPackageVersion",
"codeartifact:PutPackageMetadata",
"codeartifact:ReadFromRepository",
"codeartifact:GetAuthorizationToken"
My build.gradle is using the repository as described here and works locally this way - https://medium.com/#chauyan/use-aws-codeartifact-in-your-project-7bf5d3e0d3dc
I'm guessing it has to do with the way the library was published; maybe it doesn't have the right permissions, but I don't see that the permissions are changeable here. Why am I getting a 401 from CodeArtifact when trying to build the project in CodePipeline?
You have to publish to maven central
Trying to host a web application (HTML) using a serverless approach on AWS Amplify, connecting to the AWS CodeCommit repository (where the HTML code version history is maintained). Save and Deploy of the app on Amplify is failing in the 'Build' step and returns the following error:
2020-08-17T01:32:37.631Z [INFO]: Cloning into 'Test'...
2020-08-17T01:32:42.406Z [INFO]: fatal: unable to access 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/Test/': The requested URL returned error: 403
2020-08-17T01:32:42.409Z [ERROR]: !!! Unable to clone repository
Steps followed: https://aws.amazon.com/getting-started/hands-on/build-serverless-web-app-lambda-apigateway-s3-dynamodb-cognito/module-1/
Step 1 (Host a static website, in the above link) only works if I give the repo name as 'wildrydes-site' exactly. If I just change the name to something else with all the same files, it doesn't work. Am I missing something here?
If you are getting a 403 error, you could check the policy associated with the service role in IAM. You need to specify the CodeCommit repository within the policy that uses the service role you specified in Amplify.
[screenshot: Amplify App Detail]
[screenshot: Service Role Policy]
You need to set a service role for your app.
If you don't have a service role for Amplify backend deployment, you have to create one.
The Amplify Console requires permissions to deploy backend resources with your front end. You use a service role to accomplish this.
The following would be helpful:
Adding a service role to the Amplify Console when you connect an app
Create a role for an AWS service. Select the use case "Amplify", then "Backend Deployment".
Go to the Amplify console. Open App settings, General. Set this role as your app's service role.
The Amplify app is missing permissions to your Git repository. Make sure you connect your AWS Amplify app to your repository in AWS CodeCommit.
Here's an image excerpt: [screenshot not included]
Please check the auto-generated policy "AWSAmplifyExecutionPolicy" created by AWS Amplify in the IAM console. The auto-generated AWSAmplifyExecutionPolicy specifies permission to access your repository in CodeCommit. The Resource in the CodeCommit policy should have the ARN of your repository.
Add an inline policy to give access to CodeCommit to clone the repository, and check the build code for any further errors.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "codecommit:*",
      "Resource": "*"
    }
  ]
}
Check your role policy JSON and see whether the policy has access to your repo ARN. Your repo ARN is required in the Resource list of the codecommit statement; if it is not present, add it.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:logs:ap-south-1:<accountid>:log-group:/aws/amplify/xxxxxx",
        "arn:aws:logs:ap-south-1:<accountid>:log-group:/aws/amplify/xxxxxx:*"
      ],
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:codecommit:ap-south-1:<accountid>:<repo_name>",
        "arn:aws:codecommit:ap-south-1:<accountid>:<repo_name>"
      ],
      "Action": [
        "codecommit:GitPull"
      ]
    }
  ]
}
I encountered the same issue. As another answer mentioned, a role is needed.
I want to give my detailed steps:
go to the Amplify console;
choose the application;
click "general" in "application settings" in the left menu;
click "edit" at the top right;
click "create new role";
on the next page, some items will be chosen automatically, including "AWS production", "Amplify", "Amplify - Backend Deployment";
next and next;
If this procedure fails, try to get more authority or log in as admin.
I have a really simple setup for my Serverless application that uses NodeJS. Everything builds just fine in Bitbucket Pipelines except for the deployment through the standard serverless deploy command, where I get the following error message:
User: arn:aws:iam::123456789012:user/bitbucket-build-user is not authorized to perform: cloudformation:DescribeStackResources on resource: arn:aws:cloudformation:my-region: 123456789012:stack/mylambda-dev/*
Locally it works just fine. Here's the Pipelines configuration:
image:
  name: mydocker/serverless-docker:latest
  username: $MY_DOCKER_HUB_USERNAME
  password: $MY_DOCKER_HUB_PASSWORD
  email: $MY_DOCKER_HUB_EMAIL
pipelines:
  default:
    - step:
        script:
          - npm install
          - npm run lint
  branches:
    master:
      - step:
          script:
            - npm install
            - npm run lint
            - serverless config credentials --overwrite --provider aws --key $MY_AWS_KEY --secret $MY_AWS_SECRET
            - serverless deploy
Is there something I'm missing here?
Since Serverless uses AWS CloudFormation for a full deploy (the one you do with serverless deploy), the bitbucket-build-user has to have certain permissions to manage CloudFormation stacks. So at the bare minimum, you'll need to attach a policy that looks like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:Describe*",
        "cloudformation:List*",
        "cloudformation:Get*",
        "cloudformation:PreviewStackUpdate",
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:DeleteStack"
      ],
      "Resource": "*"
    }
  ]
}
Take a look at https://github.com/serverless/serverless/issues/1439 to get an idea what permissions bitbucket-build-user might need.
Personally, I just use https://github.com/dancrumb/generator-serverless-policy to generate those policies instead of writing them manually every time.
I'm trying to deploy a GitHub project to an EC2 instance using AWS CodeDeploy. After following 2 video tutorials and a bunch of Google answers, I'm still getting the following error:
2017-02-01 12:20:08 INFO [codedeploy-agent(1379)]: master 1379: Spawned child 1/1
2017-02-01 12:20:09 INFO [codedeploy-agent(1383)]: On Premises config file does not exist or not readable
2017-02-01 12:20:09 INFO [codedeploy-agent(1383)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandExecutor: Archives to retain is: 5}
2017-02-01 12:20:09 INFO [codedeploy-agent(1383)]: Version file found in /opt/codedeploy-agent/.version.
2017-02-01 12:20:09 ERROR [codedeploy-agent(1383)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Missing credentials - please check if this instance was started with an IAM instance profile
I have two IAM roles:
CodeDeployInstanceRole
CodeDeployServiceRole
CodeDeployInstanceRole for the EC2 Instance
Policy Name: AmazonEC2RoleforAWSCodeDeploy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:ListObjects"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Policy Name: AutoScalingNotificationAccessRole
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "sqs:SendMessage",
        "sqs:GetQueueUrl",
        "sns:Publish"
      ]
    }
  ]
}
Trust Relationship
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codedeploy.amazonaws.com",
          "ec2.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
CodeDeployServiceRole for CodeDeploy
Policy Name: AWSCodeDeployRole
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CompleteLifecycleAction",
        "autoscaling:DeleteLifecycleHook",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:PutLifecycleHook",
        "autoscaling:RecordLifecycleActionHeartbeat",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:EnableMetricsCollection",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribePolicies",
        "autoscaling:DescribeScheduledActions",
        "autoscaling:DescribeNotificationConfigurations",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:AttachLoadBalancers",
        "autoscaling:PutScalingPolicy",
        "autoscaling:PutScheduledUpdateGroupAction",
        "autoscaling:PutNotificationConfiguration",
        "autoscaling:PutLifecycleHook",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DeleteAutoScalingGroup",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:TerminateInstances",
        "tag:GetTags",
        "tag:GetResources",
        "sns:Publish",
        "cloudwatch:DescribeAlarms",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
      ],
      "Resource": "*"
    }
  ]
}
Trust Relationship
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codedeploy.amazonaws.com",
          "ec2.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EC2 Instance
I spin up my own image that I created based on Debian, so I have NodeJS already installed. When I spin up the new instance I also paste the following code into the User data text area to make sure CodeDeploy is installed.
#!/bin/bash -x
REGION=$(curl 169.254.169.254/latest/meta-data/placement/availability-zone/ | sed 's/[a-z]$//') &&
sudo apt-get update -y &&
sudo apt-get install -y python-pip &&
sudo apt-get install -y ruby &&
sudo apt-get install -y wget &&
cd /home/admin &&
wget https://aws-codedeploy-$REGION.s3.amazonaws.com/latest/install &&
chmod +x ./install &&
sudo ./install auto &&
sudo apt-get remove -y wget &&
sudo service codedeploy-agent start
Debugging
If I log in to the EC2 instance that I have created, and execute the following command:
echo $(curl http://169.254.169.254/latest/meta-data/iam/security-credentials/)
I get the following response: CodeDeployInstanceRole
When I then execute
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/CodeDeployInstanceRole
I get the following response
{
  "Code" : "Success",
  "LastUpdated" : "2017-02-01T12:38:07Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "THE_KEY",
  "SecretAccessKey" : "SECRET",
  "Token" : "TOKEN",
  "Expiration" : "2017-02-01T19:08:43Z"
}
On GitHub I see that CodeDeploy never accesses my repo, even when I select deployment using GitHub and set the right repo name and commit ID.
Question
What am I missing?
I ran into the same issue. Briefly, what caused the problem:
Launch an instance WITHOUT any roles attached to it
Then install a codedeploy-agent on that machine
Only lastly attach an IAM role to the machine
Result: I get the error: Missing credentials - please check if this instance was started with an IAM instance profile
Solution: restart the codedeploy agent. Use:
sudo service codedeploy-agent restart
The error should be gone now!
I was getting the "please check if this instance was started with an IAM instance profile" error. To check if your instance was launched without an IAM profile, go to the AWS console -> your instance -> check the "IAM role" value in the Description tab; if it's empty then you launched the instance without an IAM role, and here is what to do to solve the issue:
Go to IAM console -> Roles -> Create new role
Select AWS Service -> EC2 -> Next: Permissions(don't change anything) -> Next: Tags -> Next: Review -> Give the name and click Create role.
Go to AWS EC2 console -> select instance -> Actions -> Instance settings -> Attach/replace IAM role -> Select IAM role you just created
Restart codedeploy agent: sudo service codedeploy-agent restart
Try to deploy again and it should work
Turns out that by default Debian doesn't have curl installed. Installing curl before making the curl request to get the region the server is running on was the missing part in the Bash script.
The instance role permissions look good to me. But the IAM instance profile was only added the first time the instance was launched. Could you make sure the instance role had the right permissions before launching the instances?
This is what worked for me in 2021 on Ubuntu 16.04
Upgrade from Python 3.5.2 to 3.6
https://www.rosehosting.com/blog/how-to-install-python-3-6-on-ubuntu-16-04/
with sudo ...
cd /opt
wget https://www.python.org/ftp/python/3.6.3/Python-3.6.3.tgz
tar -xvf Python-3.6.3.tgz
cd Python-3.6.3
./configure
apt-get install zlib1g-dev
make
make install
Install the latest version of AWS CLI v1
https://docs.aws.amazon.com/cli/latest/userguide/install-linux.html
cd ~
curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
unzip awscli-bundle.zip
sudo ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
Modify Instance Metadata
https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-metadata-options.html
aws ec2 modify-instance-metadata-options \
    --instance-id ${FOO_ID} \
    --http-tokens optional \
    --http-endpoint enabled
Install the CodeDeploy agent for Ubuntu Server
https://docs.aws.amazon.com/codedeploy/latest/userguide/codedeploy-agent-operations-install-ubuntu.html
sudo apt-get update
sudo apt-get install ruby
sudo apt-get install wget
cd /home/ubuntu
wget https://aws-codedeploy-us-west-2.s3.us-west-2.amazonaws.com/latest/install
chmod +x ./install
sudo ./install auto
sudo service codedeploy-agent restart
sudo service codedeploy-agent status
To view deployment log files on Amazon Linux, RHEL, and Ubuntu Server instances
https://docs.aws.amazon.com/codedeploy/latest/userguide/deployments-view-logs.html
tail -f /var/log/aws/codedeploy-agent/codedeploy-agent.log
tail -f /opt/codedeploy-agent/deployment-root/deployment-logs/codedeploy-agent-deployments.log
Detach the profile from EC2 and then attach it back (Actions -> Security). Finally restart the agent with
sudo service codedeploy-agent restart
My case is slightly different from the other answers. My profile looks correct and it has the correct policy. And the EC2 instance is attached to the role - at least that's what I see in the AWS console.
The root cause is that the EC2 instance does not have a correct profile attached, due to some regeneration of the same-name profile role. This can be confirmed with curl http://169.254.169.254/latest/meta-data/iam/info
404 means something is wrong.
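The checks the answers above describe by hand, as an added example (not code from any of the posts): a parser for the codedeploy-agent log format shown in the question that flags the "Missing credentials" error, an interpreter for the IMDS `iam/info` response (404 meaning no instance profile is attached, as the last answer notes), and a lookup from each finding to the fix the answers give. The log lines are copied from the question; the `iam/info` JSON body and the account id in it are constructed placeholders.

```python
"""Diagnose the CodeDeploy agent "Missing credentials" failure from two inputs:
the agent log and the IMDS iam/info response.

Added example; not from the original posts. The log lines are copied from the
question above; the IMDS JSON body is constructed with a placeholder account id.
"""
import json
import re

# Format of /var/log/aws/codedeploy-agent/codedeploy-agent.log lines, e.g.
# "2017-02-01 12:20:09 ERROR [codedeploy-agent(1383)]: ...: Missing credentials - ..."
_LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+) "
    r"\[codedeploy-agent\((?P<pid>\d+)\)\]: (?P<msg>.*)$"
)

# Each finding code maps to the remediation given in the answers above.
ADVICE = {
    "no-instance-profile-credentials":
        "Agent found no credentials: attach an instance profile (or detach and "
        "re-attach the existing one), then `sudo service codedeploy-agent restart`.",
    "no-instance-profile-attached":
        "IMDS returned 404 for iam/info: no instance profile is attached to this instance.",
    "instance-profile-ok":
        "Instance profile present; if the agent still logs missing credentials, "
        "restart it so it re-reads IMDS.",
}


def parse_agent_log(text):
    """Parse agent log lines into dicts; lines in any other format are skipped."""
    return [m.groupdict() for m in map(_LOG_RE.match, text.splitlines()) if m]


def diagnose_agent_log(text):
    """Return finding codes from the agent log (deduplicated, in order seen)."""
    findings = []
    for rec in parse_agent_log(text):
        if rec["level"] == "ERROR" and "Missing credentials" in rec["msg"]:
            code = "no-instance-profile-credentials"
            if code not in findings:
                findings.append(code)
    return findings


def diagnose_imds_iam_info(status_code, body):
    """Interpret GET http://169.254.169.254/latest/meta-data/iam/info."""
    if status_code == 404:
        return "no-instance-profile-attached"
    if status_code != 200:
        return f"unexpected-imds-status-{status_code}"
    info = json.loads(body)
    if info.get("Code") == "Success" and info.get("InstanceProfileArn"):
        return "instance-profile-ok"
    return "instance-profile-malformed"


def advice_for(codes):
    """Turn finding codes into the remediation text for an operator."""
    return [ADVICE.get(c, f"No advice for {c}") for c in codes]


# Log lines as posted in the question (the "Archives to retain" line omitted).
SAMPLE_LOG = """2017-02-01 12:20:08 INFO [codedeploy-agent(1379)]: master 1379: Spawned child 1/1
2017-02-01 12:20:09 INFO [codedeploy-agent(1383)]: On Premises config file does not exist or not readable
2017-02-01 12:20:09 INFO [codedeploy-agent(1383)]: Version file found in /opt/codedeploy-agent/.version.
2017-02-01 12:20:09 ERROR [codedeploy-agent(1383)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Missing credentials - please check if this instance was started with an IAM instance profile
"""

# Constructed iam/info body for an instance that does have a profile attached.
SAMPLE_IAM_INFO = json.dumps({
    "Code": "Success",
    "LastUpdated": "2017-02-01T12:38:07Z",
    "InstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/CodeDeployInstanceRole",
    "InstanceProfileId": "AIPAEXAMPLEPLACEHOLDER",
})


if __name__ == "__main__":
    codes = diagnose_agent_log(SAMPLE_LOG)
    codes.append(diagnose_imds_iam_info(404, ""))   # simulate the 404 case
    for line in advice_for(codes):
        print(line)
```

The plain `curl` of `iam/info` used in the answers is an IMDSv1 request; on an instance whose metadata options have HttpTokens set to required, that request itself fails until a session token is fetched first, which is also why one answer above switches the instance to `--http-tokens optional` for an older agent. Treat `required` as the stronger setting and `optional` as a deliberate, documented exception.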
I am trying to download the AWS CodeDeploy agent file on my Amazon Linux instance. I followed the instructions as mentioned in http://docs.aws.amazon.com/codedeploy/latest/userguide/how-to-run-agent.html, for Amazon Linux, and have created the appropriate instance profile, service role etc. Everything is the latest (Amazon Linux, CLI packages; it is a brand new instance and I have tried this with at least 3 more brand new instances with the same result). All instances have full outbound internet access.
But the following statement for downloading the installer from S3 always fails,
aws s3 cp s3://aws-codedeploy-us-east-1/latest/install . --region us-east-1
with the error,
A client error (403) occurred when calling the HeadObject operation: Forbidden
Completed 1 part(s) with ... file(s) remaining
Can anyone help me with this error?
I figured out the problem. According to the CodeDeploy documentation for the IAM instance profile
http://docs.aws.amazon.com/codedeploy/latest/userguide/how-to-create-iam-instance-profile.html
the following permissions need to be given to your IAM instance profile.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
But I limited the resource to my code bucket since I don't want my instances to access other buckets directly. It turns out I also need to give additional permission for the aws-codedeploy-us-east-1/* S3 resource to be able to download the agent. This is not very clear in the document for setting up the IAM instance profile for CodeDeploy.
More restrictive policy that works:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::aws-codedeploy-us-east-1/*",
        "arn:aws:s3:::aws-codedeploy-us-west-1/*",
        "arn:aws:s3:::aws-codedeploy-us-west-2/*",
        "arn:aws:s3:::aws-codedeploy-ap-south-1/*",
        "arn:aws:s3:::aws-codedeploy-ap-northeast-2/*",
        "arn:aws:s3:::aws-codedeploy-ap-southeast-1/*",
        "arn:aws:s3:::aws-codedeploy-ap-southeast-2/*",
        "arn:aws:s3:::aws-codedeploy-ap-northeast-1/*",
        "arn:aws:s3:::aws-codedeploy-eu-central-1/*",
        "arn:aws:s3:::aws-codedeploy-eu-west-1/*",
        "arn:aws:s3:::aws-codedeploy-sa-east-1/*"
      ]
    }
  ]
}
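A small evaluator for the identity policies this page keeps coming back to, added here as an example (not code from any of the posts above). It answers three questions the answers raise: does the Amplify role's policy grant codecommit:GitPull on the specific repository ARN rather than on "*" (the inline codecommit:* on "*" policy earlier on this page is reported as overly broad); does the bitbucket-build-user policy cover the cloudformation:DescribeStackResources call the Serverless deploy failed on; and does the restricted instance-profile policy cover the regional aws-codedeploy-<region> bucket the agent installer is fetched from. The sample policies are constructed from the JSON shown on the page with a placeholder account id, and the evaluator ignores Condition, NotAction and NotResource, which is a simplification of IAM's full evaluation, not a reimplementation of it.

```python
"""Check IAM identity policies for the grants the answers on this page rely on.

Added example, not from the original posts. Sample policies are constructed
from the JSON shown on the page; the account id is a placeholder. Assumptions:
Condition, NotAction and NotResource are ignored; only * and ? wildcards exist.
"""
import re


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob(pattern, ignore_case):
    """Compile an IAM-style pattern: * matches any run, ? matches one char."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.compile(regex, re.IGNORECASE if ignore_case else 0)


def _matches(stmt, action, resource):
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    # Action names are case-insensitive in IAM; resource ARNs are not.
    return (any(_glob(a, True).match(action) for a in actions)
            and any(_glob(r, False).match(resource) for r in resources))


def policy_allows(policy, action, resource):
    """True if `policy` grants `action` on `resource` (an explicit Deny wins)."""
    hits = [s for s in _as_list(policy.get("Statement")) if _matches(s, action, resource)]
    if any(s.get("Effect") == "Deny" for s in hits):
        return False
    return any(s.get("Effect") == "Allow" for s in hits)


def overly_broad_statements(policy):
    """Allow statements pairing a service-wide action wildcard with Resource "*"."""
    found = []
    for s in _as_list(policy.get("Statement")):
        wild_action = any(a == "*" or a.endswith(":*") for a in _as_list(s.get("Action")))
        wild_resource = "*" in _as_list(s.get("Resource"))
        if s.get("Effect") == "Allow" and wild_action and wild_resource:
            found.append(s)
    return found


def missing_grants(policy, required):
    """Return the (action, resource) pairs in `required` that `policy` does not allow."""
    return [(a, r) for a, r in required if not policy_allows(policy, a, r)]


# --- constructed sample policies, modelled on the JSON in the posts above ---
ACCOUNT = "123456789012"  # placeholder account id

CODECOMMIT_SCOPED = {  # GitPull on one repository, as the Amplify execution policy should be
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["codecommit:GitPull"],
                   "Resource": f"arn:aws:codecommit:ap-south-1:{ACCOUNT}:Test"}],
}
CODECOMMIT_BROAD = {  # the inline "codecommit:*" on "*" policy from this page
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "codecommit:*", "Resource": "*"}],
}
CLOUDFORMATION = {  # the bare-minimum policy given for bitbucket-build-user
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "cloudformation:Describe*", "cloudformation:List*", "cloudformation:Get*",
        "cloudformation:PreviewStackUpdate", "cloudformation:CreateStack",
        "cloudformation:UpdateStack", "cloudformation:DeleteStack"]}],
}
S3_AGENT_BUCKETS = {  # instance profile: own artifact bucket plus one agent bucket
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                   "Resource": ["arn:aws:s3:::aws-codedeploy-us-east-1/*",
                                f"arn:aws:s3:::my-app-artifacts-{ACCOUNT}/*"]}],
}


if __name__ == "__main__":
    stack = f"arn:aws:cloudformation:us-east-1:{ACCOUNT}:stack/mylambda-dev/*"
    print("broad codecommit statements:", len(overly_broad_statements(CODECOMMIT_BROAD)))
    print("serverless deploy missing:",
          missing_grants(CLOUDFORMATION, [("cloudformation:DescribeStackResources", stack)]))
    # An instance in eu-west-1 fetches its installer from a different regional bucket.
    print("agent download missing:", missing_grants(
        S3_AGENT_BUCKETS, [("s3:GetObject", "arn:aws:s3:::aws-codedeploy-eu-west-1/latest/install")]))
```

`missing_grants` is the useful entry point for a pre-deploy check: feed it the exact action the error message names (the IAM error text on this page spells out both action and resource ARN) and it reports whether the policy you are about to attach actually covers it, while `overly_broad_statements` catches the "fix it with `service:*` on `*`" shortcut before it reaches a role.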