I was trying to build a simple serverless web app in AWS. So, I put my static files in codecommit and tried to host it through AWS Amplify.The AWS builds the amplify.yml for us by default, but it is failing in the build stage. I understood that there is something wrong in amplify.yml and am not getting how to configure it.
amplify.yml :
version: 1
frontend:
phases:
# IMPORTANT - Please verify your build commands
build:
commands: []
artifacts:
# IMPORTANT - Please verify your build output directory
baseDirectory: /
files:
- '**/*'
cache:
paths: []
error I was shown:
2021-01-23T15:01:54.840Z [INFO]: # Cloning repository: https://git-codecommit.us-east-
2.amazonaws.com/v1/repos/wildrydes-site
2021-01-23T15:01:55.176Z [INFO]: Cloning into 'wildrydes-site'...
2021-01-23T15:02:02.660Z [INFO]: fatal: unable to access 'https://git-codecommit.us-east-
2.amazonaws.com/v1/repos/wildrydes-site/': The requested URL returned error: 403
With the limited amount of information provided, the best I can offer is the issue is somewhere in your IAM privileges for your CodeCommit user. AWS components generally need to have the appropriate Group, Role, and/or Policy to complete the action.
Put another way: CodeCommit is giving a 403 Forbidden error because whatever is attempting doing the cloning doesn't have the right permissions. Give it the right permissions.
You can find the execution role that Amplify uses to run its builds by navigating to AWS Amplify > General (in the left-hand column). Under the Settings section, you'll see a value for the "Service role" field. It will look something like this: "arn:aws:iam:::role/service-role/AWSAmplifyExecutionRole-xxxx".
Once you find that, navigate to IAM > Roles and search for the service role that you just found (AWSAmplifyExecutionRole-xxxx) and click on it. Then click "Attach policies". Search for the "AWSCodeCommitReadOnly" policy and attach it to the role.
You should be able to clone your CodeCommit repository in your Amplify build now.
Related
I encountered the following error when launching an AWS VPC from the command line interface following a quickstart guide here.
Commands used:
git clone https://github.com/aws-quickstart/quickstart-aws-biotech-blueprint-cdk.git
cd quickstart-aws-biotech-blueprint-cdk
npm install
npm run build
cdk bootstrap
npm run build && cdk deploy
Error message:
AwsBiotechBlueprint: creating CloudFormation changeset...
11:38:13 AM | CREATE_FAILED | AWS::IAM::Role
| ConfigEnabledPr
omi...corderRoleFC6F886B
Policy arn:aws:iam::aws:policy/service-role/AWSConfigRole does not exist or is not
attachable. (Service
: AmazonIdentityManagement; Status Code: 404; Error Code: NoSuchEntity; Request ID:
f03b794e-7aa5-4f24-
899e-2aefaa6e8fb3; Proxy: null)
I am using an IAM user (not Root) and the error appears to indicate that "AWSConfigRole" policy is not associated with my user. To correct this error I added the "AWSConfigRole" permissions through the IAM management console via my web browser.
Unfortunately when I rerun the steps in the quickstart I still encounter the exact same error.
How can I ensure the updated permissions from the IAM management console are being properly communicated to the command line interface?
I still encounter the exact same error.
Because this policy should be setup for IAM role for Config service to assume, not your IAM user. Also AWSConfigRole policy has been long depricated. Now you should be using AWS_ConfigRole instead explaining why it can't be used anymore.
It seems that the template you are deploying is old and not up to date. Its better to make an issue about this to the devs of the template, as they should update it.
I try to create an AWS CodePipeline that will trigger and pull files from my GITHUB repo whenever there is a commit and then build & deploy to my ECS using CodeBuild.
I managed to create a CodeBuild that takes the files, builds a docker and tag + push it to the ECR and it's working perfectly fine.
BUT - when I try to use this CodeBuild project (which is working definitely OK manually) in my CodePipeline I receive an error. CLIENT_ERROR: AccessDenied: Access Denied status code: 403, request id: MRKXFJDHM0ZJF1F6, host id: C6ds+Gg//r7hxFtBuwwpOPfPPcLbywL5AEWkXixCqfdNbjuFOo4zKEqRx6immShnCNK4VgIyJTs= for primary source and source version arn:aws:s3:::codepipeline-us-east-1-805870671912/segev/SourceArti/Qm4QUD8
I understand it has some connection with the S3 bucket but I can not understand this error. Policies/roles are fine I guess.
Any idea why manually building is working OK and when the pipeline triggers the build I get this error?
Make sure the role associated to your CodePipeline has read&write permissions to your artifact S3, which from the error I can tell is arn:aws:s3:::codepipeline-us-east-1-805870671912
Check the docs about artifacts in CodePipeline:
https://docs.aws.amazon.com/codepipeline/latest/userguide/welcome-introducing-artifacts.html
Greetings.
I want to deploy my django project online.
I followed aws doc available at https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create-deploy-python-django.html
but when I got to eb create django-env section it gives me the following error
`ERROR: NotAuthorizedError - Operation Denied. Access Denied`
But I noticed in a tutorial in youtube https://www.youtube.com/watch?v=eZOzTFOMh0I at the point of
`eb init -p python-3.8 django-tutotrial`
the aws-access-id was entered. But on the one at aws doc there was nothing provided.
Please how can i go about that. Any help would be appreciated
Update
I have created user roles on my aws account and I already have the credentials on my local machine. but how to put the credentials on the deployment is the issue.
I am trying to deploy the new changes to kubernetes cluster using the Google Cloud Provider CloudBuild. Whenever I make some changes the trigger is working fine and its starting a new build but here is the issue I am getting with this cloudbuild.yaml.
cloudbuild.yaml
steps:
#step1
- name: 'gcr.io/cloud-builders/docker'
args: [ 'build', '-t', 'gcr.io/$PROJECT_ID/cloudbuildtest-image', '.' ]
#step 2
- name: 'gcr.io/cloud-builders/docker'
args: ['push', 'gcr.io/$PROJECT_ID/cloudbuildtest-image']
#step 3 for testing
name: 'gcr.io/cloud-builders/kubectl'
args: ['get', 'pods']
env:
- 'CLOUDSDK_COMPUTE_ZONE=us-central1-a'
- 'CLOUDSDK_CONTAINER_CLUSTER=cloudbuild-test'
#STEP-4
images:
- 'gcr.io/$PROJECT_ID/cloudbuildtest-image'
Step 1 and 2 are working fine but the issue is with the step3 where for testing purpose I simply ran the get pods command to test if it will work or not. Here is the issue I am getting in the logs.
Running: gcloud container clusters get-credentials --project="journeyfoods-io" --zone="us-central1-a" "cloudbuild-test"
Fetching cluster endpoint and auth data.
ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, message=Required "container.clusters.get" permission(s) for "projects/XXXX/zones/us-central1-a/clusters/cloudbuild-test".
What permissions is it looking for? Do I need to do some
authentication before running the steps or What exactly am I missing?
The steps of a Cloud Build build are executed using with the [PROJECT_NUMBER]#cloudbuild.gserviceaccount.com service account. From the Cloud Build documentation page about this topic:
When you enable the Cloud Build API, the service account is
automatically created and granted the Cloud Build Service Account role
for your project. This role is sufficient for several tasks,
including:
Fetching code from your project's Cloud Source Repository
Downloading files from any Cloud Storage bucket owned by your project
Saving build logs in Cloud Logging
Pushing Docker images to Container Registry
Pulling base images from Container Registry
But this service account does not have permissions for certain actions by default ( in particular the container.clusters.get permission is not grated by default). So you need to grant it with a proper IAM role. In your case the Kubernetes Engine Developer role contains the container.clusters.get permission as you can see in this page.
I have entered AWS credentials in Jenkins at /credentials, however they do not show up in the drop down list for the Post Build steps in the AWS Elastic Beanstalk plugin.
If I click Validate Credentials, I get this strange error.
Failure
com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), com.amazonaws.auth.profile.ProfileCredentialsProvider#5c932b96: profile file cannot be null, com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper#32abba7: The requested metadata is not found at http://169.254.169.254/latest/meta-data/iam/security-credentials/]
at com.amazonaws.auth.AWSCredentialsProviderChain.getCredentials(AWSCredentialsProviderChain.java:136)
I don't know where it got that IP address. When I search for that IP in the Jenkins directory, I turn up with
-bash-4.2$ grep -r 169.254.169.254 *
plugins/ec2/AMI-Scripts/ubuntu-init.py:conn = httplib.HTTPConnection("169.254.169.254")
The contents of that file is here: https://pastebin.com/3ShanSSw
There are actually 2 different Amazon Elastic Beanstalk plugins.
AWSEB Deployment Plugin, v 0.3.19, Aldrin Leal
AWS Beanstalk Publisher Plugin, v 1.7.4, David Tanner
Neither of them work. Neither will display the credentials in the drop down list. Since updating Jenkins, I am unable to even show "Deploy to Elastic Beanstalk" as a post-build step for the first one (v0.3.19) even though it is the only one installed.
For the 2nd plugin (v1.7.4), I see this screen shot:
When I fill in what I can, and run it, it gives the error
No credentials provided for build!!!
Environment found (environment id='e-yfwqnurxh6', name='appenvironment'). Attempting to update environment to version label 'sprint5-13'
'appenvironment': Attempt 0/5
'appenvironment': Problem:
com.amazonaws.services.elasticbeanstalk.model.AWSElasticBeanstalkException: No Application Version named 'sprint5-13' found. (Service: AWSElasticBeanstalk; Status Code: 400; Error Code: InvalidParameterValue; Request ID: af9eae4f-ad56-426e-8fe4-4ae75548f3b1)
I tried to add an S3 sub-task to the Elastic Beanstalk deployment, but it failed with an exception.
No credentials provided for build!!!
Root File Object is a file. We assume its a zip file, which is okay.
Uploading file awseb-4831053374102655095.zip as s3://appname-sprint5-15.zip
ERROR: Build step failed with exception
com.amazonaws.services.s3.model.AmazonS3Exception: The XML you provided was not well-formed or did not validate against our published schema (Service: Amazon S3; Status Code: 400; Error Code: MalformedXML; Request ID: 7C4734153DB2BC36; S3 Extended Request ID: x7B5HflSeiIw++NGosos08zO5DxP3WIzrUPkZOjjbBv856os69QRBVgic62nW3GpMtBj1IxW7tc=), S3 Extended Request ID: x7B5HflSeiIw++NGosos08zO5DxP3WIzrUPkZOjjbBv856os69QRBVgic62nW3GpMtBj1IxW7tc=
Jenkins is hopelessly out of date and unmaintained. I added the Post Build Task plugin, installed eb tool as jenkins user, ran eb init in the job directory, edited .elasticbeanstalk/config.yml to add the lines
deploy:
artifact: target/AppName-Sprint5-SNAPSHOT-bin.zip
Then entered in the shell command to deploy the build.
/var/lib/jenkins/.local/bin/eb deploy -l sprint5-${BUILD_NUMBER}
For Eleastic beanstalk plugin right place to configure AWS key is Jenkins Master configure
http://{jenkinsURL}/configure