I have a 3 stage CodePipeline on AWS.
Source: Checks out upon commit a specific branch of CodeCommit (success)
Build: Runs some tests on a docker image via CodeBuild (success)
Deploy: Performs a deployment on a deployment group (a.k.a. some specifically tagged EC2 instances) via CodeDeploy (failure).
Step 3 fails with
Unable to access the artifact with Amazon S3 object key
'someitem-/BuildArtif/5zyjxoZ' located in the Amazon S3
artifact bucket 'codepipeline-eu-west-1-somerandomnumber'. The provided
role does not have sufficient permissions.
Which role is the later referring to?
The service role of CodePipeline or the service role of CodeDeploy?
I am almost certain I have attached the appropriate policies to both though ...
Here is a snippet of my CodePipeline service role
try to give "CodeDeploy" policy with full access, it should work.
This could also be due to the actual BuildArtifact not existing. Check the specified path in your S3 bucket to see whether the object actually exists. CodePipeline just gives CodeDeploy a reference to an artifact it thinks has been built and uploaded, but it doesn't really know.
This issue is not related to the Roles assigned to either Codepipeline or Codebuild. If you investigate you would find that in the S3 bucket 'codepipeline-eu-west-1-somerandomnumber', there is no folder "BuildArtif" and certainly no file - "5zyjxoZ".
The issue is that Codebuild is not sending any artifact to Codedeploy, change the 'Input artifacts' for Codebuild to the output of the Source stage of the Pipeline and the issue would be resolved.
The error message should be referring to the CodeDeploy role. The CodeDeploy action passes the S3 artifact by reference to CodeDeploy, so the CodeDeploy role needs to have read access to the CodePipeline artifact.
Related
If a Codebuild project runs on a custom image that has awscli preinstalled, but not configured for that AWS account, would it be still possible to run aws * in that project's buildspec without updating its AWS credentials there first?
In other words, are these credentials made available by Codebuild (e.g. via providing this information in automatically picked up environment variables) , or if I am using a custom image, it is up to me to take care of that explicitly, and aws * is only expected to work in buildspec out of the box without additional efforts on Codebuild managed images?
(I mean configuration/credentials for the account and role the Codebuild project in question operates in)
When you attach an IAM service role with your AWS Codebuild project, you don't need to configure AWS cli. IAM service role is part of environment configuration and this role will be assumed whenever you try to access resources in AWS. This goes same for your custom image for AWS Codebuild as well.
I have a build pipeline that has a source of AWS Code Commit. When there is a commit, this runs a build script in AWS Code Build that builds the project, builds a docker image and pushes into ECR. The final stage deploys the docker image into an ECS cluster in a different region which fails with the following error:
Replication of artifact 'BuildArtifact' failed: Failed replicating artifact from bucket 1 in region 1 to bucket 2 in region 2: Check source and destination artifact buckets exist and pipeline role has permission to access it.
Bucket 1 does have the artifact in it, but bucket 2 is empty. I have tried giving the code pipeline role full access to S3, but didn't change anything. There is nothing in cloud trail regarding the error. This question discuses a similar issue but I believe this is no longer relevant as the way cross region deployments work has changed since then. I have tried re-creating the pipeline (with the same parameters) but this still gives the same error. Perhaps there is some additional permission it needs that AWS didn't create.
If anybody could tell me how to fix, or debug this issue, it would be appreciated.
Thanks,
Adam
I have 2 AWS account:
Account A: Codepipeline
Account B: S3 containing zip
The requirement is such that the codepipeline in account A will need S3 zip file as source stage from Account B.
Also the codepipeline should detect changes in the S3 path whenever there is a new zip file and invoke the pipeline.
Can anyone help me with the cross account roles and steps required in the above process please.
Create a pipeline in CodePipeline that uses resources from another AWS account -- https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html
I am exploring CodeStar using a basic project created with the Python 3.7 Lambda template following the Serverless Project Tutorial in the AWS CodeStar documentation:
https://docs.aws.amazon.com/codestar/latest/userguide/sam-tutorial.html
My build and deploy are successful. However a see a warning in my CloudFormation event log:
The IAM user doesn't allow CloudFormation to call lambda:GetAlias, this could result in formulating a appspec file with stale CurrentVersion for CodeDeploy deployment. Please fix it to avoid any possible CodeDeploy deployment failures.
I am just using the AWS resources created automatically by the CodeStar console.
What do I do to fix this warning?
Details
The CodeDeploy step in the CodePipeline deploys the lambda function by updating a CloudFormation stack named: awscodestar-<codestar project name>-lambda.
When I looked in the event log for this stack, I noticed the above warning for the resource named HelloWorldAliaslive
To fix this, add the lambda:GetAlias permission to the inline policy associated with the IAM role named CodeStarWorker-<project>-CloudFormation
Open the AWS Console for CodeStar
Click Project in the left navbar
Find the Project Resources section. One of the AWS IAM resources will have a name CodeStarWorker-<project>-CloudFormation. Click the link in the ARN column of the table to open the role in IAM.
Locate the inline policy named CodeStarWorkerCloudFormationRolePolicy and click the Edit button.
Add the "lambda:GetAlias" action to this policy.
This policy is created automatically by CodeStar. In my account, the policy included several Statements. I chose to add the "lambda:GetAlias" action to the statement which already had "lambda:CreateAlias" action.
After making this change, the warning no longer appeared in my CloudFormation event logs.
I am trying to set up a Continuous Integration pipeline for my simple AWS lambda function. To confess, the is my very first time using AWS code pipeline. I am having trouble with setting up the pipeline. The deploy stage in the pipeline is failing.
I created a CodeBuild
Then I created an application in CodeDeploy
Then I created a CodePipeline choosing the source as GitHub. The selected a repository and branch from the GitHub. Then linked the pipeline with the CodeDeploy application and CodeBuild I previously created.
After I save the pipeline and when the pipeline is built, I am getting this error.
When I check the error details, it says this
Unable to access the artifact with Amazon S3 object key 'the-goodyard-pipelin/BuildArtif/G12YurC' located in the Amazon S3 artifact bucket 'codepipeline-us-east-1-820116794245'. The provided role does not have sufficient permissions.
Basically, that Bucket does not exist as well. Isn't the Bucket created automatically? What went wrong with my set up?
The Bucket exist as well. It is just throwing error.
In the bucket, I can see the zip file as well.
Well, the error message looks self explanatory, the role you assigned to codebuild doesn't have enough access to go to s3.
Go to codebuild -> Build projects - > Choose your project -> Click on tab 'Build Details'.
You will see a 'Service Role' ARN, that if you click on it, it will send you to that IAM role (if you are not an admin for that account, you may not have enough permissions to see IAM, as it is a critical permission service, so check this with the admin.)
Check the policies for that role, and check if the policies have the action: s3:GetObject on resource: your bucket.
If it doesn't, then you need to add it. Use the visual editor, use S3 as service, add Get* as action, and your s3 bucket to it.