CodeDeploy step of CodePipeline because of insufficient role permissions

Question

I have a 3 stage CodePipeline on AWS.

Source: Checks out upon commit a specific branch of CodeCommit (success)
Build: Runs some tests on a docker image via CodeBuild (success)
Deploy: Performs a deployment on a deployment group (a.k.a. some specifically tagged EC2 instances) via CodeDeploy (failure).

Step 3 fails with

Unable to access the artifact with Amazon S3 object key 'someitem-/BuildArtif/5zyjxoZ' located in the Amazon S3 artifact bucket 'codepipeline-eu-west-1-somerandomnumber'. The provided role does not have sufficient permissions.

Which role is the later referring to?

The service role of CodePipeline or the service role of CodeDeploy?

I am almost certain I have attached the appropriate policies to both though ...

Here is a snippet of my CodePipeline service role

I'm guessing it's the CodeDeploy role, since it's the CodePipeline that put the artifact into the bucket (although it doesn't necessarily mean it can also get it back). — Milan Cermak, Feb 07 '19 at 14:00
This is due to artifact not being created. Refer this answer(https://stackoverflow.com/a/60983084/4842112) and article - https://medium.com/@shanikae/insufficient-permissions-unable-to-access-the-artifact-with-amazon-s3-247f27e6cdc3 — Shanika Ediriweera, Apr 02 '20 at 01:58

Dharmendra Singh Negi · Answer 1 · 2019-02-08T07:36:21.473

2

try to give "CodeDeploy" policy with full access, it should work.

edited Feb 08 '19 at 07:36

answered Feb 07 '19 at 16:45

Dharmendra Singh Negi

393
1
12

score 1 · Answer 2 · answered Jul 18 '19 at 17:14

This could also be due to the actual BuildArtifact not existing. Check the specified path in your S3 bucket to see whether the object actually exists. CodePipeline just gives CodeDeploy a reference to an artifact it thinks has been built and uploaded, but it doesn't really know.

score 1 · Answer 3 · answered Feb 21 '20 at 08:05

This issue is not related to the Roles assigned to either Codepipeline or Codebuild. If you investigate you would find that in the S3 bucket 'codepipeline-eu-west-1-somerandomnumber', there is no folder "BuildArtif" and certainly no file - "5zyjxoZ".

The issue is that Codebuild is not sending any artifact to Codedeploy, change the 'Input artifacts' for Codebuild to the output of the Source stage of the Pipeline and the issue would be resolved.

score 0 · Answer 4 · answered Feb 08 '19 at 04:17

0

The error message should be referring to the CodeDeploy role. The CodeDeploy action passes the S3 artifact by reference to CodeDeploy, so the CodeDeploy role needs to have read access to the CodePipeline artifact.

answered Feb 08 '19 at 04:17

Aaron

1,575
10
18

CodeDeploy step of CodePipeline because of insufficient role permissions

4 Answers4