Search code examples
amazon-iamamazon-ecsaws-code-deployaws-codepipeline

The provided role does not have sufficient permissions to access CodeDeploy

I am implementing CodePipeline; using GitHub, CodeBuild and Amazon ECS (blue/green). The role I am using, is the one generated by the Pipeline: ecsTaskExecutionRole

When generated, it is equipped with the following policies: AmazonECSTaskExecutionRolePolicy (containing the following actions):

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "ecr:GetAuthorizationToken",
            "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Resource": "*"
    }
]}

And the following Trust relationships:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codebuild.amazonaws.com",
          "ecs-tasks.amazonaws.com",
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Given that the role is auto-generated, one would assume that either it would have ALL the necessary permissions (for the pipeline to function) OR AWS would have a guide on which permissions to assign (to either a policy OR the trust relationship configuration).

Despite, updating the trust relationship to include: 

"Service": [
      "codebuild.amazonaws.com",
      "ecs-tasks.amazonaws.com",
      "ec2.amazonaws.com",
      "codedeploy.amazonaws.com",
      "codepipeline.amazonaws.com",
      "s3.amazonaws.com"
    ]

I still get the error: enter image description here

I have seen this issue raised in multiple blogs/forum, spanning the past 1-2 years; it's incredible that this is still not properly documented as part of the AWS tutorials (or relative blogs).

Solution

  • "The provided role does not have sufficient permissions to access CodeDeploy"

    This error suggests the CodePipeline role is missing "codedeploy:" related permissions.

    Can you please add 

    codedeploy:*

    to the role and try again.

    If you do not want to add all CodeDeploy permissions, you will need to investigate 'AccessDenied' calls in Cloudtrail and allow just those. Usually these are the required ones:

    {
      "Action": [
        "codedeploy:CreateDeployment",
        "codedeploy:GetApplicationRevision",
        "codedeploy:GetApplication",
        "codedeploy:GetDeployment",
        "codedeploy:GetDeploymentConfig",
        "codedeploy:RegisterApplicationRevision"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },

    The default "CodePipeline Service Role Policy" is documented here:

    [1] Manage the CodePipeline Service Role - Review the Default CodePipeline Service Role Policy - https://docs.aws.amazon.com/codepipeline/latest/userguide/how-to-custom-role.html#view-default-service-role-policy