The provided role does not have sufficient permissions to access CodeDeploy
I am implementing CodePipeline; using GitHub, CodeBuild and Amazon ECS (blue/green). The role I am using, is the one generated by the Pipeline: ecsTaskExecutionRole
When generated, it is equipped with the following policies: AmazonECSTaskExecutionRolePolicy (containing the following actions):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]}
And the following Trust relationships:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"codebuild.amazonaws.com",
"ecs-tasks.amazonaws.com",
]
},
"Action": "sts:AssumeRole"
}
]
}
Given that the role is auto-generated, one would assume that either it would have ALL the necessary permissions (for the pipeline to function) OR AWS would have a guide on which permissions to assign (to either a policy OR the trust relationship configuration).
Despite, updating the trust relationship to include:
"Service": [
"codebuild.amazonaws.com",
"ecs-tasks.amazonaws.com",
"ec2.amazonaws.com",
"codedeploy.amazonaws.com",
"codepipeline.amazonaws.com",
"s3.amazonaws.com"
]
I still get the error:
I have seen this issue raised in multiple blogs/forum, spanning the past 1-2 years; it's incredible that this is still not properly documented as part of the AWS tutorials (or relative blogs).
"The provided role does not have sufficient permissions to access CodeDeploy"
This error suggests the CodePipeline role is missing "codedeploy:" related permissions.
Can you please add
codedeploy:*
to the role and try again.
If you do not want to add all CodeDeploy permissions, you will need to investigate 'AccessDenied' calls in Cloudtrail and allow just those. Usually these are the required ones:
{
"Action": [
"codedeploy:CreateDeployment",
"codedeploy:GetApplicationRevision",
"codedeploy:GetApplication",
"codedeploy:GetDeployment",
"codedeploy:GetDeploymentConfig",
"codedeploy:RegisterApplicationRevision"
],
"Resource": "*",
"Effect": "Allow"
},
The default "CodePipeline Service Role Policy" is documented here:
[1] Manage the CodePipeline Service Role - Review the Default CodePipeline Service Role Policy - https://docs.aws.amazon.com/codepipeline/latest/userguide/how-to-custom-role.html#view-default-service-role-policy
- AWS IAM user not able to see Billing and Cost Management Dashboard
- How to resolve 'Step Functions State Machine is not authorized to create managed-rule'?
- What permission am I missing for AWS Glue and Development Endpoint?
- Nested Step Function in a Step Function: Unknown Error: "...not authorized to create managed-rule"
- Unable to retrieve secret from secretsmanager on aws-ec2 using an IAM role
- Is Beanstalk "Create and use new service role" broken?
- Invoking Lambda function from another Lambda function consistently results in a strange HTTP 421 Misdirected Request error
- How is the "cluster creator" user of an AWS EKS cluster mapped to the "system:masters" RBAC group?
- User is not authorized to perform: cloudformation:CreateStack
- AWS CLI Assume Role from Server
- S3 Bucket access denied, even for Administrator
- RDS Proxy successfully connected after that disconnecting by showing "RDS Proxy supports only IAM or MD5 authentication"
- How to setup IAM policy for AWS Lambda in VPC to resolve error "You are not authorized to perform: CreateNetworkInterface."
- How to add S3 BucketPolicy with AWS CDK?
- CloudFront policy to invalidate only specific distribution
- Restrict access to a particular CloudFront distribution using IAM
- No IAM role showing up when scheduling query in redshift serverless from root user
- Confluent-Kafka: no broker available for coordinator query: intervaled in state query-coord
- What IAM permissions are needed to use CDK Deploy?
- Connecting to AWS DocumentDB from an AWS ECS Container using IAM
- Permission problem accessing CodeCommit repository during build phase
- S3 Replication - s3:PutReplicationConfiguration
- Which policy should I assign to my IAM user to invoke a lambda function?
- How to extend sqs queue default policy
- What does s3:x-amz-acl with a value of "bucket-owner-full-control" do/mean?
- AWS Redshift: Masteruser not authorized to assume role
- Error: Not authorized to perform sts:AssumeRoleWithWebIdentity during OIDC when a PR get merged into main
- AWS S3 Transfer Manager ${cognito-identity.amazonaws.com:sub} Policy Variable Access Denied
- How to use AWS_MSK_IAM sasl mechanism with a kafka producer jar?
- How to create aws-ebs-csi-driver with eks_blueprints_addons by Terraform?