Background:
I'm testing a CodePipeline with a source stage containing a GitHub source and a test stage containing a CodeBuild project. The GitHub source is authenticated with a CodeStar connection.
Problem:
When the CodeBuild project is triggered via the pipeline, the project is denied access to the associated CodePipeline S3 artifact bucket. Here's the log from the build:
    AccessDenied: Access Denied
        status code: 403, request id: 123, host id: 1234
    for primary source and source version arn:aws:s3:::my-bucket/foo/master/foo123
Here's the statement of the CodeBuild service role policy that's relevant to the problem:
    {
        "Sid": "CodePipelineArtifactBucketAccess",
        "Effect": "Allow",
        "Action": [
            "s3:PutObject",
            "s3:ListObjects",
            "s3:ListBucket",
            "s3:GetObjectVersion",
            "s3:GetObject",
            "s3:GetBucketLocation"
        ],
        "Resource": "arn:aws:s3:::my-bucket/*"
    }
Attempts:
1. Changing the resource attribute in the policy above from arn:aws:s3:::my-bucket/* to arn:aws:s3:::my-bucket*. (Same Access Denied error)
2. Checking the associated artifact bucket's permissions. Currently, it's set to block all public access and there is no bucket policy attached. The bucket's ACL is set to allow the bucket owner (me) to have read/write access. (Same Access Denied error)
3. Given this is a test pipeline, I've tried giving the CodeBuild service role and the CodePipeline service role full S3 access to all resources. (Same Access Denied error)
Adding the CodeBuild role ARN to the CMK policy's usage/grant related permissions did the trick. I guess I mindlessly assumed that the CodeBuild service role would inherit the CodePipeline's role, which would enable the CodeBuild project to decrypt the CMK associated with the CodePipeline artifact bucket. Here are the relevant statements I changed in the CMK's policy:
    {
        "Sid": "GrantPermissions",
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "arn:aws:iam::111111111111:role/codebuild-role",
                "arn:aws:iam::111111111111:role/codepipeline-role"
            ]
        },
        "Action": [
            "kms:RevokeGrant",
            "kms:ListGrants",
            "kms:CreateGrant"
        ],
        "Resource": "*",
        "Condition": {
            "Bool": {
                "kms:GrantIsForAWSResource": "true"
            }
        }
    },
    {
        "Sid": "UsagePermissions",
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "arn:aws:iam::111111111111:role/codebuild-role",
                "arn:aws:iam::111111111111:role/codepipeline-role"
            ]
        },
        "Action": [
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:Encrypt",
            "kms:DescribeKey",
            "kms:Decrypt"
        ],
        "Resource": "*"
    }
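An added check, not from the post, that reads a CMK key policy like the one above and reports which of the usage actions a given role still lacks, which is the first thing to verify when a build reading SSE-KMS artifacts gets a 403 from S3. The embedded policy document is constructed from the answer's UsagePermissions statement with the post's placeholder account id and role names; Condition blocks are not evaluated, so a hit means the statement names the role, not that every condition would pass at runtime.

```python
import fnmatch
import json

# Constructed sample: the UsagePermissions statement from the answer wrapped in a
# complete key policy; the account id and role names are the post's placeholders.
KEY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "UsagePermissions",
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::111111111111:role/codebuild-role",
                          "arn:aws:iam::111111111111:role/codepipeline-role"]},
    "Action": ["kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Encrypt",
               "kms:DescribeKey", "kms:Decrypt"],
    "Resource": "*"
  }]
}""")

# KMS actions a role needs on the artifact bucket's CMK (the answer's usage list).
REQUIRED = ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey",
            "kms:Encrypt", "kms:ReEncryptFrom"]

def _as_list(value):
    return value if isinstance(value, list) else [value]  # policy fields: str or list

def principal_matches(principal, role_arn):
    # The statement names the role explicitly, or uses the "*" wildcard principal.
    return principal == "*" or role_arn in _as_list(principal.get("AWS", []))

def action_matches(actions, action):
    # IAM action names are case-insensitive and may end in a wildcard (kms:ReEncrypt*).
    return any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(actions))

def statement_allowing(policy, role_arn, action):
    # Sid of the Allow statement granting `action` to `role_arn`, or None. An explicit
    # Deny wins, as in IAM evaluation. Condition blocks are not evaluated here, so a
    # hit means the statement names the role, not that every condition would pass.
    granted = None
    for stmt in policy["Statement"]:
        if not (principal_matches(stmt.get("Principal", {}), role_arn)
                and action_matches(stmt.get("Action", []), action)):
            continue
        if stmt["Effect"] == "Deny":
            return None
        granted = granted or stmt.get("Sid", "<no Sid>")
    return granted

def missing_actions(policy, role_arn, required=REQUIRED):
    # Actions the role still lacks; an empty list rules the key policy out as the cause.
    return [a for a in required if statement_allowing(policy, role_arn, a) is None]
```

Run it against the output of `aws kms get-key-policy --policy-name default` for the artifact bucket's CMK to see at a glance whether the build role was ever granted decrypt rights.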