Search code examples
amazon-web-servicesserverless-frameworkaws-cdkaws-codepipelineaws-codebuild

An error occurred: ServerlessDeploymentBucket - API: s3:CreateBucket Access Denied

As running the pipeline from CDK-based CI-CD pipeline, a profile is not being passed in the argument assuming the pipeline has the required permissions through the role.

I am using the pipeline from https://github.com/awslabs/aws-simple-cicd/

My deployment-role.yml file has a policy that looks as follows:

DeploymentPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: deployment-policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - 'cloudformation:*'
              - 'iam:*'
              - 'lambda:*'
              - 'ecs:*'
              - 'ecr:*'
              - 'logs:*'
              - 'ssm:*'
              - 'acm:*'
              - 'apigateway:*'
              - 'application-autoscaling:*'
              - 'autoscaling:*'
              - 'cloudfront:*'
              - 'cloudwatch:*'
              - 'elasticache:*'
              - 'elasticloadbalancing:*'
              - 'events:*'
              - 'route53:*'
              - 'sns:*'
              - 'sqs:*'
              - 's3:*'
              - 'dynamodb:*'
              - 'xray:*'
              - 'cognito-idp:*'
            Resource: '*'
      Roles:
        - !Ref DeploymentRole
        -

Given the policy has full access to s3, I expected the deployment to go through but it fails with the following error message:

lerna notice cli v4.0.0

326 | lerna info ci enabled
327 | lerna info Executing command in 4 packages: "npm run deploy"
328 | vlncc-sns: > [email protected] deploy
329 | vlncc-sns: > sls deploy -v
330 | tenant-mgmt-service: > [email protected] deploy
331 | tenant-mgmt-service: > sls deploy -v
332 | vlncc-sns: Serverless: Deprecation warning: Variables resolver reports following resolution errors:
333 | vlncc-sns:               - Cannot resolve variable at "provider.profile": Value not found at "opt" source
334 | vlncc-sns:             From a next major it we will be communicated with a thrown error.
335 | vlncc-sns:             Set "variablesResolutionMode: 20210219" in your service config, to adapt to this behavior now
336 | vlncc-sns:             More Info: https://www.serverless.com/framework/docs/deprecations/#NEW_VARIABLES_RESOLVER
337 | tenant-mgmt-service: Serverless: Deprecation warning: Variables resolver reports following resolution errors:
338 | tenant-mgmt-service:               - Cannot resolve variable at "provider.profile": Value not found at "opt" source,
339 | tenant-mgmt-service:               - Cannot resolve variable at "provider.iamRoleStatements.0": Cannot load file from outside of service folder
340 | tenant-mgmt-service:             From a next major it we will be communicated with a thrown error.
341 | tenant-mgmt-service:             Set "variablesResolutionMode: 20210219" in your service config, to adapt to this behavior now
342 | tenant-mgmt-service:             More Info: https://www.serverless.com/framework/docs/deprecations/#NEW_VARIABLES_RESOLVER
343 | vlncc-sns:
344 | vlncc-sns:  Serverless Warning --------------------------------------
345 | vlncc-sns:
346 | vlncc-sns:   A valid option to satisfy the declaration 'opt:profile' could not be found.
347 | vlncc-sns:
348 | vlncc-sns: Serverless: Packaging service...
349 | vlncc-sns: Serverless: Creating Stack...
350 | tenant-mgmt-service:
351 | tenant-mgmt-service:  Serverless Warning --------------------------------------
352 | tenant-mgmt-service:
353 | tenant-mgmt-service:   A valid option to satisfy the declaration 'opt:profile' could not be found.
354 | tenant-mgmt-service:
355 | vlncc-sns: Serverless: Checking Stack create progress...
356 | tenant-mgmt-service: Serverless: Configuration warning at 'functions.getPool.events[0].http': unrecognized property 'documentation'
357 | tenant-mgmt-service: Serverless:
358 | tenant-mgmt-service: Serverless: Learn more about configuration validation here: http://slss.io/configuration-validation
359 | tenant-mgmt-service: Serverless:
360 | tenant-mgmt-service: Serverless: Deprecation warning: Starting with version 3.0.0, following property will be replaced:
361 | tenant-mgmt-service:               "provider.iamRoleStatements" -> "provider.iam.role.statements"
362 | tenant-mgmt-service:             More Info: https://www.serverless.com/framework/docs/deprecations/#PROVIDER_IAM_SETTINGS
363 | tenant-mgmt-service: Serverless: Deprecation warning: Resolution of lambda version hashes was improved with better algorithm, which will be used in next major release.
364 | tenant-mgmt-service:             Switch to it now by setting "provider.lambdaHashingVersion" to "20201221"
365 | tenant-mgmt-service:             More Info: https://www.serverless.com/framework/docs/deprecations/#LAMBDA_HASHING_VERSION_V2
366 | tenant-mgmt-service: Serverless: Using configuration:
367 | tenant-mgmt-service: {
368 | tenant-mgmt-service:   "packager": "npm",
369 | tenant-mgmt-service:   "packagerOptions": {},
370 | tenant-mgmt-service:   "webpackConfig": "../../node_modules/serverless-bundle/src/webpack.config.js",
371 | tenant-mgmt-service:   "includeModules": {
372 | tenant-mgmt-service:     "forceExclude": [
373 | tenant-mgmt-service:       "aws-sdk"
374 | tenant-mgmt-service:     ],
375 | tenant-mgmt-service:     "forceInclude": null,
376 | tenant-mgmt-service:     "packagePath": "package.json"
377 | tenant-mgmt-service:   },
378 | tenant-mgmt-service:   "keepOutputDirectory": false
379 | tenant-mgmt-service: }
380 | tenant-mgmt-service: Serverless: Removing /codebuild/output/src181728188/src/services/tenant-mgmt-service/.webpack
381 | tenant-mgmt-service: Serverless: Bundling with Webpack...
382 | vlncc-sns: CloudFormation - CREATE_IN_PROGRESS - AWS::CloudFormation::Stack - vlncc-sns-sandbox
383 | vlncc-sns: CloudFormation - CREATE_IN_PROGRESS - AWS::S3::Bucket - ServerlessDeploymentBucket
384 | vlncc-sns: CloudFormation - CREATE_FAILED - AWS::S3::Bucket - ServerlessDeploymentBucket
385 | vlncc-sns: CloudFormation - DELETE_IN_PROGRESS - AWS::CloudFormation::Stack - vlncc-sns-sandbox
386 | vlncc-sns: CloudFormation - DELETE_COMPLETE - AWS::S3::Bucket - ServerlessDeploymentBucket
387 | vlncc-sns: CloudFormation - DELETE_COMPLETE - AWS::CloudFormation::Stack - vlncc-sns-sandbox
388 | vlncc-sns: Serverless: Operation failed!
389 | vlncc-sns: Serverless: View the full error output: https://us-west-2.console.aws.amazon.com/cloudformation/home?region=us-west-2#/stack/detail?stackId=arn%3Aaws%3Acloudformation%3Aus-west-2%3A074808352032%3Astack%2Fvlncc-sns-sandbox%2F99468730-85f5-11eb-9aea-069c3947cedb
390 | vlncc-sns:
391 | vlncc-sns:  Serverless Error ----------------------------------------
392 | vlncc-sns:
393 | vlncc-sns:   An error occurred: ServerlessDeploymentBucket - API: s3:CreateBucket Access Denied.
394 | vlncc-sns:
395 | vlncc-sns:   Get Support --------------------------------------------
396 | vlncc-sns:      Docs:          docs.serverless.com
397 | vlncc-sns:      Bugs:          github.com/serverless/serverless/issues
398 | vlncc-sns:      Issues:        forum.serverless.com
399 | vlncc-sns:
400 | vlncc-sns:   Your Environment Information ---------------------------
401 | vlncc-sns:      Operating System:          linux
402 | vlncc-sns:      Node Version:              12.19.1
403 | vlncc-sns:      Framework Version:         2.29.0
404 | vlncc-sns:      Plugin Version:            4.5.0
405 | vlncc-sns:      SDK Version:               n/a
406 | vlncc-sns:      Components Version:        3.7.3
407 | vlncc-sns:
408 | vlncc-sns: npm ERR! code 1
409 | vlncc-sns: npm ERR! path /codebuild/output/src181728188/src/resources/sns
410 | vlncc-sns: npm ERR! command failed
411 | vlncc-sns: npm ERR! command sh -c sls deploy -v
412 | vlncc-sns: npm ERR! A complete log of this run can be found in:
413 | vlncc-sns: npm ERR!     /root/.npm/_logs/2021-03-16T01_19_15_364Z-debug.log
414 | lerna ERR! npm run deploy exited 1 in 'vlncc-sns'
415 | lerna WARN complete Waiting for 2 child processes to exit. CTRL-C to exit immediately.
416 | npm ERR! code 1
417 | npm ERR! path /codebuild/output/src181728188/src
418 | npm ERR! command failed
419 | npm ERR! command sh -c  lerna run deploy --stream
420 |  
421 | npm ERR! A complete log of this run can be found in:
422 | npm ERR!     /root/.npm/_logs/2021-03-16T01_19_15_414Z-debug.log
423 |  
424 | [Container] 2021/03/16 01:19:15 Command did not exit successfully bash ${CODEBUILD_SRC_DIR}/scripts/deploy.sh exit status 1
425 | [Container] 2021/03/16 01:19:15 Phase complete: BUILD State: FAILED
426 | [Container] 2021/03/16 01:19:15 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: bash ${CODEBUILD_SRC_DIR}/scripts/deploy.sh. Reason: exit status 1
427 | [Container] 2021/03/16 01:19:15 Entering phase POST_BUILD
428 | [Container] 2021/03/16 01:19:15 Phase complete: POST_BUILD State: SUCCEEDED
429 | [Container] 2021/03/16 01:19:15 Phase context status code:  Message:

Why is that? How do I fix it?

Solution

  • The S3 permissions should be added to your CodeBuild (CB) project role, not CodePipeline (CP) role. The reason is that the CB container is the entity that actually tries to access the S3, not CP.