Tags: amazon-web-services, aws-cdk, aws-codepipeline

Error calling startBuild: User is not authorized to perform: codebuild:StartBuild


I want to configure CI/CD with AWS Pipelines using AWS CDK.

I initialized AWS CDK in my AWS account using the following command:

npx cdk bootstrap --context env=prod --profile il-prod

Afterwards, I deployed my PipelineStack using this:

npx cdk deploy Pipeline --context env=prod --profile il-prod

After it has been successfully deployed, the deployed pipeline fails with the following message during the build step:

Error calling startBuild: User: arn:aws:sts::915521058023:assumed-role/Pipeline-
PipelineCodeBuildActionRole226DB0CB-yMIdGC4ozzfo/1706514727988 is not authorized to
perform: codebuild:StartBuild on resource: arn:aws:codebuild:eu-
central-1:915521058023:project/PipelineBuildSynthCdkBuildP-ZTRILHu8CwbK because no 
identity-based policy allows the codebuild:StartBuild action (Service: AWSCodeBuild; Status
 Code: 400; Error Code: AccessDeniedException; Request ID: 9a698065-9530-4262-
b920-863bbf9e281c; Proxy: null)

This is my code:

import { SecretValue, Stack, StackProps, pipelines } from "aws-cdk-lib";
import { Construct } from "constructs";
import { AppStage } from "./app.stage";

interface PipelineStackProps extends StackProps {
  github: {
    branch: string
  }
}

export class PipelineStack extends Stack {
  #props: PipelineStackProps

  constructor(scope: Construct, id: string, props: PipelineStackProps) {
    super(scope, id, props);

    this.#props = props

    this.#init();
  }

  #init() {
    const pipeline = new pipelines.CodePipeline(this, "Pipeline", {
      synth: new pipelines.ShellStep('Synth', {
        input: pipelines.CodePipelineSource.gitHub("owner/project", this.#props.github.branch, {
          authentication: SecretValue.secretsManager("token")
        }),
        commands: [
          "npm ci",
          "npm run build",
          "npx cdk synth"
        ]
      })
    })

    const appStage = new AppStage(this, 'App', { env: this.#props.env })

    pipeline.addStage(appStage)
  }
}

I would expect the pipeline to run successfully or at least fail due to some other issue, not because it doesn't have the necessary permissions to start the build.

Did I miss something during the AWS CDK configuration?


Solution

    I found the easiest solution to overcome this problem.

    When you deploy the Pipeline for the first time, you usually run:

    cdk deploy Pipeline
    

    This command uses your default profile to deploy resources to AWS. After it successfully deploys, it automatically tries to run the deployed pipeline, but it fails. The reason for this, as I understood, is that the role that deployed this pipeline does not have sufficient permissions to start the build.

    Here are two simple solutions:

    Retry the Pipeline in the Console

    1. Go to the AWS CodePipeline Console.
    2. Click "Retry Stage".
    3. This will rerun the pipeline, and it should work correctly this time.

    Trigger the Pipeline with a New Commit

    1. After the pipeline fails, create another commit in the branch to which this pipeline is attached.
    2. This will retrigger the pipeline, and it should run correctly.

    These steps ensure that the necessary permissions are in place when the pipeline runs.