
Predefined CloudFormation stack running as root causes "CodeBuild is not authorized to perform: sts:AssumeRole on service role"


I'm working on deploying an AWS Telco Network and have followed the documentation along with their sample code; however, on the final instantiation step I keep getting an sts:AssumeRole "not authorized" error. I tracked down the CloudTrail event and here's what it looks like. Any idea how to go about resolving this?

{
"eventVersion": "1.08",
"userIdentity": {
    "type": "Root",
    "principalId": "x",
    "arn": "arn:aws:iam::x:root",
    "accountId": "x",
    "accessKeyId": "y",
    "sessionContext": {
        "sessionIssuer": {},
        "webIdFederationData": {},
        "attributes": {
            "creationDate": "2024-11-20T21:31:31Z",
            "mfaAuthenticated": "false"
        }
    },
    "invokedBy": "cloudformation.amazonaws.com"
},
"eventTime": "2024-11-20T21:55:35Z",
"eventSource": "codebuild.amazonaws.com",
"eventName": "CreateProject",
"awsRegion": "us-west-2",
"sourceIPAddress": "cloudformation.amazonaws.com",
"userAgent": "cloudformation.amazonaws.com",
"errorCode": "InvalidInputException",
"errorMessage": "CodeBuild is not authorized to perform: sts:AssumeRole on service role",
"requestParameters": {
    "name": "arn:aws:codebuild:us-west-2:x:project/tnbEksNodeGroupENICreation",
    "logsConfig": {
        "cloudWatchLogs": {
            "groupName": "/aws/tnb/hooks",
            "streamName": "tnbEksNodeGroupENICreation",
            "status": "ENABLED"
        }
    },
    "artifacts": {
        "type": "NO_ARTIFACTS"
    },
    "source": {
        "type": "NO_SOURCE",
        "buildspec": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "timeoutInMinutes": 10,
    "tags": "HIDDEN_DUE_TO_SECURITY_REASONS",
    "queuedTimeoutInMinutes": 480,
    "serviceRole": "arn:aws:iam::x:role/TnbEksMultusRole",
    "environment": {
        "environmentVariables": [
            {
                "type": "HIDDEN_DUE_TO_SECURITY_REASONS",
                "value": "HIDDEN_DUE_TO_SECURITY_REASONS",
                "name": "HIDDEN_DUE_TO_SECURITY_REASONS"
            }
        ],
        "privilegedMode": false,
        "imagePullCredentialsType": "CODEBUILD",
        "type": "LINUX_CONTAINER",
        "image": "aws/codebuild/standard:7.0",
        "computeType": "BUILD_GENERAL1_SMALL"
    }
},
"responseElements": null,
"requestID": "",
"eventID": "",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "x",
"eventCategory": "Management",
"sessionCredentialFromConsole": "true"

}


Solution

  • You need to add the CodeBuild service principal to the trust relationship of the role you want to use (the `serviceRole` shown in the event, `arn:aws:iam::x:role/TnbEksMultusRole`):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "codebuild.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    

    otherwise the CodeBuild project will not be authorised to assume the role assigned to it.