23

I created a CodeBuild Project that uses a docker image for node8. The purpose of this CodeBuild project is to do unit testing. It takes an input artifact from CodeCommit. And in the buildspec.yml it runs a test command.

This is my (simple) buildspec file:

version: 0.2

phases:
  install:
    commands:
     - echo "install phase started"
     - npm install
     - echo "install phase ended"
  pre_build: 
    commands:
     - echo "pre_build aka test phase started"
     - echo "mocha unit test"
     - npm test
     - echo "mocha unit test ended"
  build:
    commands:
     - echo "build phase started"
     - echo "build complete"

The build is failing at the DOWNLOAD_SOURCE phase with the following:

PHASE - DOWNLOAD_SOURCE

Start time 2 minutes ago

End time 2 minutes ago

Message Access Denied

The only logs in the build logs are the following

[Container] 2018/01/12 11:30:22 Waiting for agent ping

[Container] 2018/01/12 11:30:22 Waiting for DOWNLOAD_SOURCE

Thanks in advance.

Screenshot of the CodeBuild policies.


3
  • 3
    Can you post the policy for the IAM role you're using for the CodeBuild project? Commented Jan 12, 2018 at 22:43
  • Done. I edited the post and added the policies. Commented Jan 15, 2018 at 12:35
  • Are all of these policies attached to the role used in your CodeBuild project? "Access Denied" during Download Source makes me think the policy doesn't have a permission like codecommit:GitPull or s3:GetObject. Commented Jan 15, 2018 at 18:25

6 Answers 6

15

I found a fix. It was a problem with my permissions. I added this to make it work.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:logs:eu-west-1:723698621383:log-group:/aws/codebuild/project",
        "arn:aws:logs:eu-west-1:723698621383:log-group:/aws/codebuild/project:*"
      ],
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::codepipeline-eu-west-1-*"
      ],
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameters"
      ],
      "Resource": "arn:aws:ssm:eu-west-1:723698621383:parameter/CodeBuild/*"
    }
  ]
}

1 Comment

Can you explain where you added it?
7

I had the same error, a permissions issue accessing the S3 bucket URL. Originally I used an auto-generated codepipeline-us-west-2-* bucket name with the policy:

{
  "Effect": "Allow",
  "Resource": [
      "arn:aws:s3:::codepipeline-us-west-2-*"
  ],
  "Action": [
      "s3:PutObject",
      "s3:GetObject",
      "s3:GetObjectVersion",
      "s3:GetBucketAcl",
      "s3:GetBucketLocation"
  ]
}

After changing to my own bucket name, the policy had to be updated to:

{
  "Effect": "Allow",
  "Resource": [
      "arn:aws:s3:::project-name-files/*"
  ],
  "Action": [
      "s3:PutObject",
      "s3:GetObject",
      "s3:GetObjectVersion",
      "s3:GetBucketAcl",
      "s3:GetBucketLocation"
  ]
}

1 Comment

This was the fix for me! Thanks!
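The accepted answer and the answer above both come down to the same question: does the service role's policy actually grant the actions that DOWNLOAD_SOURCE performs on the specific artifact ARN? The following script is an added example, not code from this thread or from AWS; it implements a simplified IAM evaluation (Allow/Deny with Action and Resource only, no Condition, NotAction, NotResource, bucket policies or SCPs) and checks a role policy against the permissions the thread identifies: codecommit:GitPull for a CodeCommit source, s3:GetObject and s3:GetObjectVersion for an S3 source, and kms:Decrypt when the bucket uses a customer-managed KMS key. The object key `build/source.zip`, the KMS key ARN and the account id are constructed placeholders; the bucket names are the ones the answer above used, so the run reproduces its before/after result offline.

```python
"""Offline check of a CodeBuild service-role policy for DOWNLOAD_SOURCE.

Added example, not from the Stack Overflow thread. Evaluates only Effect,
Action and Resource (wildcards '*' and '?'); Condition, NotAction, NotResource,
resource policies and SCPs are out of scope, which is enough to reproduce the
bucket-name mismatch discussed above.
"""
import json
import re


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, case_insensitive):
    # IAM wildcards: '*' matches any run of characters (including '/'),
    # '?' matches exactly one character; everything else is literal.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policy, action, resource):
    """Simplified IAM logic: an explicit Deny wins, then any matching Allow,
    otherwise implicit deny. Action names are case-insensitive, ARNs are not."""
    decision = False
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(_glob_match(p, action, True) for p in actions):
            continue
        if not any(_glob_match(p, resource, False) for p in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        decision = True
    return decision


def required_for_download_source(source_arn, kms_key_arn=None):
    """(action, resource) pairs the role needs to fetch the source artifact,
    following the permissions named in the thread."""
    if source_arn.startswith("arn:aws:codecommit:"):
        checks = [("codecommit:GitPull", source_arn)]
    elif source_arn.startswith("arn:aws:s3:::"):
        checks = [("s3:GetObject", source_arn), ("s3:GetObjectVersion", source_arn)]
    else:
        raise ValueError(f"unsupported source ARN: {source_arn}")
    if kms_key_arn:  # SSE-KMS with a customer-managed key also needs decrypt rights
        checks.append(("kms:Decrypt", kms_key_arn))
    return checks


def missing_permissions(policy, source_arn, kms_key_arn=None):
    """Return the required pairs the policy does not allow (empty list = OK)."""
    return [(a, r) for a, r in required_for_download_source(source_arn, kms_key_arn)
            if not is_allowed(policy, a, r)]


def overly_broad_statements(policy):
    """Indexes of Allow statements granting every action on every resource;
    a least-privilege review of a build role should flag these."""
    return [i for i, s in enumerate(_as_list(policy["Statement"]))
            if s.get("Effect") == "Allow"
            and "*" in _as_list(s.get("Action", []))
            and "*" in _as_list(s.get("Resource", []))]


# Constructed sample documents wrapping the two S3 statements from the answer above.
_S3_ACTIONS = '["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion", "s3:GetBucketAcl", "s3:GetBucketLocation"]'
POLICY_AUTO_BUCKET = json.loads(
    '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
    '"Resource": ["arn:aws:s3:::codepipeline-us-west-2-*"], "Action": ' + _S3_ACTIONS + '}]}')
POLICY_OWN_BUCKET = json.loads(
    '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
    '"Resource": ["arn:aws:s3:::project-name-files/*"], "Action": ' + _S3_ACTIONS + '}]}')

# Constructed artifact and key ARNs (placeholders, not real resources).
OWN_BUCKET_OBJECT = "arn:aws:s3:::project-name-files/build/source.zip"
AUTO_BUCKET_OBJECT = "arn:aws:s3:::codepipeline-us-west-2-123456/build/source.zip"
PLACEHOLDER_KMS_KEY = "arn:aws:kms:us-west-2:111111111111:key/placeholder-key-id"


def demo():
    """Run the checks the thread describes and return them by name."""
    return {
        "auto_policy_vs_own_bucket": missing_permissions(POLICY_AUTO_BUCKET, OWN_BUCKET_OBJECT),
        "auto_policy_vs_auto_bucket": missing_permissions(POLICY_AUTO_BUCKET, AUTO_BUCKET_OBJECT),
        "own_policy_vs_own_bucket": missing_permissions(POLICY_OWN_BUCKET, OWN_BUCKET_OBJECT),
        "own_policy_kms_bucket": missing_permissions(POLICY_OWN_BUCKET, OWN_BUCKET_OBJECT, PLACEHOLDER_KMS_KEY),
    }


if __name__ == "__main__":
    for name, missing in demo().items():
        print(name, "OK" if not missing else f"missing {missing}")
```

The first check shows why the original policy produced Access Denied: `codepipeline-us-west-2-*` never matches an object under `project-name-files`, and an action the policy does not match is an implicit deny, which S3 surfaces as a 403 during DOWNLOAD_SOURCE. The `/*` in the corrected resource matters too: it matches object keys but not the bucket ARN itself, so bucket-level actions such as s3:GetBucketLocation would need a second resource entry without the suffix.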
5

I had a similar error and will post my fix in case it helps anyone else. I was using CodePipeline and had two separate builds happening. Build #1 would complete its build and the output artifact for that was to be the input artifact for Build #2. Build #2 was failing on the DOWNLOAD_SOURCE phase with the following error:

AccessDenied: Access Denied status code: 403

The problem was that in my build spec for Build #1, I didn't have the artifacts defined. After calling out the artifact files/folders in Build #1, then Build #2 was able to download the source without issue.

1 Comment

The same could be happening with one single build, if outputs and inputs are not correctly defined between steps (was my case)
2

I was experiencing the same symptoms but my issue was due to the default encryption on the S3 bucket as described in this post.

So everything in S3 is encrypted at rest. When you don't specify how you want to encrypt them, objects in S3 will be encrypted by the default KMS key. And other accounts won't be able to get access to objects in the bucket because they don't have that KMS key for decryption. So to get around this issue, you need to create your own KMS key and use it to encrypt (let CodeBuild use this KMS key you have created, in this case). Then allow roles in other accounts to use this key by configuring AssumeRole permissions. From what I see, most S3 access denials happen from not being able to decrypt objects. This is specified here: Troubleshoot S3 403 Access Denied - encrypted objects will also cause 403 Access Denied.

In my case, the keys that were being used were mismatched, which was causing the decryption failure.

Comments

1

I faced the same issue.

My source was from an S3 folder. The fix involved putting a / at the end of the source path. It seems that without the / CodeBuild thinks it is a key.

Hope this helps someone save time.

2 Comments

Where was the / missing from?
/ at the end of the source path. (Corrected)
1

In my case I fixed the issue this way: when I was creating a build project configuration there is a step in which you have to provide Service role and Role name. There are two options for that step: 1) create a new one and 2) choose an existing one. I created a new one. After that I faced the issue the author described. After some research I added these policies to that role in the IAM module and the issue went away.

AWSCodeDeployRoleForECS AWS managed Permissions policy
AWSCodeDeployRole   AWS managed Permissions policy
AWSCodeDeployRoleForCloudFormation  AWS managed Permissions policy
AWSCloudFormationFullAccess AWS managed Permissions policy
AWSCodeDeployRoleForLambda  AWS managed Permissions policy

Comments
