Question posted in 
I have an AWS code pipeline where the last step deploys a CDK template. I have an IAM role (arn:aws:iam::975050149793:role/CodePipelineBuildAndDeployRoleV2) with the following permissions policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ecr:GetAuthorizationToken",
"s3:List*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"s3:Abort*",
"s3:DeleteObject*",
"s3:GetBucket*",
"s3:GetObject*",
"s3:List*",
"s3:ListBucket",
"s3:PutObject",
"s3:PutObjectLegalHold",
"s3:PutObjectRetention",
"s3:PutObjectTagging",
"s3:PutObjectVersionTagging"
],
"Resource": [
"arn:aws:s3:::code-pipeline-artifact-bucket-v2",
"arn:aws:s3:::code-pipeline-artifact-bucket-v2/*"
],
"Effect": "Allow"
},
{
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Resource": "arn:aws:ecr:us-east-1:975050149793:repository/hello-world-ecr-repository-from-cdk",
"Effect": "Allow"
},
{
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::975050149793:role/CodePipelineStack-PipelineStackBuildcdkcodesynthesi-vFR745UypNHH",
"arn:aws:iam::975050149793:role/CodePipelineStack-PipelineStackBuildlambdadockerima-bwgUOKwVvSkx",
"arn:aws:iam::975050149793:role/CodePipelineStack-PipelineStackSourceCDKGitHubSourc-2ucigcXrrb9y",
"arn:aws:iam::975050149793:role/CodePipelineStack-PipelineStackSourceLambdaGitHubSo-wCf42p9m8VdL",
"arn:aws:iam::975050149793:role/CodePipelineBuildAndDeployRoleV2"
],
"Effect": "Allow"
},
{
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::975050149793:role/CodePipelineBuildAndDeployRoleV2",
"Effect": "Allow"
},
{
"Action": [
"cloudformation:CreateStack",
"cloudformation:DescribeStack*",
"cloudformation:GetStackPolicy",
"cloudformation:GetTemplate*",
"cloudformation:SetStackPolicy",
"cloudformation:UpdateStack",
"cloudformation:ValidateTemplate"
],
"Resource": "arn:aws:cloudformation:us-east-1:975050149793:stack/LambdaStackDeployedName/*",
"Effect": "Allow"
}
]
}
and the following trust policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"codepipeline.amazonaws.com",
"s3.amazonaws.com",
"codebuild.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
but the deployment keeps failing with the following error:
User: arn:aws:sts::975050149793:assumed-role/CodePipelineBuildAndDeployRoleV2/1727290405840 is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::code-pipeline-artifact-bucket-v2" because no session policy allows the s3:ListBucket action (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: QDFVFYCJQ08K3AGJ; S3 Extended Request ID: sDxvgKj+HGpAMXO2Y7SAkBysTM0490KbWkHFjNX9ozwp6JoMSjEguvwh/3I97i2LA4oYD1W4Nj4=; Proxy: null)
I can see the IAM policy has the necessary permissions however it still keeps failing with the same error.
2
Answers
Ensure that the trust relationship for
CodePipelineBuildAndDeployRoleV2correctly allows the service to assume it. The trust policy should includests:AssumeRolepermissions for the service principal associated with your CodePipeline.Bro Also try the
S3 bucket policy(code-pipeline-artifact-bucket-v2)I know this is not expected, but some time the bucket policy might need an update to allow this role to list the bucket.
s3:ListBucket errors are very often related to missing permissions to access the KMS key used for Bucket or object Encryption.
Verify CodePipelineBuildAndDeployRoleV2 access to the KMS key used by CodePipeline to encrypt Artifact Objects in the code-pipeline-artifact-bucket-v2 Bucket