I am defining a Code Pipeline via CDK. The final stage deploys a lambda cloudformation stack however I get an S3 permissions error when the deploy stage runs.
The deploy stage is defined as:
const role = new Role(this, "Role", {
roleName: "CodePipelineBuildAndDeployRoleV2",
description:
"role used by code pipeline to build CDK and lambda application code",
managedPolicies: [
ManagedPolicy.fromAwsManagedPolicyName("AWSCodePipeline_FullAccess"),
ManagedPolicy.fromAwsManagedPolicyName("AmazonS3FullAccess"),
ManagedPolicy.fromAwsManagedPolicyName(
"AmazonEC2ContainerRegistryFullAccess"
),
],
assumedBy: new ServicePrincipal("codebuild.amazonaws.com"),
});
const pipeline = new Pipeline(this, "PipelineStack", {
pipelineName: "LambdaDeploymentPipeline",
pipelineType: PipelineType.V2,
role: role,
});
//...source and build stage run correctly
pipeline.addStage({
stageName: "Deploy",
actions: [
new CloudFormationCreateUpdateStackAction({
actionName: "lambda-application-deployment",
stackName: props.lambdaApplicationStack.stackName,
templatePath: cdkBuildOutput.atPath("LambdaStack.template.yaml"),
adminPermissions: true,
}),
],
});
the error is:
User: arn:aws:sts::975050149793:assumed-role/CodePipelineStack-PipelineStackDeploylambdaapplicat-gF0oLczc8T7Z/1726918379606 is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::codepipelinestack-pipelinestackartifactsbucket870a-z0ggjsmh1utz" because no session policy allows the s3:ListBucket action (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied;
however when I check the permissions policy for the created role arn:aws:sts::975050149793:assumed-role/CodePipelineStack-PipelineStackDeploylambdaapplicat-gF0oLczc8T7Z/1726918379606
in the IAM console I can see it has list bucket permissions on the given bucket:
{
"Version":"2012-10-17",
"Statement":[
{
"Action":[
"s3:Abort*",
"s3:DeleteObject*",
"s3:GetBucket*",
"s3:GetObject*",
"s3:List*",
"s3:PutObject",
"s3:PutObjectLegalHold",
"s3:PutObjectRetention",
"s3:PutObjectTagging",
"s3:PutObjectVersionTagging"
],
"Resource":[
"arn:aws:s3:::codepipelinestack-pipelinestackartifactsbucket870a-z0ggjsmh1utz",
"arn:aws:s3:::codepipelinestack-pipelinestackartifactsbucket870a-z0ggjsmh1utz/*"
],
"Effect":"Allow"
},
{
"Action":[
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*"
],
"Resource":"arn:aws:kms:us-east-1:975050149793:key/cc2ef46c-329f-4e44-b209-89c7cce97cf4",
"Effect":"Allow"
},
{
"Action":[
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Resource":"arn:aws:ecr:us-east-1:975050149793:repository/hello-world-ecr-repository-from-cdk",
"Effect":"Allow"
},
{
"Action":"ecr:GetAuthorizationToken",
"Resource":"*",
"Effect":"Allow"
},
{
"Action":"sts:AssumeRole",
"Resource":[
"arn:aws:iam::975050149793:role/CodePipelineStack-PipelineStackBuildcdkcodesynthesi-CBELbize1taP",
"arn:aws:iam::975050149793:role/CodePipelineStack-PipelineStackBuildlambdadockerima-022VbTwX3Bwh",
"arn:aws:iam::975050149793:role/CodePipelineStack-PipelineStackDeploylambdaapplicat-gF0oLczc8T7Z",
"arn:aws:iam::975050149793:role/CodePipelineStack-PipelineStackSourceCDKGitHubSourc-YLxuCRQKhqOD",
"arn:aws:iam::975050149793:role/CodePipelineStack-PipelineStackSourceLambdaGitHubSo-aOOfOJyDHRhJ"
],
"Effect":"Allow"
}
]
}
what updates do I need to make to rectify this error?
Update:
@Clinton suggested granting explicit bucket permission.
I tried adding both of these policies (from the bucket as well as directly to the role):
pipeline.artifactBucket.grantReadWrite(
role
)
role.addToPolicy(new PolicyStatement(
{
actions: ['s3:ListBucket'],
resources: [pipeline.artifactBucket.bucketArn]
}
))
but got the same error message:
User: arn:aws:sts::975050149793:assumed-role/CodePipelineBuildAndDeployRoleV2/1727281876060 is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::codepipelinestack-pipelinestackartifactsbucket870a-bfyw12hchv0e" because no session policy allows the s3:ListBucket action (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: WQR9HYW9YNR1ZM3M; S3 Extended Request ID: YWFHapGzf+jMe90dHP7/sVhdYlwrBo26Y0faumzuaqbarFyb+rbzqp6TL0cVKoRXOuWFLKyaXVv90T6q1hNQ6g==; Proxy: null)
2
Answers
ListBucket operates at the bucket level, not the object level; this is actually a common miss.
Modify the policy for the IAM role to add explicit permission for s3:ListBucket on the bucket itself like this:
It needs to target the bucket itself without the wildcard ‘/*’. Let me know if this works.
The first error you listed says the role without permission is
…while the error you listed in your update says the role without permission is
Which role are you assuming? You said you "got the same error" but it is not actually the same error. Check that the role you are using has the ListBucket permission. Also check if there is a resource policy on the bucket that would be limiting things, and if so, change that. If you still get an error, try assigning the AmazonS3FullAccess or AmazonS3ReadOnlyAccess managed policy temporarily to help isolate where the error is coming from, then remove/replace policies until you narrow it down.