
I have an AWS CodePipeline pipeline where the last step deploys a CDK template. I have an IAM role (arn:aws:iam::975050149793:role/CodePipelineBuildAndDeployRoleV2) with the following permissions policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ecr:GetAuthorizationToken",
                "s3:List*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:Abort*",
                "s3:DeleteObject*",
                "s3:GetBucket*",
                "s3:GetObject*",
                "s3:List*",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectLegalHold",
                "s3:PutObjectRetention",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::code-pipeline-artifact-bucket-v2",
                "arn:aws:s3:::code-pipeline-artifact-bucket-v2/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:CompleteLayerUpload",
                "ecr:GetDownloadUrlForLayer",
                "ecr:InitiateLayerUpload",
                "ecr:PutImage",
                "ecr:UploadLayerPart"
            ],
            "Resource": "arn:aws:ecr:us-east-1:975050149793:repository/hello-world-ecr-repository-from-cdk",
            "Effect": "Allow"
        },
        {
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::975050149793:role/CodePipelineStack-PipelineStackBuildcdkcodesynthesi-vFR745UypNHH",
                "arn:aws:iam::975050149793:role/CodePipelineStack-PipelineStackBuildlambdadockerima-bwgUOKwVvSkx",
                "arn:aws:iam::975050149793:role/CodePipelineStack-PipelineStackSourceCDKGitHubSourc-2ucigcXrrb9y",
                "arn:aws:iam::975050149793:role/CodePipelineStack-PipelineStackSourceLambdaGitHubSo-wCf42p9m8VdL",
                "arn:aws:iam::975050149793:role/CodePipelineBuildAndDeployRoleV2"
            ],
            "Effect": "Allow"
        },
        {
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::975050149793:role/CodePipelineBuildAndDeployRoleV2",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DescribeStack*",
                "cloudformation:GetStackPolicy",
                "cloudformation:GetTemplate*",
                "cloudformation:SetStackPolicy",
                "cloudformation:UpdateStack",
                "cloudformation:ValidateTemplate"
            ],
            "Resource": "arn:aws:cloudformation:us-east-1:975050149793:stack/LambdaStackDeployedName/*",
            "Effect": "Allow"
        }
    ]
}

and the following trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "codepipeline.amazonaws.com",
                    "s3.amazonaws.com",
                    "codebuild.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

but the deployment keeps failing with the following error:

User: arn:aws:sts::975050149793:assumed-role/CodePipelineBuildAndDeployRoleV2/1727290405840 is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::code-pipeline-artifact-bucket-v2" because no session policy allows the s3:ListBucket action (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: QDFVFYCJQ08K3AGJ; S3 Extended Request ID: sDxvgKj+HGpAMXO2Y7SAkBysTM0490KbWkHFjNX9ozwp6JoMSjEguvwh/3I97i2LA4oYD1W4Nj4=; Proxy: null)

I can see the IAM policy has the necessary permissions; however, it still keeps failing with the same error.
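As an added example (mine, not from the question or either answer), the following offline check evaluates the question's own identity policy against the action and resource named in the AccessDenied message, using IAM's wildcard matching, and separately extracts the message's "because ..." clause. The policy excerpt and error text are copied from the question above; the function names are my own.

```python
import fnmatch
import json
import re

# Excerpt of the role's identity policy from the question: the two statements that can match
# s3:ListBucket on the artifact bucket (copied from the page, not generated).
ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["ecr:GetAuthorizationToken", "s3:List*"], "Resource": "*", "Effect": "Allow"},
    {"Action": ["s3:GetObject*", "s3:ListBucket", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::code-pipeline-artifact-bucket-v2",
                  "arn:aws:s3:::code-pipeline-artifact-bucket-v2/*"],
     "Effect": "Allow"}
  ]
}""")

# The AccessDenied message from the question, trimmed of request ids.
ERROR_MSG = ("User: arn:aws:sts::975050149793:assumed-role/CodePipelineBuildAndDeployRoleV2/"
             "1727290405840 is not authorized to perform: s3:ListBucket on resource: "
             '"arn:aws:s3:::code-pipeline-artifact-bucket-v2" because no session policy allows the s3:ListBucket action')

def _as_list(v):
    return v if isinstance(v, list) else [v]

def policy_allows(policy, action, resource):
    """Evaluate one action/resource pair against a single policy document the way IAM does:
    explicit Deny wins, a matching Allow gives Allow, otherwise ImplicitDeny (* and ? wildcards)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]  # actions are case-insensitive
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def parse_access_denied(msg):
    """Pull action, resource and the 'because ...' reason out of an S3 AccessDenied message."""
    m = re.search(r'perform: (\S+) on resource: "([^"]+)" because (.+)', msg)
    return m and {"action": m.group(1), "resource": m.group(2), "reason": m.group(3).strip()}

def diagnose(policy, msg):
    """Identity-policy verdict plus the reason clause, which names the policy layer to inspect next."""
    denied = parse_access_denied(msg)
    return {"identity_policy": policy_allows(policy, denied["action"], denied["resource"]),
            "denied_by": denied["reason"]}
```

When the identity policy evaluates to Allow while the call is still denied, the reason clause in the message (here a session policy) identifies which other policy layer to look at.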

2 Answers

  1. Ensure that the trust relationship for CodePipelineBuildAndDeployRoleV2 correctly allows the service to assume it. The trust policy should include sts:AssumeRole permissions for the service principal associated with your CodePipeline.

    Bro, also try the S3 bucket policy (code-pipeline-artifact-bucket-v2):

     {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::975050149793:role/CodePipelineBuildAndDeployRoleV2"
                },
                "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::code-pipeline-artifact-bucket-v2"
            }
        ]
    }
    

    I know this is not expected, but sometimes the bucket policy might need an update to allow this role to list the bucket.

  2. s3:ListBucket errors are very often related to missing permissions to access the KMS key used for bucket or object encryption.

    Verify CodePipelineBuildAndDeployRoleV2 access to the KMS key used by CodePipeline to encrypt artifact objects in the code-pipeline-artifact-bucket-v2 bucket.
