AWS Codebuild fails while downloading source. Message: Access Denied
I created a CodeBuild Project that uses a docker image for node8. The purpose of this CodeBuild project is to do unit testing. It takes an input artifact from CodeCommit, and in the buildspec.yml it runs a test command.

This is my (simple) buildspec file:

version: 0.2

phases:
  install:
    commands:
     - echo "install phase started"
     - npm install
     - echo "install phase ended"
  pre_build: 
    commands:
     - echo "pre_build aka test phase started"
     - echo "mocha unit test"
     - npm test
     - echo "mocha unit test ended"
  build:
    commands:
     - echo "build phase started"
     - echo "build complete"

The build is failing at the DOWNLOAD_SOURCE phase with the following:

PHASE - DOWNLOAD_SOURCE

Start time 2 minutes ago

End time 2 minutes ago

Message Access Denied

The only logs in the build logs are the following

[Container] 2018/01/12 11:30:22 Waiting for agent ping

[Container] 2018/01/12 11:30:22 Waiting for DOWNLOAD_SOURCE

Thanks in advance.

Screenshot of the CodeBuild policies.

Millymilman answered 12/1, 2018 at 11:52 Comment(3)
Can you post the policy for the IAM role you're using for the CodeBuild project? – Guerra
Done. I edited the post and added the policies. – Cancellation
Are all of these policies attached to the role used in your CodeBuild project? "Access Denied" during Download Source makes me think the policy doesn't have a permission like codecommit:GitPull or s3:GetObject. – Guerra
I found a fix. It was a problem with my permissions. I added this to make it work.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:logs:eu-west-1:723698621383:log-group:/aws/codebuild/project",
        "arn:aws:logs:eu-west-1:723698621383:log-group:/aws/codebuild/project:*"
      ],
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::codepipeline-eu-west-1-*"
      ],
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameters"
      ],
      "Resource": "arn:aws:ssm:eu-west-1:723698621383:parameter/CodeBuild/*"
    }
  ]
}
Millymilman answered 16/1, 2018 at 19:20 Comment(1)
Can you explain where you added it? – Vibrations
I had the same error, a permissions issue accessing an S3 bucket URL. Originally I used an auto-generated codepipeline-us-west-2-* bucket name with the policy:

{
  "Effect": "Allow",
  "Resource": [
      "arn:aws:s3:::codepipeline-us-west-2-*"
  ],
  "Action": [
      "s3:PutObject",
      "s3:GetObject",
      "s3:GetObjectVersion",
      "s3:GetBucketAcl",
      "s3:GetBucketLocation"
  ]
}

After changing to my own bucket name, the policy had to be updated to:

{
  "Effect": "Allow",
  "Resource": [
      "arn:aws:s3:::project-name-files/*"
  ],
  "Action": [
      "s3:PutObject",
      "s3:GetObject",
      "s3:GetObjectVersion",
      "s3:GetBucketAcl",
      "s3:GetBucketLocation"
  ]
}
Alinaaline answered 11/6, 2020 at 1:40 Comment(1)
This was the fix for me! Thanks! – Maine
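The accepted answer and the answer above both come down to the same question: does the service role's identity policy grant the S3 read actions on the ARN CodeBuild actually requests during DOWNLOAD_SOURCE? The wrinkle is IAM's wildcard semantics: `*` in a Resource pattern matches any run of characters, slashes included, so `arn:aws:s3:::codepipeline-us-west-2-*` covers both the bucket ARN and every object ARN under it, while a bare bucket ARN such as `arn:aws:s3:::project-name-files` never matches an object ARN, and bucket-level actions like s3:GetBucketLocation are in turn evaluated against the bucket ARN, not `bucket/*`. The following is an added example, not code from the thread or from AWS: a small offline checker that applies those matching rules to a policy document. Bucket names, the account id and the artifact key are constructed placeholders; the required-action lists are taken from the statements in the answers, not from an exhaustive AWS reference. It ignores Deny statements, Conditions, bucket policies and KMS key policies, so a clean result is necessary for DOWNLOAD_SOURCE to succeed, not sufficient.

```python
"""Offline check of a CodeBuild service-role policy against an S3 artifact ARN.

Added example (not from the thread). It mimics how IAM evaluates identity-based
Allow statements: an Allow must match both the action (case-insensitively) and
the resource ARN, and '*' matches any run of characters, '/' included.
"""
import json
import re

# Object-level reads are checked against the object ARN (bucket/key); bucket-level
# reads against the bucket ARN (no key). Lists built from the answers, not exhaustive.
OBJECT_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion")
BUCKET_ACTIONS = ("s3:GetBucketLocation",)


def iam_glob(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' = any sequence (including '/'), '?' = one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy, action, resource_arn):
    """True if at least one Allow statement covers both the action and the resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(iam_glob(p, action, ignore_case=True) for p in _as_list(stmt.get("Action", []))):
            continue
        if any(iam_glob(p, resource_arn) for p in _as_list(stmt.get("Resource", []))):
            return True
    return False


def missing_source_permissions(policy, bucket, key):
    """Return (action, arn) pairs the policy does not grant for downloading bucket/key."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{key}"
    checks = [(a, object_arn) for a in OBJECT_ACTIONS] + [(a, bucket_arn) for a in BUCKET_ACTIONS]
    return [(action, arn) for action, arn in checks if not allows(policy, action, arn)]


def policy_with_resources(*resources):
    """Constructed single-statement policy shaped like the S3 statements in the answers."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Resource": list(resources),
            "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
                       "s3:GetBucketAcl", "s3:GetBucketLocation"],
        }],
    }


# Constructed sample artifact locations; the account id and key are placeholders.
AUTO_BUCKET = "codepipeline-us-west-2-123456789012"
OWN_BUCKET = "project-name-files"
KEY = "my-pipeline/SourceOutput/abc123.zip"

# 1. No '/' in the pattern, so the trailing '*' swallows the rest of the bucket
#    name and the whole key: one pattern covers both bucket and object ARNs.
AUTO_POLICY = policy_with_resources("arn:aws:s3:::codepipeline-us-west-2-*")
# 2. A bare bucket ARN never matches object ARNs: object reads are not granted.
BUCKET_ONLY_POLICY = policy_with_resources("arn:aws:s3:::project-name-files")
# 3. Only bucket/* covers objects but not bucket-level actions such as GetBucketLocation.
OBJECTS_ONLY_POLICY = policy_with_resources("arn:aws:s3:::project-name-files/*")
# 4. Listing both the bucket ARN and bucket/* covers every action checked here.
COMPLETE_POLICY = policy_with_resources("arn:aws:s3:::project-name-files",
                                        "arn:aws:s3:::project-name-files/*")

if __name__ == "__main__":
    for name, policy, bucket in (("auto", AUTO_POLICY, AUTO_BUCKET),
                                 ("bucket-only", BUCKET_ONLY_POLICY, OWN_BUCKET),
                                 ("objects-only", OBJECTS_ONLY_POLICY, OWN_BUCKET),
                                 ("complete", COMPLETE_POLICY, OWN_BUCKET)):
        gaps = missing_source_permissions(policy, bucket, KEY)
        print(f"{name:12s} {'OK' if not gaps else 'MISSING ' + json.dumps(gaps)}")
```

Run it as a script to see which of the four constructed policies would leave DOWNLOAD_SOURCE without a grant; to check a real role, load its policy document with `json.load` and pass the pipeline artifact bucket and object key to `missing_source_permissions`. The `auto` case is why the auto-generated bucket "just works" and a renamed bucket does not: the rename removed the wildcard that had been matching object ARNs, so the object path (`/*`) has to be listed explicitly, and the bucket ARN itself kept for the bucket-level actions.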
I had a similar error and will post my fix in case it helps anyone else. I was using CodePipeline and had two separate builds happening. Build #1 would complete its build and the output artifact for that was to be the input artifact for Build #2. Build #2 was failing on the DOWNLOAD_SOURCE phase with the following error:

AccessDenied: Access Denied status code: 403

The problem was that in my build spec for Build #1, I didn't have the artifacts defined. After calling out the artifact files/folders in Build #1, then Build #2 was able to download the source without issue.

Masson answered 28/7, 2018 at 0:12 Comment(1)
The same could be happening with one single build, if outputs and inputs are not correctly defined between steps (was my case). – Silici
I was experiencing the same symptoms but my issue was due to the default encryption on the S3 bucket as described in this post.

So everything in S3 is encrypted at rest. When you don't specify how you want to encrypt them, objects in S3 will be encrypted by the default KMS key. And other accounts won't be able to get access to objects in the bucket because they don't have that KMS key for decryption. So to get around this issue, you need to create your own KMS key and use it to encrypt (in this case, let CodeBuild use the KMS key you have created). Then allow roles in other accounts to use this key by configuring AssumeRole permissions. From what I see, most S3 access denial happens at not being able to decrypt objects. This is specified in Troubleshoot S3 403 Access Denied: encrypted objects will also cause 403 Access Denied.

In my case, the keys that were being used were mismatched which was causing the decryption failure.

Locris answered 14/10, 2020 at 5:7 Comment(0)
I faced the same issue.

My source was from an S3 folder. The fix involved putting a / at the end of the source path. It seems that without the / CodeBuild thinks it is a key.

Hope this helps someone save time.

Kokoruda answered 19/7, 2020 at 6:31 Comment(2)
Where was the / missing from? – Latoyia
/ at the end of the source path. (Corrected) – Kokoruda
In my case I fixed the issue this way: when I was creating a build project configuration there is a step in which you have to provide Service role and Role name. There are two options for that step: 1) create a new one and 2) choose an existing one. I created a new one. After that I faced the issue the author described. After some research I added these policies to that role in the IAM module and the issue went away.

AWSCodeDeployRoleForECS             AWS managed permissions policy
AWSCodeDeployRole                   AWS managed permissions policy
AWSCodeDeployRoleForCloudFormation  AWS managed permissions policy
AWSCloudFormationFullAccess         AWS managed permissions policy
AWSCodeDeployRoleForLambda          AWS managed permissions policy
Marinemarinelli answered 30/10, 2022 at 5:25 Comment(0)