CDK Stack Failed to publish one or more assets Access Denied

0

Hi All,

In my BuildProject/BuildSpec (in my STG account), I run this command:

  • cdk deploy --require-approval never

It gives me this error:

myStack: deploying...
[0%] start: Publishing e988sdsf934da0d45effe675sdscb946f3e1sds68:current
[0%] check: Check s3://cdk-hnb65dds-assets-xxxxxxxx-cregion/assets/e9882ab1236873df4sdfeffe67sdfc8ce13bsdff3e1d6sdf8d68.zip
Call failed: listObjectsV2({"Bucket":"cdk-hnsd59fds-assets-xxxxxxxx-region","Prefix":"assets/e98ssdfsd87dsffsdffdsfcc8sdsdfdd6141fsdd68.zip","MaxKeys":1}) => Access Denied (code=AccessDenied)
[33%] fail: Access Denied
[33%] start: Publishing c24b999656e4fe6c609c31dfadffbcdfdfc2c86df:current
[33%] check: Check s3://cdk-hnb659fds-assets-xxxxxxxx-cregion/assets/c24b999656e4fe6c609c31dfadffbcdfdfc2c86df.zip
Call failed: listObjectsV2({"Bucket":"cdk-hnb659fds-assets-xxxxxxxx-cregion","Prefix":"assets/c24b999656e4fe6c609c31dfadffbcdfdfc2c86df.zip","MaxKeys":1}) => Access Denied (code=AccessDenied)
[66%] fail: Access Denied
[66%] start: Publishing werer56e4fe6c609c3ewrd17a4d9c3afwr6b8c2wer:current
[66%] check: Check s3://cdk-hnb659fds-assets-xxxxxxxx-cregion/assets/werer56e4fe6c609c3ewrd17a4d9c3afwr6b8c2wer.zip
Call failed: listObjectsV2({"Bucket":"cdk-hnb659fds-assets-xxxxxxxx-cregion","Prefix":"assets/werer56e4fe6c609c3ewrd17a4d9c3afwr6b8c2wer.zip","MaxKeys":1}) => Access Denied (code=AccessDenied)
[100%] fail: Access Denied

 ❌  myStack failed: Error: Failed to publish one or more assets. See the error messages above for more information.
    at publishAssets (/usr/local/lib/node_modules/aws-cdk/lib/util/asset-publishing.ts:27:11)

How can I give the CDK stack running from BuildSpec permission to publish assets?

I already added this policy to my CodeBuild service role, but I still have the same issue:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject*",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:getBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::cdk*"
            ]
        }
    ]
}

I also had this error:

ser: arn:aws:sts::xxxxxx:assumed-role/codebuild-mybp-service-role/AWSCodeBuild-d1acsd11-4sad7-9sada6834ffsadbs is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:region:xxxxxxxx:function:myStack-CustomCDKBucketDeployment-l5dzxcszxA7assa because no identity-based policy allows the lambda:InvokeFunction action (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: eedf2-03dfdf3-4ddsfd7-bfdg7-2dfsdff5c2dfgd0; Proxy: null)

I'm not sure which Lambda it wants to invoke here and why. What are the right permissions for this?

Thank you!!

Jess
Asked 2 years ago, 5306 views
2 answers
1

Without further context around the run which failed on Lambda, it is difficult to speculate, however based on the naming, it looks like it may be part of the stack which you are trying to deploy, as it seems to match the style of CDK-generated names.

As for the permissions, CDK normally creates a deployment role in your account as part of the bootstrapping process. I have included a link to the details of this role in the bootstrapping template (1). One potential option here is to specify this role in your CDK CLI call by passing the -r or --role-arn parameter with that role (2). If you are experiencing this issue in an account or region that has not been bootstrapped, then you may just need to bootstrap the account in order to have this deployment role (3).

I hope this helps! If you need more assistance with this, I would encourage you to open a support case with CDK so that we can have a more hands-on look at the current configuration, and can provide more concise advice, securely and one-on-one.

(1) https://github.com/aws/aws-cdk/blob/master/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml#L362-L465

(2) https://docs.aws.amazon.com/cdk/v2/guide/cli.html#cli-ref : AWS CDK Toolkit (cdk command) - Toolkit reference

(3) https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html : Bootstrapping

AWS Support Engineer
Wayne_G
Answered 2 years ago
0
Accepted answer

I added the following missing permissions to my build project service role and it works:

1 - S3:listObjects

2 - AWSLambdaRole to have the permission to lambda:InvokeFunction

Jess
Answered 2 years ago
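As an added example (not code from either answer), here is a small offline check of the posted CodeBuild role policy against the API calls that failed in the question. It assumes placeholder account id, region and function name, and relies on the fact that the ListObjectsV2 call is authorized by the s3:ListBucket action on the bucket ARN; Deny statements, NotAction and Condition keys are deliberately out of scope.

```python
import json
import re

# Constructed copy of the policy posted in the question.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject*", "s3:PutObject", "s3:PutObjectAcl", "s3:getBucketLocation"],
        "Resource": ["arn:aws:s3:::cdk*"],
    }],
}
# Placeholder account id / region / function suffix; the real ones are redacted in the question.
BUCKET = "arn:aws:s3:::cdk-hnb659fds-assets-111111111111-us-east-1"
FUNC = "arn:aws:lambda:us-east-1:111111111111:function:myStack-CustomCDKBucketDeployment-PLACEHOLDER"
# (IAM action, resource) pairs behind the failures shown above. ListObjectsV2 is authorized
# by s3:ListBucket on the bucket ARN itself, which none of the s3:*Object* actions cover.
REQUIRED = [
    ("s3:ListBucket", BUCKET),
    ("s3:GetObject", BUCKET + "/assets/example.zip"),
    ("s3:PutObject", BUCKET + "/assets/example.zip"),
    ("lambda:InvokeFunction", FUNC),
]

def _matches(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run, '?' one character, the rest is literal."""
    segs = [".".join(re.escape(p) for p in seg.split("?")) for seg in pattern.split("*")]
    return re.match(".*".join(segs) + r"\Z", value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allowed(policy, action, resource):
    """True if some Allow statement matches both action and resource (Deny/Condition not evaluated)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        # Action names compare case-insensitively; resource ARNs are case-sensitive.
        if any(_matches(a, action, ignore_case=True) for a in _as_list(stmt["Action"])) and \
           any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False

def missing_permissions(policy, required=REQUIRED):
    return [(a, r) for a, r in required if not allowed(policy, a, r)]

def with_missing_grants(policy):
    """Copy of the policy plus the two grants the accepted answer adds, scoped to the CDK bucket and this stack."""
    fixed = json.loads(json.dumps(policy))
    fixed["Statement"] += [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::cdk*"]},
        # Narrower than a resource-wide lambda:InvokeFunction grant: only this stack's functions.
        {"Effect": "Allow", "Action": ["lambda:InvokeFunction"],
         "Resource": ["arn:aws:lambda:*:*:function:myStack-*"]},
    ]
    return fixed
```

Running `missing_permissions` on the posted policy reports only s3:ListBucket and lambda:InvokeFunction as missing, and the extended policy passes all four checks.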
