I want to resolve the Access Denied error for my image build pipeline in EC2 Image Builder.
Short description
Your image build pipeline might fail with a 403 Access Denied error for the following reasons:
- The instance profile doesn't have the required AWS Identity and Access Management (IAM) permissions to access APIs or component resources.
- The instance profile role doesn't have the required PutObject permission to write logs to Amazon Simple Storage Service (Amazon S3).
- The Amazon S3 gateway endpoint custom policy doesn't allow the GetObject action when you build in a private subnet.
Resolution
Add the required permissions to your instance profile
You must add the following IAM policies to the IAM role that's associated with your instance profile:
If you use a custom policy, then add the required permissions to your custom policy. To attach a policy, see the Attach policy section of AWS Identity and Access Management (IAM).
Add the required PutObject permissions for Amazon S3
The instance profile that's specified in your configuration must have the s3:PutObject permission for the target Amazon S3 bucket. Add the following permissions policy to the target Amazon S3 bucket:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::example-bucket-name/*"
        }
    ]
}
Note: In the preceding policy, replace example-bucket-name with the name of your Amazon S3 bucket.
Add the required GetObject permissions to your Amazon S3 gateway endpoint custom policy
If your Amazon S3 gateway endpoint policy doesn't allow Image Builder to download code or access logs, then add GetObject to the custom policy:
{
    "Effect": "Allow",
    "Action": [
        "s3:GetObject"
    ],
    "Resource": "arn:aws:s3:::ec2imagebuilder*"
}
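To check both of the preceding requirements before re-running the pipeline (the instance profile's s3:PutObject on the log bucket, and the gateway endpoint policy's s3:GetObject on the ec2imagebuilder* buckets), here is an added offline policy check that is not part of this article or of AWS tooling. It evaluates policy documents passed in as Python dictionaries with simplified IAM matching (Action and Resource wildcards, explicit Deny overriding Allow; Principal, Condition, NotAction and NotResource are ignored), and the sample policies, bucket name and object keys are constructed.

```python
import fnmatch


def _as_list(value):
    """IAM lets Action and Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """IAM wildcard match: '*' is any run of characters, '?' a single one.
    Action names are case-insensitive; S3 ARNs are matched as written."""
    value = value.lower() if fold_case else value
    return any(fnmatch.fnmatchcase(value, str(p).lower() if fold_case else str(p))
               for p in _as_list(patterns))


def allows(policy, action, resource):
    """True when an Allow statement covers action+resource and no Deny does.
    Principal and Condition are ignored, so this suits identity policies and
    unconditional endpoint policies; NotAction/NotResource statements are skipped."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt or "Resource" not in stmt:
            continue
        if _matches(stmt["Action"], action, fold_case=True) and _matches(stmt["Resource"], resource):
            if stmt.get("Effect") == "Deny":
                denied = True
            elif stmt.get("Effect") == "Allow":
                allowed = True
    return allowed and not denied


def missing_permissions(role_policy, endpoint_policy, log_bucket):
    """Report which of the article's two S3 requirements the supplied policies fail."""
    problems = []
    # Build logs are written as objects under the configured bucket (constructed key).
    if not allows(role_policy, "s3:PutObject", f"arn:aws:s3:::{log_bucket}/logs/build.log"):
        problems.append(f"instance profile cannot s3:PutObject to {log_bucket}")
    # Components are downloaded from ec2imagebuilder* buckets (constructed bucket and key).
    if not allows(endpoint_policy, "s3:GetObject", "arn:aws:s3:::ec2imagebuilder-example/component.yaml"):
        problems.append("gateway endpoint policy does not allow s3:GetObject on ec2imagebuilder*")
    return problems


# Constructed samples: the role policy mirrors the article's PutObject statement; the
# endpoint policy only permits s3:ListBucket, which reproduces the download failure.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket-name/*"}]}
ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket", "Resource": "*"}]}

if __name__ == "__main__":
    for problem in missing_permissions(ROLE_POLICY, ENDPOINT_POLICY, "example-bucket-name"):
        print("FAIL:", problem)
```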