
How do I resolve Access Denied errors or permission issues in CodePipeline?


When I upload my files to AWS CodePipeline, I receive an "Access Denied" error.

Resolution

You might receive an "Access Denied" or permission error because of insufficient permissions to the Amazon Simple Storage Service (Amazon S3) bucket. You might also receive an error if you didn't attach the correct permissions to your AWS Identity and Access Management (IAM) user and role.

User permissions

Verify that the AWS managed policy permissions to create and manage CodePipeline resources are attached to the IAM user.

CodePipeline service role

Make sure that the service role associated with the pipeline has permissions to interact with AWS services.

Edit the service role policy statement to remove access to resources that you don't use and to add access to resources that you do. To restrict a statement to a particular resource, include that resource's Amazon Resource Name (ARN) in the Resource value. Attach the following example CodePipeline service role policy to grant the minimum permissions on the artifact bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3BucketAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketVersioning",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::[[pipeArtifactBucketNames]]"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "{{accountId}}"
        }
      }
    },
    {
      "Sid": "AllowS3ObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObjectTagging",
        "s3:GetObjectTagging",
        "s3:GetObjectVersionTagging"
      ],
      "Resource": [
        "arn:aws:s3:::[[pipeArtifactBucketNames]]/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "{{accountId}}"
        }
      }
    }
  ]
}

Note: Replace pipeArtifactBucketNames with your S3 bucket name and accountId with your AWS account ID.

CodePipeline artifact bucket

Confirm that you correctly assign the bucket policy and permissions for the S3 bucket that stores the pipeline artifacts.

For cross-account access, see the section "Update the bucket policy for the CodePipeline artifact bucket in Account B" in "How do I configure a CodePipeline source stage with a cross-account CodeCommit repository?"

AWS KMS permissions

Confirm that the AWS Key Management Service (AWS KMS) keys used for encryption have key policies that grant permission to the cross-account resources. Attach the following example policy to your IAM role to allow the cross-account role to use the KMS key:

{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::account_B:role/cross_account_role_name",
      "arn:aws:iam::account_B:root"
    ]
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}

Note: Replace account_B:role/cross_account_role_name with the ARN of your cross-account role. The first principal allows access for that specific role; the second, arn:aws:iam::account_B:root, allows access for any principal in account_B, so keep only the entries that you need. JSON does not allow a repeated key, so list multiple principals in a single "AWS" array rather than repeating the "AWS" key.
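The two policy documents in this article (the service role policy above and the KMS key statement just shown) are easy to get subtly wrong before they are ever attached: a template placeholder left unreplaced, a missing action, or two principals written under a repeated "AWS" key, which most JSON parsers accept and silently collapse to the last value. The following added example is not AWS code; it is an offline linter that parses a policy strictly (rejecting repeated keys), checks the artifact-bucket statements for the actions, resource ARNs and aws:ResourceAccount condition the article's policy uses, and checks that a key policy statement lists the intended cross-account principal with the article's KMS actions. The bucket name, account IDs and role ARN are constructed sample values, and action matching is literal (no IAM wildcard expansion).

```python
"""Offline checks for CodePipeline service role and KMS key policy statements (added example)."""
import json
import re

# Actions the article's service role statements grant, per resource kind (literal match).
REQUIRED_BUCKET_ACTIONS = {"s3:GetBucketVersioning", "s3:GetBucketAcl", "s3:GetBucketLocation"}
REQUIRED_OBJECT_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectVersion",
                           "s3:PutObjectTagging", "s3:GetObjectTagging", "s3:GetObjectVersionTagging"}
# Actions the article's KMS key statement grants.
REQUIRED_KMS_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"}
# Template placeholders as written in the article: [[name]] and {{name}}.
PLACEHOLDER = re.compile(r"\[\[[^\]]*\]\]|\{\{[^}]*\}\}")

# Constructed sample values (not real accounts, buckets or roles).
BUCKET, ACCOUNT_A, ACCOUNT_B = "example-pipeline-artifacts", "111122223333", "222233334444"
CROSS_ACCOUNT_ROLE = f"arn:aws:iam::{ACCOUNT_B}:role/cross_account_role_name"

# The article's service role policy, compacted, with its placeholders still in place.
SERVICE_ROLE_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowS3BucketAccess", "Effect": "Allow",
     "Action": ["s3:GetBucketVersioning", "s3:GetBucketAcl", "s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::[[pipeArtifactBucketNames]]"],
     "Condition": {"StringEquals": {"aws:ResourceAccount": "{{accountId}}"}}},
    {"Sid": "AllowS3ObjectAccess", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectVersion",
                "s3:PutObjectTagging", "s3:GetObjectTagging", "s3:GetObjectVersionTagging"],
     "Resource": ["arn:aws:s3:::[[pipeArtifactBucketNames]]/*"],
     "Condition": {"StringEquals": {"aws:ResourceAccount": "{{accountId}}"}}}
  ]
}"""
# The same policy after the substitutions the article's Note asks for.
SERVICE_ROLE_FILLED = (SERVICE_ROLE_TEMPLATE.replace("[[pipeArtifactBucketNames]]", BUCKET)
                       .replace("{{accountId}}", ACCOUNT_A))
# Key policy statement with both principals in one list (valid JSON).
KMS_STATEMENT = f"""{{
  "Sid": "Allow use of the key", "Effect": "Allow",
  "Principal": {{"AWS": ["{CROSS_ACCOUNT_ROLE}", "arn:aws:iam::{ACCOUNT_B}:root"]}},
  "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
  "Resource": "*"
}}"""
# The same statement with "AWS" written twice: not valid JSON, yet json.loads accepts it.
KMS_STATEMENT_DUPLICATE_KEY = KMS_STATEMENT.replace(
    f'"AWS": ["{CROSS_ACCOUNT_ROLE}", "arn:aws:iam::{ACCOUNT_B}:root"]',
    f'"AWS": "{CROSS_ACCOUNT_ROLE}", "AWS": "arn:aws:iam::{ACCOUNT_B}:root"')


def load_policy_strict(text):
    """Parse policy JSON and reject repeated keys (json.loads keeps only the last value)."""
    def reject_duplicates(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                raise ValueError(f"duplicate key {key!r} in policy")
            obj[key] = value
        return obj
    return json.loads(text, object_pairs_hook=reject_duplicates)


def has_duplicate_keys(text):
    """True if the document would parse leniently but strict parsing rejects it."""
    try:
        load_policy_strict(text)
    except ValueError:
        return True
    return False


def _as_list(value):
    """IAM accepts a string or a list for Action, Resource and Principal values."""
    return value if isinstance(value, list) else [value]


def find_placeholders(node):
    """Collect every [[name]] or {{name}} still present in keys or string values."""
    if isinstance(node, str):
        return PLACEHOLDER.findall(node)
    if isinstance(node, dict):
        node = list(node) + list(node.values())
    return [p for child in node for p in find_placeholders(child)] if isinstance(node, list) else []


def check_service_role_policy(policy, bucket_name, account_id):
    """Return findings for the artifact-bucket statements; an empty list means OK."""
    findings = [f"unreplaced placeholder {p}" for p in find_placeholders(policy)]
    granted = {}  # resource ARN -> actions allowed on it
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid, actions = stmt.get("Sid", "<no Sid>"), set(_as_list(stmt.get("Action", [])))
        # The article's statements pin the bucket to the pipeline's own account.
        owner = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:ResourceAccount")
        if owner != account_id:
            findings.append(f"{sid}: aws:ResourceAccount condition missing or not {account_id}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*" and any(a.startswith("s3:") for a in actions):
                findings.append(f'{sid}: S3 actions allowed on Resource "*"')
            granted.setdefault(resource, set()).update(actions)
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    for arn, required in ((bucket_arn, REQUIRED_BUCKET_ACTIONS), (bucket_arn + "/*", REQUIRED_OBJECT_ACTIONS)):
        missing = required - granted.get(arn, set())
        if missing:
            findings.append(f"{arn}: missing {sorted(missing)}")
    return findings


def check_kms_key_statement(statement, principal_arn):
    """Return findings for a key policy statement meant to let principal_arn use the key."""
    findings = []
    if principal_arn not in _as_list(statement.get("Principal", {}).get("AWS", [])):
        findings.append(f"principal {principal_arn} not listed")
    missing = REQUIRED_KMS_ACTIONS - set(_as_list(statement.get("Action", [])))
    if missing:
        findings.append(f"missing {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for label, text in (("template", SERVICE_ROLE_TEMPLATE), ("filled", SERVICE_ROLE_FILLED)):
        print(label, check_service_role_policy(load_policy_strict(text), BUCKET, ACCOUNT_A))
    print("kms", check_kms_key_statement(load_policy_strict(KMS_STATEMENT), CROSS_ACCOUNT_ROLE))
    print("lenient parse keeps only:", json.loads(KMS_STATEMENT_DUPLICATE_KEY)["Principal"])
    print("strict parse rejects it:", has_duplicate_keys(KMS_STATEMENT_DUPLICATE_KEY))
```

Run the script as-is to see the template policy flagged for its unreplaced placeholders and the filled policy pass cleanly; the last two lines show why strict parsing matters: the lenient parse of the repeated-key statement keeps only the account_B root principal and drops the specific role without any error. To lint your own documents, read the JSON from a file and pass your real bucket name, account ID and role ARN in place of the constructed constants.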

CodeConnections permissions

For pipelines that use AWS CodeConnections, make sure that the connection has permissions to access the source repository. If the connection's repository list includes only some of your repositories, then the connector application installed in your third-party source control management (SCM) system might restrict access.

To resolve this issue, update the connector application in your SCM to grant it access to the repositories. To verify repository access in your SCM, review the repository access settings. You can use CodeConnections to add third-party source providers to pipelines.

AWS OFFICIAL. Updated 2 months ago.