CDK Stack Failed to publish one or more assets Access Denied


Hi All,

In my BuildProject/BuildSpec (in my STG account), I run this command:

  • cdk deploy --require-approval never

It gives me this error:

myStack: deploying...
[0%] start: Publishing e988sdsf934da0d45effe675sdscb946f3e1sds68:current
[0%] check: Check s3://cdk-hnb65dds-assets-xxxxxxxx-cregion/assets/e9882ab1236873df4sdfeffe67sdfc8ce13bsdff3e1d6sdf8d68.zip
Call failed: listObjectsV2({"Bucket":"cdk-hnsd59fds-assets-xxxxxxxx-region","Prefix":"assets/e98ssdfsd87dsffsdffdsfcc8sdsdfdd6141fsdd68.zip","MaxKeys":1}) => Access Denied (code=AccessDenied)
[33%] fail: Access Denied
[33%] start: Publishing c24b999656e4fe6c609c31dfadffbcdfdfc2c86df:current
[33%] check: Check s3://cdk-hnb659fds-assets-xxxxxxxx-cregion/assets/c24b999656e4fe6c609c31dfadffbcdfdfc2c86df.zip
Call failed: listObjectsV2({"Bucket":"cdk-hnb659fds-assets-xxxxxxxx-cregion","Prefix":"assets/c24b999656e4fe6c609c31dfadffbcdfdfc2c86df.zip","MaxKeys":1}) => Access Denied (code=AccessDenied)
[66%] fail: Access Denied
[66%] start: Publishing werer56e4fe6c609c3ewrd17a4d9c3afwr6b8c2wer:current
[66%] check: Check s3://cdk-hnb659fds-assets-xxxxxxxx-cregion/assets/werer56e4fe6c609c3ewrd17a4d9c3afwr6b8c2wer.zip
Call failed: listObjectsV2({"Bucket":"cdk-hnb659fds-assets-xxxxxxxx-cregion","Prefix":"assets/werer56e4fe6c609c3ewrd17a4d9c3afwr6b8c2wer.zip","MaxKeys":1}) => Access Denied (code=AccessDenied)
[100%] fail: Access Denied

 ❌  myStack failed: Error: Failed to publish one or more assets. See the error messages above for more information.
    at publishAssets (/usr/local/lib/node_modules/aws-cdk/lib/util/asset-publishing.ts:27:11)

How can I give the CDK stack running from BuildSpec permission to publish assets?

I already added this policy to my CodeBuild service role, but still have the same issue:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject*",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:getBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::cdk*"
            ]
        }
    ]
}

I also had this error:

ser: arn:aws:sts::xxxxxx:assumed-role/codebuild-mybp-service-role/AWSCodeBuild-d1acsd11-4sad7-9sada6834ffsadbs is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:region:xxxxxxxx:function:myStack-CustomCDKBucketDeployment-l5dzxcszxA7assa because no identity-based policy allows the lambda:InvokeFunction action (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: eedf2-03dfdf3-4ddsfd7-bfdg7-2dfsdff5c2dfgd0; Proxy: null)

Not sure which Lambda it wants to invoke here and why. What are the right permissions for this?

Thank you!!

Jess
Asked 2 years ago, 5306 views

2 answers

Without further context around the run which failed on Lambda, it is difficult to speculate, however based on the naming, it looks like it may be part of the stack which you are trying to deploy, as it seems to match the style of CDK-generated names.

As for the permissions, CDK normally creates a deployment role in your account as part of the bootstrapping process. I have included a link to the details of this role in the bootstrapping template (1). One potential option here is to specify this role in your CDK CLI call by passing the -r or --role-arn parameter with that role (2). If you are experiencing this issue in an account or region that has not been bootstrapped, then you may just need to bootstrap the account in order to have this deployment role (3).

I hope this helps! If you need more assistance with this, I would encourage you to open a support case with CDK so that we can have a more hands-on look at the current configuration, and can provide more concise advice, securely and one-on-one.

(1) https://github.com/aws/aws-cdk/blob/master/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml#L362-L465

(2) https://docs.aws.amazon.com/cdk/v2/guide/cli.html#cli-ref : AWS CDK Toolkit (cdk command) - Toolkit reference

(3) https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html : Bootstrapping

AWS
Support Engineer
Wayne_G
Answered 2 years ago

Accepted answer

I added the following missing permissions to my build project service role and it works:

1 - S3:listObjects

2 - AWSLambdaRole to have the permission to lambda:InvokeFunction

Jess
Answered 2 years ago
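As an added example (not part of the question or either answer), the following Python script turns the denied calls printed by cdk deploy into a least-privilege policy document for the CodeBuild service role, instead of reaching for a broad managed policy. It maps each S3 SDK call to the IAM action it actually requires (listObjectsV2 needs s3:ListBucket on the bucket ARN, not an object-level action) and picks up the lambda:InvokeFunction denial on the CDK custom-resource function; the account id, region, bucket suffix and function name in the sample log are constructed placeholders.

```python
import json
import re

# Constructed sample output modelled on the failing cdk deploy in the question.
# Account id, region, bucket qualifier and function suffix are placeholders.
SAMPLE_LOG = """\
[0%] check: Check s3://cdk-hnb659fds-assets-111111111111-us-east-1/assets/abc.zip
Call failed: listObjectsV2({"Bucket":"cdk-hnb659fds-assets-111111111111-us-east-1","Prefix":"assets/abc.zip","MaxKeys":1}) => Access Denied (code=AccessDenied)
[33%] fail: Access Denied
User: arn:aws:sts::111111111111:assumed-role/codebuild-mybp-service-role/AWSCodeBuild-x is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-1:111111111111:function:myStack-CustomCDKBucketDeployment-EXAMPLE because no identity-based policy allows the lambda:InvokeFunction action
"""

# S3 SDK call -> (IAM action, whether the action is evaluated on the bucket or on objects)
S3_CALL_TO_ACTION = {
    "listObjectsV2": ("s3:ListBucket", "bucket"),
    "getBucketLocation": ("s3:GetBucketLocation", "bucket"),
    "getObject": ("s3:GetObject", "object"),
    "putObject": ("s3:PutObject", "object"),
}

S3_DENIED = re.compile(r"Call failed: (\w+)\((\{.*\})\) => Access Denied")
IAM_DENIED = re.compile(r"is not authorized to perform: (\S+) on resource: (arn:\S+)")


def denied_permissions(log: str) -> dict[str, set[str]]:
    """Map every IAM action that was denied in the log to the resource ARNs it needs."""
    needed: dict[str, set[str]] = {}
    for line in log.splitlines():
        m = S3_DENIED.search(line)
        if m:
            call, params = m.group(1), json.loads(m.group(2))
            # Unknown calls fall back to the conventional action name, scoped to objects.
            action, scope = S3_CALL_TO_ACTION.get(
                call, (f"s3:{call[0].upper()}{call[1:]}", "object"))
            arn = f"arn:aws:s3:::{params['Bucket']}"
            needed.setdefault(action, set()).add(arn if scope == "bucket" else arn + "/*")
            continue
        m = IAM_DENIED.search(line)
        if m:  # explicit IAM denial, e.g. the Lambda custom resource invocation
            needed.setdefault(m.group(1), set()).add(m.group(2))
    return needed


def policy_document(needed: dict[str, set[str]]) -> dict:
    """Build an IAM policy with one Allow statement per action, scoped to the denied ARNs."""
    statements = [{"Effect": "Allow", "Action": action, "Resource": sorted(arns)}
                  for action, arns in sorted(needed.items())]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(policy_document(denied_permissions(SAMPLE_LOG)), indent=2))
```

Feed it the real build log and attach the resulting document to the service role; re-run the deploy and repeat if further denials appear.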
