Hi, the error is 403 (not allowed). It means that your EC2 builder instance execution role is missing permissions to execute properly. You should check the corresponding role policy to add the required authorizations.
As said in https://docs.aws.amazon.com/imagebuilder/latest/userguide/troubleshooting.html#ts-access-denied, it often comes from missing S3 permissions to write objects on the bucket where produced artifacts need to be written.
The pipeline build fails with "AccessDenied: Access Denied status code: 403".
Cause
Possible causes include:
The instance profile does not have the required permissions to access APIs or component resources.
The instance profile role is missing permissions that are required for logging to Amazon S3. Most commonly, this occurs when the instance profile role does not have PutObject permissions for your S3 buckets.
Best, Didier
Hello,
Thank you for your query!
The error message you have received usually indicates that the instance profile mentioned in the Infrastructure configuration of the pipeline does not have the necessary permissions to download the components from the S3 bucket. S3 buckets are involved to download the AWS managed components using the 'GetComponent' API call.
Hence, the EC2 instance responsible for building the image should have access to the S3 bucket and to the 'GetComponent' API, which is needed to download the build component.
Therefore, you can check the corresponding role policies to ensure that the required permissions are granted.
However, if you still continue to face this issue, we would be required to perform resource level troubleshooting to investigate further on your issue.
Hence please create a support case with AWS Premium Support and we will be glad to assist you.
Let me know if you have any further queries. Thank you for your interest in re:Post community.
Have a great day!
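One way to do the policy check both answers recommend, offline, against an exported copy of the instance profile role's policy documents. This is an added example, not code from the posters or from AWS: the bucket name and both policy documents are constructed, and `Condition`, `NotAction`, permission boundaries and SCPs are not evaluated.

```python
import re

def _match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _listify(v):
    # Action, Resource and Statement may each be a single item or a list.
    return [v] if isinstance(v, (str, dict)) else list(v)

def evaluate(policies, action, resource):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one request."""
    verdict = "implicit-deny"
    for policy in policies:
        for st in _listify(policy["Statement"]):
            hit = (any(_match(a, action, True) for a in _listify(st.get("Action", [])))
                   and any(_match(r, resource) for r in _listify(st.get("Resource", []))))
            if hit and st["Effect"] == "Deny":
                return "explicit-deny"  # an explicit Deny always wins
            if hit:
                verdict = "allow"
    return verdict

# Component ARN as quoted in the thread; the bucket name is a constructed placeholder.
COMPONENT = "arn:aws:imagebuilder:us-east-1:627945338248:component/update-windows/1.0.1/1"
LOG_OBJECT = "arn:aws:s3:::example-log-bucket/imagebuilder/build.log"
REQUIRED = [("imagebuilder:GetComponent", COMPONENT), ("s3:PutObject", LOG_OBJECT)]

# Constructed policy: log upload is granted, component download is not.
LOGS_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-log-bucket/*"}]}
# Constructed policy that adds the missing action.
WITH_COMPONENT = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["imagebuilder:Get*"], "Resource": "*"}}

def report(policies):
    """Verdict for each permission the answers above name."""
    return {action: evaluate(policies, action, res) for action, res in REQUIRED}

if __name__ == "__main__":
    print(report([LOGS_ONLY]))
    print(report([LOGS_ONLY, WITH_COMPONENT]))
```

An `implicit-deny` entry in the report is an action that no statement grants.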
Given that this specific component in question is an AWS managed component, how does one know which bucket?
Thanks for taking the time to give an answer.
I'm quite confused how S3 is involved given the error originates from the pipeline attempting to download a build component (AWS code, not mine), and given the pipeline step involved (ApplyBuildComponents), what would seem to me to be inside a container during the docker build itself; "Failed to download the EC2 Image Builder Component 'arn:aws:imagebuilder:us-east-1:627945338248:component/update-windows/1.0.1/1'."
Which S3 bucket would be involved here and under which role exactly; AWSServiceRoleForImageBuilder or the IAM role for the infrastructure configuration?
While S3 logs are involved in the pipeline I already get information written to these logs so where else is S3 involved that needs PutObject?
Couldn't a general HTTP 403 (Forbidden) legitimately be due to what the actual error text says, "API error UnrecognizedClientException: The security token included in the request is invalid.", and not at all related to S3?