S3 access denied error

Question

Hi AWS, I am running a CI/CD pipeline using GitHub Actions to deploy Windows Service in .NET 4.7 Framework. The workflow file is having two jobs i.e. `build` job which is doing the build and uploading the executable file to S3 bucket. Now the other job `deploy` is doing the service installation.  The `build` job is running on GitHub Hosted Runner and the `deploy` job is running on EC2 windows instance self-hosted runner.  Here is the code:

```
name: Deploying a CI/CD for Windows Service using GitHub Actions and upload the executable file in Amazon S3

on:
  workflow_dispatch:
  push:
    branches: [ "master" ]
  pull_request:
    branches: [ "master" ]

env:
  S3_BUCKET_NAME: ${{ secrets.S3_BUCKET_NAME }}
  EXECUTABLE_PATH_RUNNER: ${{ secrets.EXECUTABLE_PATH_RUNNER }}
  SERVICE_NAME: ${{ secrets.SERVICE_NAME }}

jobs:

build:
      runs-on: windows-latest
      defaults:
        run:
          shell: cmd
      steps:
        - name: Checkout code repository
          uses: actions/checkout@v3

- name: Setup MSBuild
          uses: microsoft/setup-msbuild@v1

- name: Setup NuGet
          uses: NuGet/setup-nuget@v1.0.5

- name: Restore Packages
          run: nuget restore WindowsServiceDemo.sln

- name: Build solution
          run: msbuild WindowsServiceDemo.sln /p:Configuration=Release /p:DeployOnBuild=true
      
        - name: Set AWS credentials
          uses: aws-actions/configure-aws-credentials@v1
          with:
            aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
            aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
            aws-region: ${{ secrets.AWS_REGION }}

- name: Upload the windows service executable (.exe) file to S3 bucket
          shell: powershell
          env:
            EXECUTABLE_PATH: ${{ secrets.EXECUTABLE_PATH }}
          run: |
            aws s3 cp ${{ env.EXECUTABLE_PATH }} s3://${{ env.S3_BUCKET_NAME }}/windows-service-app/
     
    deploy:
      needs: build
      runs-on: [ self-hosted, Windows, X64 ]
      defaults:
        run:
         shell: cmd
      steps:
       - name: Set AWS credentials
         uses: aws-actions/configure-aws-credentials@v1
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: ${{ secrets.AWS_REGION }}
    
       - name: Download the Windows Service Executable (.exe) file from S3 bucket to EC2 instance location
         shell: powershell
         env:
           EC2_LOCATION: ${{ secrets.EC2_LOCATION }}
         run: C:\"Program Files"\Amazon\AWSCLIV2\aws s3 cp s3://${{ env.S3_BUCKET_NAME }}/windows-service-app/WindowsServiceDemo.exe ${{ env.EC2_LOCATION }}

- name: To check Windows Service existence along with process id
         shell: powershell
         run: |
           $service = Get-Service -Name ${{ env.SERVICE_NAME }} -ErrorAction SilentlyContinue
           if ($service -eq $null) {
             echo "Install the service"
             cd C:\Windows\System32
             C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe ${{ env.EXECUTABLE_PATH_RUNNER }}
             Start-Service -Name ${{ env.SERVICE_NAME }} 
             echo "Service started"
           } else {
             echo "Service exist"
             $process = Get-Process -Name ${{ env.SERVICE_NAME }} -ErrorAction SilentlyContinue
             if ($process -ne $null) {
               echo "Process Name: $($process.ProcessName)"
               echo "Process ID: $($process.Id)"
               Stop-Service -Name ${{ env.SERVICE_NAME }}
               Stop-Process -Id $process.Id -Force
               cd C:\Windows\System32
               C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe -u ${{ env.EXECUTABLE_PATH_RUNNER }}         
             }
           }
```

The `deploy` job is running fine for the very first run as the service is not there on fresh self hosted runner configured on EC2 windows instance, but when the build is triggered for second time onwards it is giving this access denied error:

**download failed: s3://***/windows-service-app/WindowsServiceDemo.exe to ..\..\WindowsServiceDemo.exe [WinError 5] Access is denied: '***'
Completed 7.5 KiB/7.5 KiB (25.3 KiB/s) with 1 file(s) remaining
Error: Process completed with exit code 1.**

This is weird as I have configured the IAM user and provide the right level of access to the S3 bucket used in the workflow.

Can you please let me know why this issue is occuring.

Answer

Hi Arjun,

First, I recommend you switch from Access Keys and Secret Keys to OpenID Connect so you can securely connect from GitHub to AWS. Also, remember to update the version of your actions (the latest one today is v4). During this process, you will also create an IAM role and ensure that the policy attached to the role has the proper permissions to access the s3 bucket.

Links to resources:
* [Configuring OpenID Connect in Amazon Web Services
](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
* [Configure AWS Credentials for GitHub Actions](https://github.com/aws-actions/configure-aws-credentials)

When you try that, if that still doesn't work, please post here the IAM Policy that you're using attached to the role. Let me know how it goes!

**If the answer is helpful, please click "Accept Answer" and upvote it.**

S3 access denied error

Relevant content