Hi AWS, I am running a CI/CD pipeline using GitHub Actions to deploy a Windows Service in .NET 4.7 Framework. The workflow file has two jobs, i.e. the build job, which does the build and uploads the executable file to an S3 bucket, and the deploy job, which does the service installation. The build job runs on a GitHub-hosted runner and the deploy job runs on an EC2 Windows instance self-hosted runner. Here is the code:
name: Deploying a CI/CD for Windows Service using GitHub Actions and upload the executable file in Amazon S3
on:
  workflow_dispatch:
  push:
    branches: [ "master" ]
  pull_request:
    branches: [ "master" ]
env:
  S3_BUCKET_NAME: ${{ secrets.S3_BUCKET_NAME }}
  EXECUTABLE_PATH_RUNNER: ${{ secrets.EXECUTABLE_PATH_RUNNER }}
  SERVICE_NAME: ${{ secrets.SERVICE_NAME }}
jobs:
  build:
    runs-on: windows-latest
    defaults:
      run:
        shell: cmd
    steps:
      - name: Checkout code repository
        uses: actions/checkout@v3
      - name: Setup MSBuild
        uses: microsoft/setup-msbuild@v1
      - name: Setup NuGet
        uses: NuGet/setup-nuget@v1.0.5
      - name: Restore Packages
        run: nuget restore WindowsServiceDemo.sln
      - name: Build solution
        run: msbuild WindowsServiceDemo.sln /p:Configuration=Release /p:DeployOnBuild=true
      - name: Set AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_REGION }}
      - name: Upload the windows service executable (.exe) file to S3 bucket
        shell: powershell
        env:
          EXECUTABLE_PATH: ${{ secrets.EXECUTABLE_PATH }}
        run: |
          aws s3 cp ${{ env.EXECUTABLE_PATH }} s3://${{ env.S3_BUCKET_NAME }}/windows-service-app/
  deploy:
    needs: build
    runs-on: [ self-hosted, Windows, X64 ]
    defaults:
      run:
        shell: cmd
    steps:
      - name: Set AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_REGION }}
      - name: Download the Windows Service Executable (.exe) file from S3 bucket to EC2 instance location
        shell: powershell
        env:
          EC2_LOCATION: ${{ secrets.EC2_LOCATION }}
        run: C:\"Program Files"\Amazon\AWSCLIV2\aws s3 cp s3://${{ env.S3_BUCKET_NAME }}/windows-service-app/WindowsServiceDemo.exe ${{ env.EC2_LOCATION }}
      - name: To check Windows Service existence along with process id
        shell: powershell
        run: |
          $service = Get-Service -Name ${{ env.SERVICE_NAME }} -ErrorAction SilentlyContinue
          if ($service -eq $null) {
            echo "Install the service"
            cd C:\Windows\System32
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe ${{ env.EXECUTABLE_PATH_RUNNER }}
            Start-Service -Name ${{ env.SERVICE_NAME }}
            echo "Service started"
          } else {
            echo "Service exist"
            $process = Get-Process -Name ${{ env.SERVICE_NAME }} -ErrorAction SilentlyContinue
            if ($process -ne $null) {
              echo "Process Name: $($process.ProcessName)"
              echo "Process ID: $($process.Id)"
              Stop-Service -Name ${{ env.SERVICE_NAME }}
              Stop-Process -Id $process.Id -Force
              cd C:\Windows\System32
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe -u ${{ env.EXECUTABLE_PATH_RUNNER }}
            }
          }
The deploy job is running fine for the very first run, as the service is not there on a fresh self-hosted runner configured on the EC2 Windows instance, but when the build is triggered from the second time onwards it gives this access denied error:
download failed: s3:///windows-service-app/WindowsServiceDemo.exe to ....\WindowsServiceDemo.exe [WinError 5] Access is denied: ''
Completed 7.5 KiB/7.5 KiB (25.3 KiB/s) with 1 file(s) remaining
Error: Process completed with exit code 1.
This is weird, as I have configured the IAM user and provided the right level of access to the S3 bucket used in the workflow.
Can you please let me know why this issue is occurring?
Hi Ivan, here is the policy attached to the IAM user:
I am using an IAM user, not a role, so I don't think I need to use OpenID Connect as of now. Having said that, isn't it weird that the workflow is working fine the first time but throwing an access denied error from the second build onwards?