The issue you're experiencing is likely related to the session policy that's applied when CodePipeline assumes the CodeDeployRole during the Deploy stage. Even though you've verified that both CodePipelineRole and CodeDeployRole have the necessary permissions, the session policy that's created when assuming the role might be restricting access.
To resolve this issue, try the following steps:
- Ensure that the CodePipelineRole has explicit permission to assume the CodeDeployRole. Add the following statement to the CodePipelineRole's policy:

    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "<ARN of CodeDeployRole>"
    }

- In your CodeDeployRole, make sure the trust relationship (AssumeRolePolicyDocument) explicitly allows CodePipeline to assume this role. You have this in your template, but double-check that it's correct.
- In the CodeDeployRole policy, ensure that the S3 permissions are explicitly granted for the artifact bucket. Your current policy uses a wildcard (*) for the Resource, which might be too broad. Instead, specify the exact ARN of your artifact bucket:

    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject*",
        "s3:GetBucket*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::${PipelineArtifactBucket}",
        "arn:aws:s3:::${PipelineArtifactBucket}/*"
      ]
    }

- If you're using KMS encryption on your S3 bucket, make sure both roles have the necessary KMS permissions to decrypt objects in the bucket.
- In your pipeline configuration, make sure you're using the correct role ARN for the CloudFormation deploy action. Verify that the RoleArn in the Deploy action configuration is correctly referencing the CodeDeployRole:

    RoleArn: !GetAtt CodeDeployRole.Arn

- If the issue persists, you may need to review the CloudTrail logs to see the exact API calls being made and identify where the permission is being denied.
Remember, when troubleshooting IAM issues, it's always best to start with the principle of least privilege and gradually add permissions as needed, rather than using overly broad permissions.
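The checklist in the answer above can be run as an offline lint before deploying the stack. The script below is an added example and is not part of the original answer or of any AWS tooling; it walks a constructed, already-rendered stand-in for the asker's template (the account ID, role names and bucket name are made up) and reports each item of the checklist that is not satisfied. The `scope_s3_statements` helper also shows the concrete fix for the `Resource: "*"` wildcard the answer calls out, narrowing it to the bucket ARN and its objects.

```python
"""Offline lint for the CodePipeline / CodeDeployRole checklist.

Added example, not from the original post. SAMPLE_TEMPLATE is a constructed
stand-in for the relevant parts of a CloudFormation template with intrinsic
functions already resolved, so the checks run without AWS access.
"""
import copy
import re

# Constructed sample data: all ARNs, names and the account ID are assumptions.
SAMPLE_TEMPLATE = {
    "CodePipelineRole": {
        "Arn": "arn:aws:iam::123456789012:role/CodePipelineRole",
        "Policy": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Resource": "arn:aws:iam::123456789012:role/CodeDeployRole"},
        ],
    },
    "CodeDeployRole": {
        "Arn": "arn:aws:iam::123456789012:role/CodeDeployRole",
        "Trust": [  # AssumeRolePolicyDocument statements
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"Service": "codepipeline.amazonaws.com"}},
        ],
        "Policy": [
            {"Effect": "Allow",
             "Action": ["s3:GetObject*", "s3:GetBucket*", "s3:List*"],
             "Resource": "*"},  # the too-broad wildcard discussed in the answer
        ],
    },
    "ArtifactBucket": "my-pipeline-artifacts",
    "DeployActionRoleArn": "arn:aws:iam::123456789012:role/CodeDeployRole",
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _actions_match(actions, wanted):
    """True if any IAM action pattern (which may contain '*') covers `wanted`."""
    for a in _as_list(actions):
        pat = "^" + re.escape(a).replace(r"\*", ".*") + "$"
        if re.match(pat, wanted, re.IGNORECASE):
            return True
    return False


def _allows(statements, action, resource):
    """True if some Allow statement grants `action` on exactly `resource`.

    A bare '*' resource deliberately does not count: the point of the check
    is that the grant is scoped to the named ARN.
    """
    return any(s.get("Effect") == "Allow"
               and _actions_match(s.get("Action", []), action)
               and resource in _as_list(s.get("Resource", []))
               for s in statements)


def _is_s3_wildcard(stmt):
    acts = _as_list(stmt.get("Action", []))
    return (stmt.get("Effect") == "Allow"
            and any(a.lower().startswith("s3:") for a in acts)
            and "*" in _as_list(stmt.get("Resource", [])))


def lint_template(t, kms_key_arn=None):
    """Return a list of findings; an empty list means every checklist item holds."""
    findings = []
    deploy_arn = t["CodeDeployRole"]["Arn"]
    bucket_arn = f"arn:aws:s3:::{t['ArtifactBucket']}"

    # 1. CodePipelineRole may assume CodeDeployRole, by exact ARN.
    if not _allows(t["CodePipelineRole"]["Policy"], "sts:AssumeRole", deploy_arn):
        findings.append(f"CodePipelineRole lacks sts:AssumeRole on {deploy_arn}")

    # 2. CodeDeployRole's trust policy names the CodePipeline service principal.
    trusted = [svc for s in t["CodeDeployRole"]["Trust"]
               if s.get("Effect") == "Allow"
               and _actions_match(s.get("Action", []), "sts:AssumeRole")
               for svc in _as_list(s.get("Principal", {}).get("Service", []))]
    if "codepipeline.amazonaws.com" not in trusted:
        findings.append("CodeDeployRole trust policy does not allow codepipeline.amazonaws.com")

    # 3. S3 read access is scoped to the artifact bucket and its objects.
    policy = t["CodeDeployRole"]["Policy"]
    for action, res in (("s3:GetBucketLocation", bucket_arn),
                        ("s3:ListBucket", bucket_arn),
                        ("s3:GetObject", bucket_arn + "/*")):
        if not _allows(policy, action, res):
            findings.append(f"CodeDeployRole: {action} not granted on {res}")
    if any(_is_s3_wildcard(s) for s in policy):
        findings.append("CodeDeployRole: S3 statement uses Resource '*'; scope it to the bucket")

    # 4. With a KMS-encrypted bucket, both roles need kms:Decrypt on that key.
    if kms_key_arn:
        for name in ("CodePipelineRole", "CodeDeployRole"):
            if not _allows(t[name]["Policy"], "kms:Decrypt", kms_key_arn):
                findings.append(f"{name} lacks kms:Decrypt on {kms_key_arn}")

    # 5. The Deploy action's RoleArn must reference the CodeDeployRole.
    if t["DeployActionRoleArn"] != deploy_arn:
        findings.append("Deploy action RoleArn does not reference CodeDeployRole")
    return findings


def scope_s3_statements(policy, bucket):
    """Copy `policy`, narrowing S3 statements on '*' to the bucket and its objects."""
    fixed = []
    for s in policy:
        s = dict(s)
        if _is_s3_wildcard(s):
            s["Resource"] = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
        fixed.append(s)
    return fixed


def apply_s3_fix(t):
    """Return a deep copy of the template with the CodeDeployRole S3 grant scoped."""
    t = copy.deepcopy(t)
    t["CodeDeployRole"]["Policy"] = scope_s3_statements(
        t["CodeDeployRole"]["Policy"], t["ArtifactBucket"])
    return t


if __name__ == "__main__":
    for line in lint_template(SAMPLE_TEMPLATE) or ["checklist satisfied"]:
        print(line)
    print("after fix:", lint_template(apply_s3_fix(SAMPLE_TEMPLATE)))
```

Run as-is, the lint reports the three scoped S3 grants as missing plus the wildcard itself; after `apply_s3_fix` it reports nothing, and passing `kms_key_arn=` adds one finding per role until both carry `kms:Decrypt` on that key. One caveat from my side, not from the answer: the checker encodes the checklist exactly as the answer states it. If the Deploy stage is a CloudFormation deploy action, CodePipeline hands the role to CloudFormation rather than assuming it directly, so in that case the pipeline role also needs `iam:PassRole` for the role and the role's trust policy must allow `cloudformation.amazonaws.com`; the CloudTrail review in the last step will show which principal actually made the denied call.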
Sources
Troubleshooting CodePipeline - AWS CodePipeline
CI/CD Pipeline – AWS CodePipeline Features – AWS
Tutorial: Create a pipeline that uses variables from AWS CloudFormation deployment actions - AWS CodePipeline