Receive error message "You are missing permissions to access input artifact: (artifact name)."

0

Hi, I am having an issue with a CodePipeline. I receive this error:

[Screenshot of error message: "You are missing permissions to access input artifact"]

This error occurs before the deploy is actually triggered in CodeDeploy, so no deploy is created. I've read various things online about this error message, but most describe issues inside the CodeDeploy configuration, as opposed to my instance, which happens before CodeDeploy is triggered. Also, this specific error message does not seem to appear anywhere on the internet.

Here is the policy for the KMS key:

{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXX:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::XXX:role/service-role/appName-pipeline-role",
          "arn:aws:iam::XXX:role/service-role/appName-build-role"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::XXX:role/service-role/appName-pipeline-role",
          "arn:aws:iam::XXX:role/service-role/appName-build-role"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

Here is the policy for the bucket:

{
  "Version": "2012-10-17",
  "Id": "SSEAndSSLPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucketName/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyInsecureConnections",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucketName/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "allow-secondary-account-access",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::YYY:root",
          "arn:aws:iam::YYY:role/appName-deployer-role"
        ]
      },
      "Action": [
        "s3:Get*",
        "s3:Put*"
      ],
      "Resource": "arn:aws:s3:::bucketName/*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::YYY:root"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucketName"
    }
  ]
}
1 Answer
-1

Hi, this is usually caused by insufficient permission to access your artifact in S3. So, you should check your permissions to see if you have enough rights (after validating that the artefact itself exists).

Other possible causes are described in https://medium.com/@shanikae/insufficient-permissions-unable-to-access-the-artifact-with-amazon-s3-247f27e6cdc3

AWS
EXPERT
answered a year ago
  • I've definitely reviewed that blog post and similar ones. Look closely at their error message: it is not the same as the one I am getting. I've also gotten that error message, and it was in fact because the artifact did not exist. This is a very different error message, which is why I'm calling it out specifically.

    As far as I can tell, everything has access. The pipeline and the build are all configured with the same bucket and KMS key, so I'm not sure how the build could produce an artifact that is inaccessible by the pipeline.

  • To continue on this point, the CodeDeploy does not use the artifact; it is only used by the Deploy step of the CodePipeline. So this is an issue with the pipeline being able to access the artifact produced by the build. I can confirm that the build and the pipeline are both using the same bucket and KMS key.

  • Is there any way to debug this further? Can a pipeline be configured to provide more verbose logging to CloudWatch?

  • If you do an exact string search you'll see how rare this error message is: https://www.google.com/search?q=%22You+are+missing+permissions+to+access+input+artifact%22

    Even the wording is strange: who is "you" in this error message? My user account? The Pipeline role? It's a strange way to word an error message like this.

  • I added policies for the KMS key and the S3 bucket.
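
One check the two posted policies allow, as an added example that is not part of the original thread or any AWS tooling: an object stored with `aws:kms` encryption can only be read by a principal that is also allowed `kms:Decrypt` on the key, so this sketch lists principals the bucket policy lets read objects but the key policy does not cover. It compares Allow statements only (Condition, Resource and identity-based IAM policies are not evaluated), and the function names are hypothetical.

```python
import fnmatch

# Allow statements copied from the two policies posted in the question (XXX and
# YYY are the poster's redactions). Deny, Resource and the grant statement omitted.
KEY_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::XXX:root"},
     "Action": "kms:*"},
    {"Effect": "Allow", "Principal": {"AWS": [
        "arn:aws:iam::XXX:role/service-role/appName-pipeline-role",
        "arn:aws:iam::XXX:role/service-role/appName-build-role"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"]},
]}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [
        "arn:aws:iam::YYY:root",
        "arn:aws:iam::YYY:role/appName-deployer-role"]},
     "Action": ["s3:Get*", "s3:Put*"]},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::YYY:root"},
     "Action": "s3:ListBucket"},
]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_principals(policy, action):
    """Principals in Allow statements whose Action patterns cover `action`."""
    found = set()
    for stmt in as_list(policy["Statement"]):
        # IAM action names are case-insensitive and may use * and ? wildcards.
        patterns = [p.lower() for p in as_list(stmt["Action"])]
        if stmt["Effect"] == "Allow" and any(
                fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            principal = stmt["Principal"]
            found.update(["*"] if principal == "*" else as_list(principal.get("AWS", [])))
    return found

def account_of(arn):
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else ""

def readers_without_decrypt(bucket_policy, key_policy):
    """Bucket readers the key policy neither names nor covers via account root."""
    key_ok = allowed_principals(key_policy, "kms:Decrypt")
    # An account root in a key policy delegates key access to that account's IAM.
    delegated = {account_of(a) for a in key_ok if a.endswith(":root")}
    return sorted(a for a in allowed_principals(bucket_policy, "s3:GetObject")
                  if a not in key_ok and account_of(a) not in delegated)

print(readers_without_decrypt(BUCKET_POLICY, KEY_POLICY))
```

Run against the policies as posted, it reports the two account-YYY principals; whether that gap matters depends on which role the failing pipeline action actually runs as, which the thread does not say.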
