Deploy step in pipeline build fails with access denied

0

Hello,

I am following the blog https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/set-up-ci-cd-for-aws-appsync-graphql-api-updates.html

The CDK deploy seems to be ok and the build starts off fine. But then, the step DeployAlpha fails with

Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: .... S3 Extended Request ID: ....; Proxy: null)

The only thing I have changed compared to the provided code in the blog (or the version in github) is to change the github branch name from main to 'm a s t e r' (ignore the spaces - apparently the name of the branch is no longer allowed not even in a post)

Would anyone have any tips on how to get this fixed?

Tx!

Peter

3 Answers
1

Hi Peter,

The S3 access denied appears to be to the PipelineAsset bucket (ex: pipelinestack-pipelineartifactsbucketaea9a052-xxxxxxbb1c), but the executing role for the 'DeployAlpha' 'AppsyncCdkAppStack.Prepare' uses 'arn:aws:iam::xxxxxxxxxxxx:role/cdk-hnb659fds-cfn-exec-role-xxxxxxxxxxxxx-us-west-2'. Looking at the permissions for this role, I can see that it does not have GetObject access to the above pipeline asset bucket. As a test, manually and temporarily adding S3 GetObject permissions to the pipelinestack-pipelineartifactsbucket for this role will allow the pipeline to succeed.

Note that this sample uses an older CDK version and updating to the latest will change how to run this sample; the methods used in this sample are deprecated.

AWS
Ryan_J
answered 2 years ago
  • Hello, thanks for replying! I will test your proposal asap and provide feedback here.

  • Hi Peter, Just following up. Did my comments help unblock you?

0

Sorry for the delay (getting caught up in other things). It's still not working. I even gave public access to the pipeline bucket but the same error is thrown

Peter

Peter
answered 2 years ago
  • So I tracked down the deployment artefact in the bucket that was given the problem. I also gave public access to that and then it looks like the pipeline continues a bit further. However, next problem

    "Failed to assume service-linked role ...aws-service-role/appsync.amazonaws.com/AWSServiceRoleForAppSync, please retry. (Service: AWSAppSync; Status Code: 403; Error Code: AccessDeniedException; Request ID: 26297786-44f1-4763-b38f-a0d27154b013; Proxy: null)" Seems to happen when trying to create the dynamodb table

0

To summarize. After upgrading to aws-cdk libs version 1.138.0 (the latest 1.x for now) and some weird struggles with npm versions, it eventually started working... which is nice. What I don't understand is how people actually develop in such an environment. This (really small) build pipeline takes ~10 minutes or so and, depending on what part one is developing for, there is really no escape from running your code inside AWS. A 10 minute TDD cycle does not make sense whatsoever, and then I have not thought through what it would mean to debug issues.

Any tips anyone?

Peter
answered 2 years ago
