Deploy step in pipeline build fails with access denied
Hello,
I am following the blog https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/set-up-ci-cd-for-aws-appsync-graphql-api-updates.html
The CDK deploy seems to be ok and the build starts off fine. But then, the step DeployAlpha fails with
Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: .... S3 Extended Request ID: ....; Proxy: null)
The only thing I have changed compared to the provided code in the blog (or the version in github) is to change the github branch name from main to 'm a s t e r' (ignore the spaces - apparently the name of the branch is no longer allowed not even in a post)
Would anyone have any tips on how to get this fixed?
Tx!
Peter
Hi Peter,
The S3 access denied appears to be to the PipelineAsset bucket (ex: pipelinestack-pipelineartifactsbucketaea9a052-xxxxxxbb1c), but the executing role for the 'DeployAlpha' 'AppsyncCdkAppStack.Prepare' uses 'arn:aws:iam::xxxxxxxxxxxx:role/cdk-hnb659fds-cfn-exec-role-xxxxxxxxxxxxx-us-west-2'. Looking at the permissions for this role, I can see that it does not have GetObject access to the above pipeline asset bucket. As a test, manually and temporarily adding S3 GetObject permissions to the pipelinestack-pipelineartifactsbucket for this role will allow the pipeline to succeed.
Note that this sample uses an older CDK version and updating to the latest will change how to run this sample; the methods used in this sample are deprecated.
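To make the diagnosis above concrete, here is an added example (not from the thread or the AWS sample) that evaluates IAM identity policies the way the service does, showing why the cfn-exec-role gets AccessDenied on the pipeline artifacts bucket and how a least-privilege statement scoped to that one bucket fixes it, instead of making the bucket public. Bucket names, role policies and the object key are constructed placeholders modelled on the redacted identifiers in the thread; only Effect/Action/Resource are evaluated (no NotAction, NotResource or Condition).

```python
"""Minimal IAM identity-policy check: can the CDK CloudFormation execution
role read objects from the CodePipeline artifacts bucket?
Constructed example; names and policies are placeholders, not real ones."""
import fnmatch
from typing import Dict, List

# Placeholders modelled on the thread's redacted identifiers (constructed).
PIPELINE_BUCKET_ARN = "arn:aws:s3:::pipelinestack-pipelineartifactsbucket-EXAMPLE"
OBJECT_ARN = PIPELINE_BUCKET_ARN + "/assets/manifest.json"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value: str, fold: bool = False) -> bool:
    """IAM wildcards: '*' matches any run of characters, '?' exactly one.
    Actions are case-insensitive in IAM, resource ARNs are not."""
    if fold:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policies: List[Dict], action: str, resource: str) -> bool:
    """Implicit deny by default; any explicit Deny wins over any Allow."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(stmt["Action"], action, fold=True)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Constructed stand-in for the cfn-exec-role: it may read the CDK bootstrap
# staging bucket, but says nothing about the pipeline's own artifacts bucket.
CFN_EXEC_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::cdk-hnb659fds-assets-EXAMPLE",
                 "arn:aws:s3:::cdk-hnb659fds-assets-EXAMPLE/*"]}]}

# Least-privilege fix: read access to that one bucket only, attached to the
# role, rather than public access on the bucket.
ARTIFACT_READ_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion"],
    "Resource": PIPELINE_BUCKET_ARN + "/*"}]}


def diagnose(policies: List[Dict]) -> bool:
    """True when the role could fetch the pipeline asset, False -> AccessDenied."""
    return is_allowed(policies, "s3:GetObject", OBJECT_ARN)


if __name__ == "__main__":
    print("before fix:", diagnose([CFN_EXEC_ROLE_POLICY]))                        # False
    print("after fix: ", diagnose([CFN_EXEC_ROLE_POLICY, ARTIFACT_READ_POLICY]))  # True
```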
Hi Peter, Just following up. Did my comments help unblock you?
Sorry for the delay (getting caught up in other things). It's still not working. I even gave public access to the pipeline bucket but the same error is thrown.
Peter
So I tracked down the deployment artefact in the bucket that was giving the problem. I also gave public access to that and then it looks like the pipeline continues a bit further. However, next problem:
"Failed to assume service-linked role ...aws-service-role/appsync.amazonaws.com/AWSServiceRoleForAppSync, please retry. (Service: AWSAppSync; Status Code: 403; Error Code: AccessDeniedException; Request ID: 26297786-44f1-4763-b38f-a0d27154b013; Proxy: null)" Seems to happen when trying to create the dynamodb table
To summarize. After upgrading to aws-cdk libs version 1.138.0 (the latest 1.x for now) and some weird struggles with npm versions it eventually started working... which is nice. What I don't understand is how people actually develop in such an environment. This (really small) build pipeline takes ~10 minutes or so and depending on what part one is developing for there is really no escape from running your code inside AWS. A 10 minute TDD cycle does not make sense whatsoever, and then I have not thought through what it would mean to debug issues.
Any tips anyone?
Hello, thanks for replying! I will test your proposal asap and provide feedback here.