Deploy step in pipeline build fails with access denied
The CDK deploy seems to be OK and the build starts off fine. But then the step DeployAlpha fails with:
Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: .... S3 Extended Request ID: ....; Proxy: null)
The only thing I have changed compared to the provided code in the blog (or the version on GitHub) is the GitHub branch name, from main to 'm a s t e r' (ignore the spaces - apparently the name of the branch is no longer allowed, not even in a post).
Would anyone have any tips on how to get this fixed?
The S3 access denied appears to be to the PipelineAsset bucket (ex: pipelinestack-pipelineartifactsbucketaea9a052-xxxxxxbb1c), but the executing role for the 'DeployAlpha' 'AppsyncCdkAppStack.Prepare' uses 'arn:aws:iam::xxxxxxxxxxxx:role/cdk-hnb659fds-cfn-exec-role-xxxxxxxxxxxxx-us-west-2'. Looking at the permissions for this role, I can see that it does not have GetObject access to the above pipeline asset bucket. As a test, manually and temporarily adding S3 GetObject permissions to the pipelinestack-pipelineartifactsbucket for this role will allow the pipeline to succeed.
Note that this sample uses an older CDK version and updating to the latest will change how to run this sample; the methods used in this sample are deprecated.
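The check described in the answer above, as an added example that is not part of the original answer or the sample project: a simplified same-account policy evaluation that tells whether a role may call s3:GetObject on an artifact object, and whether a bucket policy statement is open to every principal. The role ARN, bucket name and policy documents are constructed placeholders; conditions, NotAction/NotResource, permission boundaries and SCPs are assumed absent.

```python
import re

# Constructed sample values (placeholders, not taken from the thread).
ROLE = "arn:aws:iam::111122223333:role/example-cfn-exec-role"
OBJ = "arn:aws:s3:::example-pipeline-artifacts/AppStack/template.json"
IDENTITY = {"Statement": [{"Effect": "Allow", "Resource": "*",
                           "Action": ["cloudformation:*", "dynamodb:*"]}]}
GRANT = {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-pipeline-artifacts/*"}
SCOPED = {"Statement": [dict(GRANT, Principal={"AWS": ROLE})]}  # role only
PUBLIC = {"Statement": [dict(GRANT, Principal="*")]}            # everyone

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _match(pattern, value, flags=0):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags) is not None

def _applies(stmt, action, resource):
    # Action names compare case-insensitively, resource ARNs do not.
    return (any(_match(a, action, re.I) for a in _as_list(stmt["Action"]))
            and any(_match(r, resource) for r in _as_list(stmt["Resource"])))

def _principals(stmt):
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else _as_list(p.get("AWS", []))

def is_public(stmt):
    return stmt["Effect"] == "Allow" and "*" in _principals(stmt)

def can_access(role_arn, identity_policy, bucket_policy, action, resource):
    """Same-account decision: explicit Deny wins, else any Allow suffices."""
    hits = [s for s in identity_policy["Statement"]
            if _applies(s, action, resource)]
    hits += [s for s in bucket_policy["Statement"]
             if _applies(s, action, resource)
             and any(p in ("*", role_arn) for p in _principals(s))]
    if any(s["Effect"] == "Deny" for s in hits):
        return False
    return any(s["Effect"] == "Allow" for s in hits)

if __name__ == "__main__":
    for name, bp in [("none", {"Statement": []}), ("scoped", SCOPED),
                     ("public", PUBLIC)]:
        print(name, can_access(ROLE, IDENTITY, bp, "s3:GetObject", OBJ),
              any(is_public(s) for s in bp["Statement"]))
```

Both the scoped and the public bucket policy let the role read the artifact, but only the scoped one does so without opening the bucket to every other principal.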
Hello, thanks for replying! I will test your proposal asap and provide feedback here.
Hi Peter, just following up. Did my comments help unblock you?
Sorry for the delay (getting caught up in other things). It's still not working. I even gave public access to the pipeline bucket but the same error is thrown.
So I tracked down the deployment artefact in the bucket that was giving the problem. I also gave public access to that and then it looks like the pipeline continues a bit further. However, next problem:
"Failed to assume service-linked role ...aws-service-role/appsync.amazonaws.com/AWSServiceRoleForAppSync, please retry. (Service: AWSAppSync; Status Code: 403; Error Code: AccessDeniedException; Request ID: 26297786-44f1-4763-b38f-a0d27154b013; Proxy: null)" Seems to happen when trying to create the DynamoDB table.
To summarize: after upgrading to aws-cdk libs version 1.138.0 (the latest 1.x for now) and some weird struggles with npm versions, it eventually started working, which is nice.
What I don't understand is how people actually develop in such an environment. This (really small) build pipeline takes ~10 minutes or so, and depending on what part one is developing for there is really no escape from running your code inside AWS. A 10-minute TDD cycle does not make sense whatsoever, and then I have not thought through what it would mean to debug issues.
Any tips anyone?