CDK Stack Failed to publish one or more assets Access Denied

0

Hi All,

In My BuildProject/BuildSpec (in my STG Account), I run this command :

  • cdk deploy --require-approval never

it gives me this error :

myStack: deploying...
[0%] start: Publishing e988sdsf934da0d45effe675sdscb946f3e1sds68:current
[0%] check: Check s3://cdk-hnb65dds-assets-xxxxxxxx-cregion/assets/e9882ab1236873df4sdfeffe67sdfc8ce13bsdff3e1d6sdf8d68.zip
Call failed: listObjectsV2({"Bucket":"cdk-hnsd59fds-assets-xxxxxxxx-region","Prefix":"assets/e98ssdfsd87dsffsdffdsfcc8sdsdfdd6141fsdd68.zip","MaxKeys":1}) => Access Denied (code=AccessDenied)
[33%] fail: Access Denied
[33%] start: Publishing c24b999656e4fe6c609c31dfadffbcdfdfc2c86df:current
[33%] check: Check s3://cdk-hnb659fds-assets-xxxxxxxx-cregion/assets/c24b999656e4fe6c609c31dfadffbcdfdfc2c86df.zip
Call failed: listObjectsV2({"Bucket":"cdk-hnb659fds-assets-xxxxxxxx-cregion","Prefix":"assets/c24b999656e4fe6c609c31dfadffbcdfdfc2c86df.zip","MaxKeys":1}) => Access Denied (code=AccessDenied)
[66%] fail: Access Denied
[66%] start: Publishing werer56e4fe6c609c3ewrd17a4d9c3afwr6b8c2wer:current
[66%] check: Check s3://cdk-hnb659fds-assets-xxxxxxxx-cregion/assets/werer56e4fe6c609c3ewrd17a4d9c3afwr6b8c2wer.zip
Call failed: listObjectsV2({"Bucket":"cdk-hnb659fds-assets-xxxxxxxx-cregion","Prefix":"assets/werer56e4fe6c609c3ewrd17a4d9c3afwr6b8c2wer.zip","MaxKeys":1}) => Access Denied (code=AccessDenied)
[100%] fail: Access Denied

 ❌  myStack failed: Error: Failed to publish one or more assets. See the error messages above for more information.
    at publishAssets (/usr/local/lib/node_modules/aws-cdk/lib/util/asset-publishing.ts:27:11)

How can I give CDK stack running from BuildSpec permission to publish assets?

I already added this policy to my CodeBuild service role, but I still get the same issue:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject*",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:getBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::cdk*"
            ]
        }
    ]
}

I also had this error:

User: arn:aws:sts::xxxxxx:assumed-role/codebuild-mybp-service-role/AWSCodeBuild-d1acsd11-4sad7-9sada6834ffsadbs is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:region:xxxxxxxx:function:myStack-CustomCDKBucketDeployment-l5dzxcszxA7assa because no identity-based policy allows the lambda:InvokeFunction action (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: eedf2-03dfdf3-4ddsfd7-bfdg7-2dfsdff5c2dfgd0; Proxy: null)

Not sure which Lambda it wants to invoke here and why. What are the right permissions for this?

Thank you!!

Jess
asked 2 years ago · 5262 views
2 Answers
1

Without further context around the run which failed on Lambda, it is difficult to speculate, however based on the naming, it looks like it may be part of the stack which you are trying to deploy, as it seems to match the style of CDK-generated names.

As for the permissions, CDK normally creates a deployment role in your account as part of the bootstrapping process. I have included a link to the details of this role in the bootstrapping template (1). One potential option here is to specify this role in your CDK CLI call by passing the -r or --role-arn parameter with that role (2). If you are experiencing this issue in an account or region that has not been bootstrapped, then you may just need to bootstrap the account in order to have this deployment role (3).

I hope this helps! If you need more assistance with this, I would encourage you to open a support case with CDK so that we can have a more hands-on look at the current configuration, and can provide more concise advice, securely and one-on-one.

(1) https://github.com/aws/aws-cdk/blob/master/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml#L362-L465

(2) https://docs.aws.amazon.com/cdk/v2/guide/cli.html#cli-ref : AWS CDK Toolkit (cdk command) - Toolkit reference

(3) https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html : Bootstrapping

AWS
SUPPORT ENGINEER
Wayne_G
answered 2 years ago
0
Accepted Answer

I added to my build project service role the following missing permissions and it works:

1. S3:listObjects

2. AWSLambdaRole, to have the permission for lambda:InvokeFunction

Jess
answered 2 years ago
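Added example, not part of either answer above: a small Python evaluator of IAM Allow statements that replays the calls from the log in the question against the policy posted there and against a corrected policy. It shows concretely what both answers point at. The `listObjectsV2` check in the log is authorised by `s3:ListBucket` on the bucket ARN (no `s3:GetObject*`, `s3:PutObject` or `s3:GetBucketLocation` grant covers it), object uploads need the `bucket/*` resource, and CloudFormation invokes a Lambda-backed custom resource such as the `CustomCDKBucketDeployment` function with the credentials of the principal running the stack operation, which is why the CodeBuild role was asked for `lambda:InvokeFunction`. The last statement of the corrected policy follows the first answer: granting `sts:AssumeRole` on the bootstrap `cdk-<qualifier>-*` roles lets the CDK v2 CLI hand asset publishing and deployment to those roles instead. The account id, region, asset key, function suffix and the corrected policy itself are constructed for this example; the evaluator ignores Deny statements and conditions.

```python
"""Replay the IAM checks behind the `cdk deploy` failures from the question.

Added example. Account id, region, asset key and Lambda suffix are placeholders.
"""
import fnmatch

ACCOUNT, REGION = "111111111111", "us-east-1"   # placeholders, not real values
QUALIFIER = "hnb659fds"                           # default CDK bootstrap qualifier
BUCKET = f"arn:aws:s3:::cdk-{QUALIFIER}-assets-{ACCOUNT}-{REGION}"

# The policy from the question, as posted.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject*", "s3:PutObject", "s3:PutObjectAcl", "s3:getBucketLocation"],
        "Resource": ["arn:aws:s3:::cdk*"],
    }],
}

# Corrected policy (constructed for this example):
# - s3:ListBucket (what listObjectsV2 needs) and GetBucketLocation act on the bucket ARN,
# - object reads/writes act on bucket/*,
# - lambda:InvokeFunction for the BucketDeployment custom-resource function,
# - sts:AssumeRole on the bootstrap roles so the CLI can use them instead of this role.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"], "Resource": BUCKET},
        {"Effect": "Allow", "Action": ["s3:GetObject*", "s3:PutObject", "s3:PutObjectAcl"],
         "Resource": BUCKET + "/*"},
        {"Effect": "Allow", "Action": "lambda:InvokeFunction",
         "Resource": f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:myStack-CustomCDKBucketDeployment*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": f"arn:aws:iam::{ACCOUNT}:role/cdk-{QUALIFIER}-*-{ACCOUNT}-{REGION}"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Allow-only evaluation: implicit deny unless one statement matches both the action
    (IAM action names are case-insensitive, '*' and '?' wildcards) and the resource ARN.
    Deny statements and Condition blocks are deliberately not modelled here."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


# What each failing line of the log needs when the CodeBuild role publishes directly.
CDK_CALLS = [
    ("listObjectsV2 existence check", "s3:ListBucket", BUCKET),
    ("putObject of the asset zip", "s3:PutObject", BUCKET + "/assets/e9882ab1.zip"),
    ("getBucketLocation", "s3:GetBucketLocation", BUCKET),
    ("custom-resource Lambda invoke", "lambda:InvokeFunction",
     f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:myStack-CustomCDKBucketDeployment-abc123"),
]

# Roles the CDK v2 CLI assumes by default (DefaultStackSynthesizer) when it is allowed to.
BOOTSTRAP_ROLES = [
    f"arn:aws:iam::{ACCOUNT}:role/cdk-{QUALIFIER}-{name}-{ACCOUNT}-{REGION}"
    for name in ("deploy-role", "file-publishing-role")
]


def missing_permissions(policy):
    """IAM actions from CDK_CALLS that the policy does not allow, in log order."""
    return [action for _, action, res in CDK_CALLS if not is_allowed(policy, action, res)]


def can_use_bootstrap_roles(policy):
    """True if the role may assume both bootstrap roles `cdk deploy` uses."""
    return all(is_allowed(policy, "sts:AssumeRole", role) for role in BOOTSTRAP_ROLES)


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        print(f"{name}: missing={missing_permissions(policy)} "
              f"bootstrap_roles={can_use_bootstrap_roles(policy)}")
```

Running it reports that the original policy lacks `s3:ListBucket` and `lambda:InvokeFunction`, exactly the two failures in the question, while the corrected policy covers every call and can also assume the bootstrap roles. Once the role can assume `cdk-<qualifier>-deploy-role` and `cdk-<qualifier>-file-publishing-role`, the S3 and Lambda grants on the CodeBuild role become unnecessary, because the bootstrap roles carry them and CloudFormation runs the stack under the bootstrap execution role.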
