CodePipeline - Deployment failure due to insufficient permission

Time:12-18

I am getting an insufficient permission error when trying to deploy an application to my AWS Elastic Beanstalk via CodePipeline.

This is the error: Insufficient permissions The provided role does not have sufficient permissions to access Elastic Beanstalk: Access Denied

The weird part is that the policy attached to the CodePipeline's role does have all possible permissions to Beanstalk:

  {
    "Action": "elasticbeanstalk:*",
    "Effect": "Allow",
    "Resource": "*"
  }

I double checked that CodePipeline has the correct role attached and the correct policy is attached to the role.

What missing permission is meant here?

Edit1: I have no other denying policy which could be a conflict...

Edit2: I changed the policy (see below) for testing purposes and it worked, so it has to do with the permissions:

{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}

CodePudding user response:

Make sure adjacent resources, such as the target S3 bucket (if any), have access to ElasticBeanstalk as well.

See this related question for example.

CodePudding user response:

When you created your pipeline, you should have created a service role. This is created initially by AWS and adds all required permissions. Quoting the documentation:

The service role is not an AWS managed role but is created initially for pipeline creation, and then as new permissions are added to the service role policy, you may need to update the service role for your pipeline. Once your pipeline is created with a service role, you cannot apply a different service role to that pipeline. Attach the recommended policy to the service role.

Then in Manage the CodePipeline service role we read:

The CodePipeline service role is configured with one or more policies that control access to the AWS resources used by the pipeline. You might want to attach more policies to this role, edit the policy attached to the role, or configure policies for other service roles in AWS.

and further down:

You can edit the service role statement to remove access to resources you do not use. For example, if none of your pipelines include Elastic Beanstalk, you can edit the policy statement to remove the section that grants access to Elastic Beanstalk resources.

So to summarize:

  • Before creating the pipeline, create a service role either with CLI or in the Console.
  • This service role is created initially to include all necessary permissions. Permissions for deploying to ElasticBeanstalk should be included.
  • The service role isn't managed by Amazon. This means that, if in the future more permissions are needed to deploy to ElasticBeanstalk, they will not be automatically added here. You will need to add them yourself.
  • You can edit the role to either add new policies needed for your deployments or remove permissions not needed.

It seems that you either haven't created the service role correctly or you have edited the role. Or the pipeline has been created back in the future and now more permissions are needed for Elastic Beanstalk. If it is possible, create a new pipeline from scratch, following the instructions in the documentation. Pay attention to the service role creation step. If you can't do that, again create a new temporary pipeline, create the service role correctly and copy the policy to the old service role. (It isn't possible to change the service role of a created pipeline. You can only attach new policies to it).
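Added example, not part of the original question or answers: an offline check of which IAM actions a policy document allows, run against the two policies from the question. The `DEPLOY_ACTIONS` list is an assumption chosen to illustrate calls to adjacent services (S3, CloudFormation, Auto Scaling, EC2) next to Elastic Beanstalk; it is not an authoritative list of what the deploy action requires.

```python
import fnmatch

# Statement from the question, wrapped in a full policy document.
BEANSTALK_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Action": "elasticbeanstalk:*", "Effect": "Allow", "Resource": "*"}]}
# Test policy from Edit2 of the question.
ALLOW_ALL = {"Version": "2012-10-17", "Statement": [
    {"Action": "*", "Effect": "Allow", "Resource": "*"}]}

# Assumption: illustrative actions on Elastic Beanstalk and adjacent services,
# not an authoritative list of what the deploy action calls.
DEPLOY_ACTIONS = [
    "elasticbeanstalk:CreateApplicationVersion",
    "elasticbeanstalk:UpdateEnvironment",
    "s3:PutObject",
    "s3:GetObject",
    "cloudformation:DescribeStackResources",
    "autoscaling:DescribeAutoScalingGroups",
    "ec2:DescribeSecurityGroups",
]

def _as_list(value):
    # Policy JSON allows a single string/object where a list is expected.
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(statement, action):
    # IAM action names are case-insensitive; "*" and "?" are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(statement.get("Action", [])))

def is_allowed(policy, action):
    """Explicit Deny wins, otherwise one matching Allow is needed.
    Simplification: Resource, Condition and NotAction are not evaluated."""
    hits = [s for s in _as_list(policy["Statement"]) if _matches(s, action)]
    if any(s["Effect"] == "Deny" for s in hits):
        return False
    return any(s["Effect"] == "Allow" for s in hits)

def uncovered(policy, actions):
    """Return the actions the policy does not allow, in input order."""
    return [a for a in actions if not is_allowed(policy, a)]

if __name__ == "__main__":
    for name, policy in (("elasticbeanstalk:* only", BEANSTALK_ONLY),
                         ("Action: *", ALLOW_ALL)):
        print(name, "->", uncovered(policy, DEPLOY_ACTIONS) or "all covered")
```

The uncovered list shows which service prefixes to add to the service role, so the `"Action": "*"` test policy does not have to stay in place.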
