Error Access Denied (403) in Amazon S3 during Pipeline Code Deployment

0

I encountered an issue while deploying my pipeline code to the Staging Account, and I'm seeking assistance to resolve it. Here are the details. Please help!

Error Message:

Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: RW6KTNQZN1E7W10J; S3 Extended Request ID: Nhqlu9PX25D83xuFHzik2Sp6vgjCU5y3r84J3N+aTdnxDHdUuvWPfhhWgzYnVZgfQCh8Ck62SAkEGk1FXmfB04VTR2D8TdoPHdPZRF/w5rM=; Proxy: null)


Here is my permissioning:

Tooling Account

  CodePipelineS3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    DeletionPolicy: Delete
    DependsOn: [CodePipelineS3Bucket, CodePipelineToolChainRole, XacctCICDDeploymentRole, CICDDeploymentRoleStackSet]
    Properties:
      Bucket: !Ref CodePipelineS3Bucket
      PolicyDocument:
        Version: 2012-10-17
        Id: SSEAndSSLPolicy
        Statement:
        # Statement:  [Allows CodePipelineToolChainRole & CICDDeploymentRole to put item in the S3 Bucket]
        - Sid: WhitelistedGetListandPut
          Effect: Allow
          Resource: [!Sub "arn:aws:s3:::${CodePipelineS3Bucket}", !Sub "arn:aws:s3:::${CodePipelineS3Bucket}/*"]
          Action: ['s3:GetBucket*', 's3:Put*', 's3:GetObject*', 's3:List*']
          Condition: {'Bool': {'aws:SecureTransport': false}} #[Restricts actions for requests using HTTP.]
          Principal: #["Principal" specifies the AWS identity or IAM role with access permissions.] 
            AWS:
            - !GetAtt PipelineServiceRole.Arn
            - !GetAtt CrossAccountDeploymentRole.Arn
            - !Sub "arn:aws:iam::${StagingAccountID}:root"
            - !Sub "arn:aws:iam::${ProductionAccountID}:root"
            - !Sub "arn:aws:iam::${StagingAccountID}:role/DeploymentRole"
            - !Sub "arn:aws:iam::${ProductionAccountID}:role/DeploymentRole"
  #-------- [CodePipelineToolChainRolePolicy] --------##
  # Note: Separate the (CodePipelineToolChainRole) Policy from the Role to avoid a (circular dependency)
  CodePipelineToolChainRolePolicy:
    Type: 'AWS::IAM::Policy'
    DeletionPolicy: Delete
    DependsOn: [XacctCICDDeploymentRole, CICDDeploymentRoleStackSet]
    Properties:
      PolicyName: !Sub '${AppID}CodePipelineToolChainRolePolicy'
      Roles: [!Ref CodePipelineToolChainRole]
      PolicyDocument:
        Statement:
        # Statement:  [Allow CodePipelineToolChainRole to perform * actions on specified resources]
        - Action:
          - "*"
          Effect: Allow
          Resource:
          - Fn::Sub: arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AppID}/*
          - Fn::Sub: arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/${AppID}*
          - Fn::Sub: arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${RepositoryName}
          - Fn::Sub: arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${CodePipelineName}
          - Fn::Sub: arn:${AWS::Partition}:s3:::${CodePipelineS3Bucket}
          - Fn::Sub: arn:${AWS::Partition}:s3:::${CodePipelineS3Bucket}/*
        # Statement: [Allow CodePipelineToolChainRole to assume XacctCICDDeploymentRole]
        - Effect: Allow
          Action: sts:AssumeRole
          Resource:
          - !GetAtt CrossAccountDeploymentRole.Arn
          - !Sub arn:aws:iam::${ToolingAccountID}:role/CICDDeploymentRole
          - !Sub arn:aws:iam::${StagingAccountID}:role/CICDDeploymentRole
          - !Sub arn:aws:iam::${ProductionAccountID}:role/CICDDeploymentRole
        - Effect: Allow
          Action: ["iam:PassRole"]
          Resource:
          - !GetAtt CodeCommitRepo.Arn #CodeCommit Repo
          - !GetAtt CrossAccountDeploymentRole.Arn
          - !Sub arn:aws:iam::${ToolingAccountID}:role/CICDDeploymentRole
          - !Sub arn:aws:iam::${StagingAccountID}:role/CICDDeploymentRole
          - !Sub arn:aws:iam::${ProductionAccountID}:role/CICDDeploymentRole
        # Statement:  [Allow CodePipelineToolChainRole to perform CloudTrail and CloudWatch Logs actions.]
        - Effect: Allow
          Resource: "*"
          Action:
          - cloudtrail:CreateTrail
          - cloudtrail:StartLogging
          - logs:CreateLogGroup
          - logs:CreateLogStream
          - logs:DescribeLogGroups
          - logs:PutLogEvents

Staging and Prod Account Roles

  DeploymentRole:
    Type: AWS::IAM::Role
    DeletionPolicy: Delete
    Properties:
      RoleName: !Sub 'DeploymentRole'
      AssumeRolePolicyDocument:
        Statement:
        - Action: sts:AssumeRole
          Effect: Allow
          Principal:
            Service: [cloudformation.amazonaws.com, codepipeline.amazonaws.com, codebuild.amazonaws.com, codedeploy.amazonaws.com]
            AWS:
            - !Sub "arn:aws:iam::${ToolingAccountID}:root"
            - !Sub "arn:aws:iam::${ToolingAccountID}:role/DeploymentRole"
            - !Sub "arn:aws:iam::${ToolingAccountID}:role/PipelineServiceRole" 
        # Statement:  [Allow Cloudformation to be able to Assume the Role]
        - Action: 'sts:AssumeRole'
          Effect: Allow
          Principal:
            Service: [cloudformation.amazonaws.com, codepipeline.amazonaws.com, codedeploy.amazonaws.com]
      Path: /
      #Note: (Policies Property Must be of type List)

  DeploymentRolePipelineS3AccessPolicy:
    Type: 'AWS::IAM::Policy'
    DeletionPolicy: Delete
    DependsOn: [DeploymentRole]
    Properties:
      PolicyName: !Sub 'DeploymentRolePipelineS3AccessPolicy'
      Roles: [!Ref DeploymentRole]
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        # Statement:  [Allow for CICD Pipeline S3 Action]
        - Effect: Allow
          Action: ['s3:GetBucket*', 's3:ListBucket', 's3:GetObject*', 's3:Put*']
          Resource: [!Sub "arn:aws:s3:::${CodePipelineS3Bucket}", !Sub "arn:aws:s3:::${CodePipelineS3Bucket}/*"]
        - Effect: Allow
          Action: ['kms:Encrypt', 'kms:ReEncrypt*', 'kms:Decrypt', 'kms:DescribeKey', 'kms:GenerateDataKey*']
          Resource: [!Ref CodePipelineKMSKeyARN]
1 Answer
3
Accepted answer

The "Access Denied (403)" error you encountered while deploying your pipeline code to the Staging Account indicates that there might be an issue with the permissions or the IAM roles involved in the process. Here are some potential challenges and reasons for this error:

  1. The condition 'Bool': {'aws:SecureTransport': false} should be aligned with Effect: Deny, so change it to true - https://repost.aws/knowledge-center/s3-bucket-policy-for-config-rule
  2. Principal in Bucket Policy:
  • Make sure the Principal section in the bucket policy includes the correct IAM roles and accounts that need access. This includes:
  • PipelineServiceRole.Arn
  • CrossAccountDeploymentRole.Arn
  • arn:aws:iam::${StagingAccountID}:role/DeploymentRole
  • Ensure the StagingAccountID and the roles are correctly referenced.
  3. KMS Key Resource Level Policy
  • Go to the KMS key and ensure the key policy includes permissions for the roles from the Tooling, Staging, and Production accounts to use the key.
AWS
answered 3 months ago
EXPERT
reviewed 3 months ago
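To make the first point of the accepted answer concrete, here is a small added example (not from the question, the answer, or any AWS tooling) that evaluates the bucket policy shape from the question against a request from the Staging DeploymentRole. It models only the resource policy with the single Bool condition key aws:SecureTransport; the real S3 decision also folds in the caller's identity policy, the KMS key policy and any SCPs, so treat it as an illustration of the condition logic, not a full simulator. The bucket ARN and role ARN are constructed placeholders standing in for the template's !Sub and !GetAtt values. ORIGINAL_POLICY mirrors the posted Allow statement, whose condition only matches plain-HTTP requests (which the AWS SDKs and CodePipeline never send, so every real request falls through to an implicit deny); CORRECTED_POLICY grants without a transport condition and enforces TLS with a separate Deny, which is the pattern the linked knowledge-center article describes.

```python
"""Evaluate the aws:SecureTransport mistake in an S3 bucket policy (added example)."""
from fnmatch import fnmatchcase

# Constructed placeholders for the template's ${CodePipelineS3Bucket} and
# arn:aws:iam::${StagingAccountID}:role/DeploymentRole values.
BUCKET_ARN = "arn:aws:s3:::example-codepipeline-bucket"
STAGING_DEPLOY_ROLE = "arn:aws:iam::111111111111:role/DeploymentRole"
S3_ACTIONS = ["s3:GetBucket*", "s3:Put*", "s3:GetObject*", "s3:List*"]

# Shape of the policy as posted: the Allow carries aws:SecureTransport == false,
# so it matches only HTTP requests; an HTTPS request matches nothing.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "WhitelistedGetListandPut",
            "Effect": "Allow",
            "Principal": {"AWS": [STAGING_DEPLOY_ROLE]},
            "Action": S3_ACTIONS,
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }
    ],
}

# Corrected shape: unconditional Allow for the listed roles plus a separate
# Deny that rejects any principal talking to the bucket over HTTP.
CORRECTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "WhitelistedGetListandPut",
            "Effect": "Allow",
            "Principal": {"AWS": [STAGING_DEPLOY_ROLE]},
            "Action": S3_ACTIONS,
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal_field, principal_arn):
    if principal_field == "*":
        return True
    return principal_arn in _as_list(principal_field.get("AWS", []))


def _condition_matches(condition, secure_transport):
    # Only Bool/aws:SecureTransport is modelled; a missing condition always matches.
    wanted = (condition or {}).get("Bool", {}).get("aws:SecureTransport")
    if wanted is None:
        return True
    return str(wanted).lower() == str(secure_transport).lower()


def _statement_matches(stmt, principal_arn, action, resource, secure_transport):
    return (
        _principal_matches(stmt.get("Principal", {}), principal_arn)
        and any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"]))
        and any(fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"]))
        and _condition_matches(stmt.get("Condition"), secure_transport)
    )


def evaluate(policy, principal_arn, action, resource, secure_transport):
    """Resource-policy-only decision: explicit Deny wins, then any Allow, else implicit Deny."""
    matched = [s for s in policy["Statement"]
               if _statement_matches(s, principal_arn, action, resource, secure_transport)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "Deny (explicit)"
    if any(s["Effect"] == "Allow" for s in matched):
        return "Allow"
    return "Deny (implicit)"


def allows_requiring_plaintext(policy):
    """Lint: Sids of Allow statements that can only match when aws:SecureTransport is false."""
    return [
        s.get("Sid", "<no Sid>") for s in policy["Statement"]
        if s["Effect"] == "Allow"
        and str(s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")).lower() == "false"
    ]


if __name__ == "__main__":
    obj = BUCKET_ARN + "/pipeline/artifact.zip"
    for name, policy in (("original", ORIGINAL_POLICY), ("corrected", CORRECTED_POLICY)):
        for tls in (True, False):
            print(name, "PutObject over", "HTTPS" if tls else "HTTP", "->",
                  evaluate(policy, STAGING_DEPLOY_ROLE, "s3:PutObject", obj, tls))
        print(name, "lint:", allows_requiring_plaintext(policy))
```

Running it shows the posted shape allowing only the HTTP request and implicitly denying the HTTPS one (which is what the 403 in the question looks like from the caller's side), while the corrected shape allows HTTPS and explicitly denies HTTP. The allows_requiring_plaintext lint is the check worth running over a template before deploying it: any Allow statement it reports is dead for real clients.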
