How do I resolve authentication errors during CodeBuild with GitHub Actions integration?

I configured my AWS CodeBuild project with GitHub Action as a source provider. However, it fails when the build starts the Download_Source phase.

Short description

You must include the CodeBuild project name to invoke jobs with the correct project settings. The following errors occur when you don't have authentication and your CodeBuild project fails at the Download_Source phase:

"CLIENT_ERROR: authentication required for primary source"

"CLIENT_ERROR: authorization failed for primary source and source version:"

To resolve these errors, identify the authentication method used, and then configure the required settings and permissions.

Resolution

To determine which method you use to connect CodeBuild to GitHub, complete the following steps:

  1. Open the CodeBuild console.
  2. In the navigation pane, expand Build, and then choose Build projects.
  3. Select your build project, and then choose Edit.
  4. In the Source section, review the Credential message to identify the authentication method used.

For personal access tokens

To verify that your personal access token exists and is valid, take the following actions:

  • Check your GitHub Developer settings. For more information, see Managing your personal access tokens on the GitHub Docs website.
  • Make sure that you correctly configured your personal access token with the access token prerequisites.
  • If your personal access tokens are expired, then regenerate the authentication tokens and update the tokens in AWS Secrets Manager.

For Secrets Manager secret

To verify that your Secrets Manager secret exists and isn't expired, take the following actions:

  • If you're connected through a Secrets Manager secret, then check that the secret exists and the value is up to date.
  • Confirm that your CodeBuild project service role has the secretsmanager:GetSecretValue permission to fetch the secret.

To check whether the role has the secretsmanager:GetSecretValue permission, obtain the CodeBuild project's service role. Complete the following steps:

  1. Open the CodeBuild console.
  2. Select the project, and then choose the Project details tab.
  3. In the Environment configuration, choose the Service role setting.
  4. Select the service role.
  5. Confirm that the role has the following permissions:
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:region:account-id:secret:secretName"
    ]
    Note: Replace region with your AWS Region, account-id with your AWS account ID, and secretName with your secret name.
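
The permission check in step 5 can also be run offline against policy JSON exported from the service role. The following is an added example, not code from this article or from AWS. It evaluates only plain Action/Resource statements and skips Condition, NotAction, and NotResource, along with permissions boundaries, SCPs, and resource policies. The account ID, secret name, and suffix are constructed placeholders, and the sample assumes the full secret ARN ends with the hyphen and six characters that Secrets Manager appends to the secret name.

```python
import re

ACTION = "secretsmanager:GetSecretValue"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: "*" is any run of characters, "?" is exactly one character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def get_secret_decision(policy_documents, secret_arn):
    """Return 'allow', 'explicit-deny' or 'implicit-deny' for ACTION on secret_arn."""
    allowed = False
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement", [])):
            if {"Condition", "NotAction", "NotResource"} & stmt.keys():
                continue  # outside this example's scope; review these by hand
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            # Action names are case-insensitive; resource ARNs are matched exactly.
            if not any(_matches(a, ACTION, ignore_case=True) for a in actions):
                continue
            if not any(_matches(r, secret_arn) for r in resources):
                continue
            if stmt.get("Effect") == "Deny":
                return "explicit-deny"  # an explicit Deny always wins
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "allow" if allowed else "implicit-deny"

# Constructed sample values (account ID, secret name and suffix are placeholders).
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:github-token-AbCdEf"
BASE = "arn:aws:secretsmanager:us-east-1:111122223333:secret:github-token"

def policy(effect, resource, action=ACTION):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": effect, "Action": [action], "Resource": [resource]}]}

if __name__ == "__main__":
    for label, docs in [
        ("name without suffix", [policy("Allow", BASE)]),
        ("name plus -??????", [policy("Allow", BASE + "-??????")]),
        ("allow plus explicit deny", [policy("Allow", "*", "secretsmanager:*"),
                                      policy("Deny", BASE + "-*")]),
    ]:
        print(f"{label}: {get_secret_decision(docs, SECRET_ARN)}")
```

An "implicit-deny" result for a Resource written with the bare secret name means the pattern does not cover the suffixed ARN; use the full ARN or the name followed by -??????.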

For OAuth applications

Your OAuth token is tied to the GitHub user. If the GitHub user is removed from the organization, then the token is no longer valid. To review your authorized OAuth applications, confirm that the Applications list on GitHub includes the AWS CodeBuild (region) application that aws-codesuite owns.

For CodeConnections

To verify that CodeConnections exist and are valid, take the following actions:

Related information

GitHub OAuth app

GitHub and GitHub Enterprise Server access in CodeBuild

Change build project settings in AWS CodeBuild

AWS OFFICIAL
Updated a month ago