Hi, I am having an issue with a CodePipeline. I receive this error:
This error occurs before the deploy is actually triggered in CodeDeploy, so no deploy is created. I've read various things online about this error message, but most describe issues inside the CodeDeploy configuration, as opposed to my case, which happens before CodeDeploy is triggered. Also, this specific error message does not seem to appear anywhere on the internet.
Here is the policy for the KMS key:
{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXX:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::XXX:role/service-role/appName-pipeline-role",
          "arn:aws:iam::XXX:role/service-role/appName-build-role"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::XXX:role/service-role/appName-pipeline-role",
          "arn:aws:iam::XXX:role/service-role/appName-build-role"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
Here is the policy for the bucket:
{
  "Version": "2012-10-17",
  "Id": "SSEAndSSLPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucketName/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyInsecureConnections",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucketName/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "allow-secondary-account-access",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::YYY:root",
          "arn:aws:iam::YYY:role/appName-deployer-role"
        ]
      },
      "Action": [
        "s3:Get*",
        "s3:Put*"
      ],
      "Resource": "arn:aws:s3:::bucketName/*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::YYY:root"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucketName"
    }
  ]
}
I've definitely reviewed that blog post and similar ones. Look closely at their error message: it is not the same as the one I am getting. I've also gotten that error message, and it was in fact because the artifact did not exist. This is a very different error message, which is why I'm calling it out specifically.
As far as I can tell, everything has access. The pipeline and the build are all configured with the same bucket and KMS key, so I'm not sure how the build could produce an artifact that is inaccessible by the pipeline.
To continue on this point, CodeDeploy does not use the artifact; it is only used by the Deploy step of the CodePipeline. So this is an issue with the pipeline being able to access the artifact produced by the build. I can confirm that the build and the pipeline are both using the same bucket and KMS key.
Is there any way to debug this further? Can a pipeline be configured to provide more verbose logging to CloudWatch?
If you do an exact string search you'll see how rare this error message is: https://www.google.com/search?q=%22You+are+missing+permissions+to+access+input+artifact%22
Even the wording is strange: who is "you" in this error message? My user account? The pipeline role? It's a strange way to word an error message like this.
I added policies for the KMS key and the S3 bucket.
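As an added, offline check that is not part of the original post: reading an SSE-KMS object needs both s3:GetObject on the bucket and kms:Decrypt on the key, so the script below walks compact copies of the two policies above (account ids kept as XXX/YYY, Deny statements left out since they only restrict further) and lists any account the bucket policy lets read from but the key policy never grants kms:Decrypt to.

```python
from fnmatch import fnmatchcase

# Constructed, abbreviated copies of the key and bucket policies from the post.
# Deny statements are omitted; only Allow grants matter for this comparison.
KEY_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::XXX:root"}, "Action": "kms:*"},
    {"Effect": "Allow", "Principal": {"AWS": [
        "arn:aws:iam::XXX:role/service-role/appName-pipeline-role",
        "arn:aws:iam::XXX:role/service-role/appName-build-role"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"]},
]}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [
        "arn:aws:iam::YYY:root", "arn:aws:iam::YYY:role/appName-deployer-role"]},
     "Action": ["s3:Get*", "s3:Put*"]},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::YYY:root"},
     "Action": "s3:ListBucket"},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def account_of(arn):
    # arn:aws:iam::<account>:<resource> -> the account id field
    return arn.split(":")[4]

def accounts_allowed(policy, action):
    """Account ids that some Allow statement grants `action` to, expanding
    wildcard actions such as kms:ReEncrypt* or s3:Get*."""
    accounts = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase(action, pat) for pat in _as_list(st["Action"])):
            continue
        principals = st["Principal"]
        if principals == "*":
            accounts.add("*")
            continue
        accounts.update(account_of(arn) for arn in _as_list(principals["AWS"]))
    return accounts

def accounts_missing_decrypt(bucket_policy, key_policy):
    """Accounts allowed to GetObject on the bucket that the key policy never
    grants kms:Decrypt to; they cannot read SSE-KMS artifacts regardless."""
    readers = accounts_allowed(bucket_policy, "s3:GetObject")
    decryptors = accounts_allowed(key_policy, "kms:Decrypt")
    return sorted(readers - decryptors)

if __name__ == "__main__":
    print(accounts_missing_decrypt(BUCKET_POLICY, KEY_POLICY))  # ['YYY']
```

Swapping in the real policies (for example the output of get-key-policy and get-bucket-policy) keeps the comparison valid as long as the Principal blocks use AWS ARNs.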