I encountered an issue while deploying my pipeline code to the Staging account, and I'm seeking assistance to resolve it. Here are the details:
Pls help!!!!!!!
Error Message:
Error message
Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: RW6KTNQZN1E7W10J; S3 Extended Request ID: Nhqlu9PX25D83xuFHzik2Sp6vgjCU5y3r84J3N+aTdnxDHdUuvWPfhhWgzYnVZgfQCh8Ck62SAkEGk1FXmfB04VTR2D8TdoPHdPZRF/w5rM=; Proxy: null)
Here is my permissioning:
Tooling Account
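CodePipelineS3BucketPolicy:
  Type: AWS::S3::BucketPolicy
  DeletionPolicy: Delete
  # NOTE(review): DependsOn names CodePipelineToolChainRole and
  # XacctCICDDeploymentRole, while the principals below are
  # PipelineServiceRole and CrossAccountDeploymentRole -- confirm the
  # logical IDs match the roles actually defined in this template.
  DependsOn: [CodePipelineS3Bucket, CodePipelineToolChainRole, XacctCICDDeploymentRole, CICDDeploymentRoleStackSet]
  Properties:
    Bucket: !Ref CodePipelineS3Bucket
    PolicyDocument:
      # Quoted: generic YAML loaders parse an unquoted 2012-10-17 as a date.
      Version: '2012-10-17'
      Id: SSEAndSSLPolicy
      Statement:
        # Grants the pipeline roles and the per-account deployment roles
        # get/list/put on the artifact bucket.
        # This Allow carries NO aws:SecureTransport condition.  The original
        # attached `Bool aws:SecureTransport: false` to the Allow, which only
        # grants plaintext-HTTP requests; every HTTPS call (what CodePipeline,
        # CloudFormation and the SDKs send) fell outside it and was denied,
        # which is one cause of the 403 AccessDenied seen from the staging
        # account.  TLS is enforced by the explicit Deny below instead.
        - Sid: WhitelistedGetListandPut
          Effect: Allow
          Principal:
            AWS:
              - !GetAtt PipelineServiceRole.Arn
              - !GetAtt CrossAccountDeploymentRole.Arn
              - !Sub 'arn:aws:iam::${StagingAccountID}:root'
              - !Sub 'arn:aws:iam::${ProductionAccountID}:root'
              - !Sub 'arn:aws:iam::${StagingAccountID}:role/DeploymentRole'
              - !Sub 'arn:aws:iam::${ProductionAccountID}:role/DeploymentRole'
          Action: ['s3:GetBucket*', 's3:Put*', 's3:GetObject*', 's3:List*']
          Resource:
            - !Sub 'arn:aws:s3:::${CodePipelineS3Bucket}'
            - !Sub 'arn:aws:s3:::${CodePipelineS3Bucket}/*'
        # Rejects any request to the bucket that is not made over HTTPS,
        # for every principal.  This is what the original condition was meant
        # to express.
        - Sid: DenyInsecureTransport
          Effect: Deny
          Principal: '*'
          Action: 's3:*'
          Resource:
            - !Sub 'arn:aws:s3:::${CodePipelineS3Bucket}'
            - !Sub 'arn:aws:s3:::${CodePipelineS3Bucket}/*'
          Condition:
            Bool:
              'aws:SecureTransport': 'false'
        # NOTE(review): if the bucket's objects are encrypted with the KMS key
        # referenced as CodePipelineKMSKeyARN elsewhere in this setup, that
        # key's policy must also grant the cross-account roles, or reads from
        # the target accounts will still fail after this bucket-policy fix.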
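#-------- [CodePipelineToolChainRolePolicy] --------##
# Note: the policy is kept as a separate resource from CodePipelineToolChainRole
# to avoid a circular dependency between the role and the resources it names.
CodePipelineToolChainRolePolicy:
  Type: 'AWS::IAM::Policy'
  DeletionPolicy: Delete
  # NOTE(review): DependsOn names XacctCICDDeploymentRole, but the statements
  # below reference CrossAccountDeploymentRole -- confirm both logical IDs exist.
  DependsOn: [XacctCICDDeploymentRole, CICDDeploymentRoleStackSet]
  Properties:
    PolicyName: !Sub '${AppID}CodePipelineToolChainRolePolicy'
    Roles: [!Ref CodePipelineToolChainRole]
    PolicyDocument:
      # Explicit version, matching DeploymentRolePipelineS3AccessPolicy; without
      # it IAM falls back to the older 2008-10-17 policy grammar.
      Version: '2012-10-17'
      Statement:
        # Every action on the pipeline's own stack, build project, repository,
        # pipeline and artifact bucket.  Action "*" is far wider than a toolchain
        # role needs (it includes deletion of the stack and bucket); consider
        # listing the cloudformation/codebuild/codecommit/codepipeline/s3 actions
        # the pipeline actually calls.
        - Effect: Allow
          Action: ['*']
          Resource:
            - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AppID}/*'
            - !Sub 'arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/${AppID}*'
            - !Sub 'arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${RepositoryName}'
            - !Sub 'arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${CodePipelineName}'
            - !Sub 'arn:${AWS::Partition}:s3:::${CodePipelineS3Bucket}'
            - !Sub 'arn:${AWS::Partition}:s3:::${CodePipelineS3Bucket}/*'
        # Assume the deployment role in the tooling, staging and production accounts.
        # NOTE(review): these ARNs name role/CICDDeploymentRole, but the role
        # created in the target account (DeploymentRole below) has
        # RoleName: DeploymentRole -- the two names must agree, otherwise the
        # cross-account AssumeRole is denied before S3 is ever reached.
        - Effect: Allow
          Action: 'sts:AssumeRole'
          Resource:
            - !GetAtt CrossAccountDeploymentRole.Arn
            - !Sub 'arn:aws:iam::${ToolingAccountID}:role/CICDDeploymentRole'
            - !Sub 'arn:aws:iam::${StagingAccountID}:role/CICDDeploymentRole'
            - !Sub 'arn:aws:iam::${ProductionAccountID}:role/CICDDeploymentRole'
        # Pass the deployment roles to the services acting on the pipeline's behalf.
        # iam:PassRole only matches role ARNs, so the CodeCommit repository ARN
        # in this list never applies; it is kept unchanged here but is dead weight.
        - Effect: Allow
          Action: ['iam:PassRole']
          Resource:
            - !GetAtt CodeCommitRepo.Arn
            - !GetAtt CrossAccountDeploymentRole.Arn
            - !Sub 'arn:aws:iam::${ToolingAccountID}:role/CICDDeploymentRole'
            - !Sub 'arn:aws:iam::${StagingAccountID}:role/CICDDeploymentRole'
            - !Sub 'arn:aws:iam::${ProductionAccountID}:role/CICDDeploymentRole'
        # CloudTrail trail creation and CloudWatch Logs writes.  Resource "*"
        # could be narrowed to the pipeline's own log groups once their names
        # are fixed.
        - Effect: Allow
          Resource: '*'
          Action:
            - 'cloudtrail:CreateTrail'
            - 'cloudtrail:StartLogging'
            - 'logs:CreateLogGroup'
            - 'logs:CreateLogStream'
            - 'logs:DescribeLogGroups'
            - 'logs:PutLogEvents'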
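DeploymentRole:
  Type: AWS::IAM::Role
  DeletionPolicy: Delete
  Properties:
    # Fixed name so the tooling account can reference this role by ARN.
    # NOTE(review): the tooling account's CodePipelineToolChainRolePolicy
    # assumes role/CICDDeploymentRole in this account, not role/DeploymentRole;
    # one of the two names has to change.
    RoleName: DeploymentRole
    AssumeRolePolicyDocument:
      # Explicit version, matching DeploymentRolePipelineS3AccessPolicy.
      Version: '2012-10-17'
      Statement:
        # Trusts the deployment services plus the tooling account's pipeline
        # roles.  The original carried a second statement trusting
        # cloudformation/codepipeline/codedeploy; it was a subset of this one
        # and has been folded in.
        # The ":root" entry lets any principal in the tooling account that
        # holds sts:AssumeRole on this ARN assume it; the two role ARNs below
        # are the narrower grant, so the root entry can be dropped once they
        # are confirmed to be the only callers.
        - Effect: Allow
          Action: 'sts:AssumeRole'
          Principal:
            Service:
              - cloudformation.amazonaws.com
              - codepipeline.amazonaws.com
              - codebuild.amazonaws.com
              - codedeploy.amazonaws.com
            AWS:
              - !Sub 'arn:aws:iam::${ToolingAccountID}:root'
              - !Sub 'arn:aws:iam::${ToolingAccountID}:role/DeploymentRole'
              - !Sub 'arn:aws:iam::${ToolingAccountID}:role/PipelineServiceRole'
    Path: /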
# Note: attached as a separate AWS::IAM::Policy rather than through the
# role's inline Policies property (which must be a list).
DeploymentRolePipelineS3AccessPolicy:
  Type: 'AWS::IAM::Policy'
  DeletionPolicy: Delete
  DependsOn: [DeploymentRole]
  Properties:
    PolicyName: DeploymentRolePipelineS3AccessPolicy
    Roles: [!Ref DeploymentRole]
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        # Read, list and write the tooling account's artifact bucket.  This
        # identity policy is only half of a cross-account grant: the bucket
        # policy in the tooling account must also name this role.
        - Effect: Allow
          Action:
            - 's3:GetBucket*'
            - 's3:ListBucket'
            - 's3:GetObject*'
            - 's3:Put*'
          Resource:
            - !Sub 'arn:aws:s3:::${CodePipelineS3Bucket}'
            - !Sub 'arn:aws:s3:::${CodePipelineS3Bucket}/*'
        # Encrypt/decrypt artifacts with the pipeline's KMS key; the key policy
        # on that key must likewise allow this role.
        - Effect: Allow
          Action:
            - 'kms:Encrypt'
            - 'kms:ReEncrypt*'
            - 'kms:Decrypt'
            - 'kms:DescribeKey'
            - 'kms:GenerateDataKey*'
          Resource: [!Ref CodePipelineKMSKeyARN]