Error Access Denied (403) in Amazon S3 during Pipeline Code Deployment


I encountered an issue while deploying my pipeline code to the Staging Account, and I'm seeking assistance to resolve it. Here are the details. Please help!

Error Message:

Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: RW6KTNQZN1E7W10J; S3 Extended Request ID: Nhqlu9PX25D83xuFHzik2Sp6vgjCU5y3r84J3N+aTdnxDHdUuvWPfhhWgzYnVZgfQCh8Ck62SAkEGk1FXmfB04VTR2D8TdoPHdPZRF/w5rM=; Proxy: null)

Here is my permissioning:

Tooling Account

  CodePipelineS3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    DeletionPolicy: Delete
    DependsOn: [CodePipelineS3Bucket, CodePipelineToolChainRole, XacctCICDDeploymentRole, CICDDeploymentRoleStackSet]
    Properties:
      Bucket: !Ref CodePipelineS3Bucket
      PolicyDocument:
        Version: 2012-10-17
        Id: SSEAndSSLPolicy
        Statement:
        # Statement:  [Allows CodePipelineToolChainRole & CICDDeploymentRole to put item in the S3 Bucket]
        - Sid: WhitelistedGetListandPut
          Effect: Allow
          Resource: [!Sub "arn:aws:s3:::${CodePipelineS3Bucket}", !Sub "arn:aws:s3:::${CodePipelineS3Bucket}/*"]
          Action: ['s3:GetBucket*', 's3:Put*', 's3:GetObject*', 's3:List*']
          Condition: {'Bool': {'aws:SecureTransport': false}} #[Restricts actions for requests using HTTP.]
          Principal: #["Principal" specifies the AWS identity or IAM role with access permissions.] 
            AWS:
            - !GetAtt PipelineServiceRole.Arn
            - !GetAtt CrossAccountDeploymentRole.Arn
            - !Sub "arn:aws:iam::${StagingAccountID}:root"
            - !Sub "arn:aws:iam::${ProductionAccountID}:root"
            - !Sub "arn:aws:iam::${StagingAccountID}:role/DeploymentRole"
            - !Sub "arn:aws:iam::${ProductionAccountID}:role/DeploymentRole"
  #-------- [CodePipelineToolChainRolePolicy] --------##
  # Note: Separate the (CodePipelineToolChainRole) policy from the role to avoid a (circular dependency)
  CodePipelineToolChainRolePolicy:
    Type: 'AWS::IAM::Policy'
    DeletionPolicy: Delete
    DependsOn: [XacctCICDDeploymentRole, CICDDeploymentRoleStackSet]
    Properties:
      PolicyName: !Sub '${AppID}CodePipelineToolChainRolePolicy'
      Roles: [!Ref CodePipelineToolChainRole]
      PolicyDocument:
        Statement:
        # Statement:  [Allow CodePipelineToolChainRole to perform * actions on specified resources]
        - Action:
          - "*"
          Effect: Allow
          Resource:
          - Fn::Sub: arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AppID}/*
          - Fn::Sub: arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/${AppID}*
          - Fn::Sub: arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${RepositoryName}
          - Fn::Sub: arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${CodePipelineName}
          - Fn::Sub: arn:${AWS::Partition}:s3:::${CodePipelineS3Bucket}
          - Fn::Sub: arn:${AWS::Partition}:s3:::${CodePipelineS3Bucket}/*
        # Statement: [Allow CodePipelineToolChainRole to assume XacctCICDDeploymentRole]
        - Effect: Allow
          Action: sts:AssumeRole
          Resource:
          - !GetAtt CrossAccountDeploymentRole.Arn
          - !Sub arn:aws:iam::${ToolingAccountID}:role/CICDDeploymentRole
          - !Sub arn:aws:iam::${StagingAccountID}:role/CICDDeploymentRole
          - !Sub arn:aws:iam::${ProductionAccountID}:role/CICDDeploymentRole
        - Effect: Allow
          Action: ["iam:PassRole"]
          Resource:
          - !GetAtt CodeCommitRepo.Arn #CodeCommit Repo
          - !GetAtt CrossAccountDeploymentRole.Arn
          - !Sub arn:aws:iam::${ToolingAccountID}:role/CICDDeploymentRole
          - !Sub arn:aws:iam::${StagingAccountID}:role/CICDDeploymentRole
          - !Sub arn:aws:iam::${ProductionAccountID}:role/CICDDeploymentRole
        # Statement:  [Allow CodePipelineToolChainRole to perform CloudTrail and CloudWatch Logs actions.]
        - Effect: Allow
          Resource: "*"
          Action:
          - cloudtrail:CreateTrail
          - cloudtrail:StartLogging
          - logs:CreateLogGroup
          - logs:CreateLogStream
          - logs:DescribeLogGroups
          - logs:PutLogEvents

Staging and Prod Account Roles

  DeploymentRole:
    Type: AWS::IAM::Role
    DeletionPolicy: Delete
    Properties:
      RoleName: !Sub 'DeploymentRole'
      AssumeRolePolicyDocument:
        Statement:
        - Action: sts:AssumeRole
          Effect: Allow
          Principal:
            Service: [cloudformation.amazonaws.com, codepipeline.amazonaws.com, codebuild.amazonaws.com, codedeploy.amazonaws.com]
            AWS:
            - !Sub "arn:aws:iam::${ToolingAccountID}:root"
            - !Sub "arn:aws:iam::${ToolingAccountID}:role/DeploymentRole"
            - !Sub "arn:aws:iam::${ToolingAccountID}:role/PipelineServiceRole" 
        # Statement:  [Allow Cloudformation to be able to Assume the Role]
        - Action: 'sts:AssumeRole'
          Effect: Allow
          Principal:
            Service: [cloudformation.amazonaws.com, codepipeline.amazonaws.com, codedeploy.amazonaws.com]
      Path: /
      #Note: (Policies Property Must be of type List)

  DeploymentRolePipelineS3AccessPolicy:
    Type: 'AWS::IAM::Policy'
    DeletionPolicy: Delete
    DependsOn: [DeploymentRole]
    Properties:
      PolicyName: !Sub 'DeploymentRolePipelineS3AccessPolicy'
      Roles: [!Ref DeploymentRole]
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        # Statement:  [Allow for CICD Pipeline S3 Action]
        - Effect: Allow
          Action: ['s3:GetBucket*', 's3:ListBucket', 's3:GetObject*', 's3:Put*']
          Resource: [!Sub "arn:aws:s3:::${CodePipelineS3Bucket}", !Sub "arn:aws:s3:::${CodePipelineS3Bucket}/*"]
        - Effect: Allow
          Action: ['kms:Encrypt', 'kms:ReEncrypt*', 'kms:Decrypt', 'kms:DescribeKey', 'kms:GenerateDataKey*']
          Resource: [!Ref CodePipelineKMSKeyARN]
1 Answer
Accepted Answer

The "Access Denied (403)" error you encountered while deploying your pipeline code to the Staging Account indicates that there might be an issue with the permissions or the IAM roles involved in the process. Here are some potential challenges and reasons for this error:

  1. The condition 'Bool': {'aws:SecureTransport': false} should be aligned with Effect: Deny, so change it to true - https://repost.aws/knowledge-center/s3-bucket-policy-for-config-rule
  2. Principal in Bucket Policy:
     • Make sure the Principal section in the bucket policy includes the correct IAM roles and accounts that need access. This includes:
     • PipelineServiceRole.Arn
     • CrossAccountDeploymentRole.Arn
     • arn:aws:iam::${StagingAccountID}:role/DeploymentRole
     • Ensure the StagingAccountID and the roles are correctly referenced.
  3. KMS Key Resource Level Policy
     • Go to the KMS key and ensure the key policy includes permissions for the roles from the Tooling, Staging, and Production accounts to use the key.
AWS
answered 3 months ago
EXPERT
reviewed 3 months ago
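The first point of the accepted answer is the one that explains the 403 for this exact policy: with Effect: Allow and a condition of aws:SecureTransport = false, the only requests the statement grants are plaintext HTTP ones, and the AWS SDK and CLI that CodePipeline and CloudFormation use always speak HTTPS, so the cross-account DeploymentRole ends up with no grant at all. The usual pattern is an unconditional Allow for the pipeline principals plus a separate Deny statement with aws:SecureTransport = false. The Python below is an added example, not code from the question, the answer or AWS; it is a deliberately small offline model of bucket-policy evaluation (Bool condition operator only, no NotPrincipal/NotAction, no identity or KMS key policy) that runs the posted statement and the corrected pair of statements against the same HTTPS and HTTP PutObject requests. The account ID, bucket name and role ARN are constructed placeholders standing in for ${StagingAccountID}, ${CodePipelineS3Bucket} and the staging DeploymentRole.

```python
"""Offline model of how S3 evaluates a bucket policy for one request.

Added example, not code from the original question, the accepted answer or
AWS. Account ID, bucket name and role ARN are constructed placeholders.
"""
from fnmatch import fnmatchcase

STAGING = "222222222222"                        # stands in for ${StagingAccountID}
BUCKET = "codepipeline-artifact-bucket"         # stands in for ${CodePipelineS3Bucket}
STAGING_DEPLOY_ROLE = f"arn:aws:iam::{STAGING}:role/DeploymentRole"
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]
PIPELINE_ACTIONS = ["s3:GetBucket*", "s3:Put*", "s3:GetObject*", "s3:List*"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(value, patterns):
    # IAM action/resource matching: '*' is a wildcard, comparison is case-sensitive.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(stmt, principal_arn):
    allowed = stmt.get("Principal", {})
    if allowed == "*":
        return True
    aws = _as_list(allowed.get("AWS", []))
    if "*" in aws or principal_arn in aws:
        return True
    # "arn:aws:iam::ACCOUNT:root" delegates to every principal in that account
    # (the caller's own identity policy must then also allow the action).
    account = principal_arn.split(":")[4]
    return f"arn:aws:iam::{account}:root" in aws


def _condition_matches(stmt, context):
    # Only the Bool operator is modelled; that is all aws:SecureTransport needs.
    for key, expected in stmt.get("Condition", {}).get("Bool", {}).items():
        actual = context.get(key)
        if actual is None or str(actual).lower() != str(expected).lower():
            return False
    return True


def evaluate(policy, principal_arn, action, resource, secure_transport):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.

    An explicit Deny always wins over an Allow, as in IAM. Only the bucket
    policy is modelled: the caller's identity policy and the KMS key policy,
    which must also permit the request, are out of scope here.
    """
    context = {"aws:SecureTransport": "true" if secure_transport else "false"}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt, principal_arn)
                and _matches_any(action, stmt["Action"])
                and _matches_any(resource, stmt["Resource"])
                and _condition_matches(stmt, context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# The statement as posted: Allow, but only when the request is NOT over TLS.
POSTED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "WhitelistedGetListandPut", "Effect": "Allow",
    "Principal": {"AWS": [STAGING_DEPLOY_ROLE]},
    "Action": PIPELINE_ACTIONS, "Resource": BUCKET_ARNS,
    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
}]}

# The fix: grant unconditionally, and deny plaintext HTTP in its own statement.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "WhitelistedGetListandPut", "Effect": "Allow",
     "Principal": {"AWS": [STAGING_DEPLOY_ROLE]},
     "Action": PIPELINE_ACTIONS, "Resource": BUCKET_ARNS},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": BUCKET_ARNS,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}


def put_artifact_decision(policy, secure_transport=True):
    """Decision for the staging DeploymentRole writing a pipeline artifact."""
    return evaluate(policy, STAGING_DEPLOY_ROLE, "s3:PutObject",
                    f"arn:aws:s3:::{BUCKET}/pipeline/artifact.zip",
                    secure_transport)


if __name__ == "__main__":
    for name, policy in (("posted", POSTED_POLICY), ("fixed", FIXED_POLICY)):
        for tls in (True, False):
            print(f"{name:6s} https={tls!s:5s} -> {put_artifact_decision(policy, tls)}")
```

Running it shows the posted statement yielding ImplicitDeny for the HTTPS upload (the AccessDenied in the question) and Allow only for an HTTP request that no SDK will ever make, while the corrected pair yields Allow over HTTPS and an explicit Deny over HTTP. In the CloudFormation template this is the same PolicyDocument with the Condition removed from the Allow statement and a second Deny statement carrying it; the bucket policy alone is still not sufficient, because the KMS key policy named in the answer's third point must list the same cross-account principals.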
