AWS Codebuild fails while downloading source. Message: Access Denied

Question

I created a CodeBuild Project that uses a docker image for node8. The purpose of this CodeBuild project is to do unit testing. It takes an input artifact from CodeCommit. And in the buildspec.yml it runs a test command.

This is my (simple) buildspec file:

version: 0.2

phases:
  install:
    commands:
     - echo "install phase started"
     - npm install
     - echo "install phase ended"
  pre_build: 
    commands:
     - echo "pre_build aka test phase started"
     - echo "mocha unit test"
     - npm test
     - echo "mocha unit test ended"
  build:
    commands:
     - echo "build phase started"
     - echo "build complete"

The build is failing at the DOWNLOAD_SOURCE phase with the following:

PHASE - DOWNLOAD_SOURCE

Start time 2 minutes ago

End time 2 minutes ago

Message Access Denied

The only logs in the build logs are the following

[Container] 2018/01/12 11:30:22 Waiting for agent ping

[Container] 2018/01/12 11:30:22 Waiting for DOWNLOAD_SOURCE

Thanks in advance.

Screenshot of the CodeBuild policies.

Can you post the policy for the IAM role you're using for the CodeBuild project? — Clare Liguori, Jan 12 '18 at 22:43
Are all of these policies attached to the role used in your CodeBuild project? "Access Denied" during Download Source makes me think the policy doesn't have a permission like codecommit:GitPull or s3:GetObject. — Clare Liguori, Jan 15 '18 at 18:25

score 12 · Accepted Answer · edited Sep 25 '19 at 00:36

I found a fix. It was a problem with my permissions. I added this to make it work.

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Resource": [
            "arn:aws:logs:eu-west-1:723698621383:log-group:/aws/codebuild/project",
            "arn:aws:logs:eu-west-1:723698621383:log-group:/aws/codebuild/project:*"
        ],
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ]
    },
    {
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::codepipeline-eu-west-1-*"
        ],
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectVersion"
        ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "ssm:GetParameters"
        ],
        "Resource": "arn:aws:ssm:eu-west-1:723698621383:parameter/CodeBuild/*"
    }
  ]
}

score 3 · Answer 2 · answered Jul 28 '18 at 00:12

I had similar error and will post my fix in case it helps anyone else. I was using CodePipeline and had two separate builds happening. Build #1 would complete its build and the output artifact for that was to be the input artifact for Build #2. Build #2 was failing on the the DOWNLOAD_SOURCE phase with the following error:

AccessDenied: Access Denied status code: 403

The problem was that in my build spec for Build #1, I didn't have the artifacts defined. After calling out the artifact files/folders in Build #1, then Build #2 was able to download the source without issue.

Kim T · Answer 3 · 2020-06-11T01:50:56.570

I had the same error, a permissions issue accessing S3 bucket url. Originally I used an auto-generated codepipeline-us-west-2-* bucket name with the policy:

{
  "Effect": "Allow",
  "Resource": [
      "arn:aws:s3:::codepipeline-us-west-2-*"
  ],
  "Action": [
      "s3:PutObject",
      "s3:GetObject",
      "s3:GetObjectVersion",
      "s3:GetBucketAcl",
      "s3:GetBucketLocation"
  ]
}

After changing to my own bucket name, the policy had to be updated to:

{
  "Effect": "Allow",
  "Resource": [
      "arn:aws:s3:::project-name-files/*"
  ],
  "Action": [
      "s3:PutObject",
      "s3:GetObject",
      "s3:GetObjectVersion",
      "s3:GetBucketAcl",
      "s3:GetBucketLocation"
  ]
}

Suresh · Answer 4 · 2020-11-24T05:48:06.070

0

I faced the same issue.

My source was from an S3 folder. The fix involved putting a / at the end of the source path. It seems that without the / CodeBuild thinks it is a key.

Hope this helps someone save time.

edited Nov 24 '20 at 05:48

answered Jul 19 '20 at 06:31

Suresh

186
1
9

1

Where was the / missing from? – JasonlPrice Nov 21 '20 at 13:22
/ at the end of the source path. (Corrected) – Suresh Nov 24 '20 at 05:47

score 0 · Answer 5 · answered Oct 14 '20 at 05:07

I was experiencing the same symptoms but my issue was due to the default encryption on the S3 bucket as described in this post.

So everything in S3 is encrypted at rest. When you don't specify how you want to encrypt them, objects in S3 will be encrypted by the default KMS key. And other accounts won't be able to get access to objects in the bucket because they don't have that KMS key for decryption. So to get around this issue, you need to create your own KMS key and use it to encrypt (let the CodeBuild to use this KMS Key you have created in this case). Then allow roles in other accounts to use this key by configure AssumeRole permissions. From what I see, most S3 access denial happens at not being able to decrypt objects. And this is specified here Troubleshoot S3 403 Access Denied - encrypted objects will also cause 403 Access Denied.

In my case, the keys that were being used were mismatched which was causing the decryption failure.

AWS Codebuild fails while downloading source. Message: Access Denied

5 Answers5

Linked