
AWS Error: "Access Denied" in CodeDeploy after Jenkins build


There are typically two scenarios in the CodeDeploy setup... the part that 'creates' the deployment (typically your CI server/build agent) and the CodeDeploy agent that runs on the target instance(s) and does the actual deployment. The first half is essentially pushing into CodeDeploy and the second half is pulling from it... that's how I like to visualize it.

For the CI server/build agents, they should have an IAM role with permissions as follows... This allows the build agent to (1) access the S3 bucket you've designated for deployment and (2) access the CodeDeploy service to create revisions, etc.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::YourDeploymentBucket/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "codedeploy:*"
            ],
            "Resource": "*"
        }
    ]
}
```

On the target EC2 instances, they need to have something like this... This gives the CodeDeploy agent service (1) access to the S3 bucket to pull the revision and (2) access to all the generic CodeDeploy buckets so the agent can update itself. Of course, those instances need to meet all other criteria... generally, they need an IAM role and need to have the CodeDeploy agent installed.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::YourDeploymentBucket/*",
                "arn:aws:s3:::aws-codedeploy-us-east-1/*",
                "arn:aws:s3:::aws-codedeploy-us-west-1/*",
                "arn:aws:s3:::aws-codedeploy-us-west-2/*",
                "arn:aws:s3:::aws-codedeploy-ap-northeast-1/*",
                "arn:aws:s3:::aws-codedeploy-ap-northeast-2/*",
                "arn:aws:s3:::aws-codedeploy-ap-south-1/*",
                "arn:aws:s3:::aws-codedeploy-ap-southeast-1/*",
                "arn:aws:s3:::aws-codedeploy-ap-southeast-2/*",
                "arn:aws:s3:::aws-codedeploy-eu-central-1/*",
                "arn:aws:s3:::aws-codedeploy-eu-west-1/*",
                "arn:aws:s3:::aws-codedeploy-sa-east-1/*"
            ]
        }
    ]
}
```

How you assign these permissions is up to you... if your build agents are EC2 instances, it would be best to assign these as a Policy attached to the IAM role associated with the instance(s). For the target deployment machines, you would do the same... create a policy and assign that to the IAM roles associated with the instances that you want to target.
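Added example, not part of the answer above: a small offline linter that checks a policy document for the actions each half of the pipeline needs and flags an object-level S3 action granted on a bare bucket ARN (missing the `/*` suffix), a common cause of this "Access Denied". The required-action lists and the sample policy are constructed for the example.

```python
import fnmatch
import json

# Object-level S3 actions: their Resource must be an object ARN ("arn:aws:s3:::bucket/*");
# a bucket ARN without the "/*" suffix does not authorise them and yields "Access Denied".
OBJECT_LEVEL = ("s3:PutObject", "s3:GetObject")

# Constructed minimal action sets for the CI half (push) and the agent half (pull).
BUILD_AGENT_ACTIONS = ["s3:PutObject", "codedeploy:CreateDeployment",
                       "codedeploy:RegisterApplicationRevision"]
INSTANCE_ACTIONS = ["s3:GetObject"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names are case-insensitive and may contain "*" wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _is_bucket_arn(resource):
    # "arn:aws:s3:::name": no "/" after the prefix and no wildcard means a bucket, not objects.
    rest = resource[len("arn:aws:s3:::"):]
    return resource.startswith("arn:aws:s3:::") and "/" not in rest and "*" not in rest

def lint_policy(policy, required_actions):
    """Return sorted findings; an empty list means the Allow statements cover every
    required action with a correctly shaped Resource. Explicit Deny statements,
    permissions boundaries and SCPs are not evaluated here (IAM's simulator does that)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings, covered = [], set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt.get("Resource", []))
        covered |= {a for a in required_actions if any(_matches(p, a) for p in actions)}
        for obj_action in OBJECT_LEVEL:
            if any(_matches(p, obj_action) for p in actions):
                for res in resources:
                    if _is_bucket_arn(res):
                        findings.append(f"{obj_action} on bucket ARN {res}: use {res}/*")
    findings += [f"missing Allow for {a}" for a in required_actions if a not in covered]
    return sorted(findings)

# Constructed sample: a build-agent policy with PutObject scoped to the bucket ARN.
BROKEN_BUILD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::YourDeploymentBucket"},
    {"Effect": "Allow", "Action": ["codedeploy:*"], "Resource": "*"}]}
```

For the authoritative answer on a live role, run the same action/resource pairs through `aws iam simulate-principal-policy`, which also evaluates Deny statements and boundaries.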