2

I'm having issues with AWS CodeDeploy; it seems to have issues accessing S3. Below are the error messages:

2018-04-20 16:52:35 INFO  [codedeploy-agent(2983)]: [Aws::CodeDeployCommand::Client 200 0.023779 0 retries] put_host_command_complete(command_status:"Failed",diagnostics:{format:"JSON",payload:"{\"error_code\":5,\"script_name\":\"\",\"message\":\"Access Denied\",\"log\":\"\"}"},host_command_identifier:"WyJjb20uYW1hem9uLmFwb2xsby5kZXBsb3ljb250cm9sLmRvbWFpbi5Ib3N0Q29tbWFuZElkZW50aWZpZXIiLHsiZGVwbG95bWVudElkIjoiQ29kZURlcGxveS9ldS13ZXN0LTEvUHJvZC9hcm46YXdzOnNkczpldS13ZXN0LTE6OTExODQyOTUzODAzOmRlcGxveW1lbnQvZC1JRUFFQ09NRlMiLCJob3N0SWQiOiJhcm46YXdzOmVjMjpldS13ZXN0LTE6OTExODQyOTUzODAzOmluc3RhbmNlL2ktMDkxMGQzZjI4YWI0OTA2OGQiLCJjb21tYW5kTmFtZSI6IkRvd25sb2FkQnVuZGxlIiwiY29tbWFuZFBvc2l0aW9uIjoyLCJjb21tYW5kQXR0ZW1wdCI6MX1d")  

2018-04-20 16:52:35 ERROR [codedeploy-agent(2983)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Error during perform: Aws::S3::Errors::AccessDenied - Access Denied - /opt/codedeploy-agent/vendor/gems/aws-sdk-core-2.10.104/lib/seahorse/client/plugins/raise_response_errors.rb:15:in `call'

My EC2 instance has been launched with IAM role: CodeDeploy-EC2-Instance-Profile which contains the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::codepipeline-eu-west-1-373398414592"
            ]
        }
    ]
}

From what I have read, this is correct.

I've tried the following:

Removing the AWS credentials file (~/.aws/credentials), just in case there was any conflict between the IAM role and this file. But it made no difference, I still got the above errors.

I also noted that it's the 'put_host_command_complete' that's failing, so I updated the Actions section of the above policy to have the PUT permissions, i.e.

"Action": [
    "s3:Get*",
    "s3:List*",
    "s3:Put*"
]

but this didn't make any difference either.

Any help appreciated.

Regards, Steve

3 Answers

1

I think your resource ARN should look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<your-s3-bucket-name>/*"
            ]
        }
    ]
}

1 Comment

The Get* is what most people are probably missing. The GetObjectVersion is what a pipeline'd object will need.
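An added example, not part of the answer above or of any AWS tool: a simplified identity-policy evaluator showing which S3 actions each `Resource` form allows. The bucket name and object key are constructed, and Deny statements, conditions, bucket policies and KMS key policies are ignored.

```python
import re

def _glob(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource):
    """True if an Allow statement matches both the action and the resource ARN.

    Simplified on purpose: ignores Deny, Condition, NotAction/NotResource,
    bucket policies and KMS key policies, any of which can still deny access.
    """
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        act_ok = any(_glob(a, action, True) for a in _as_list(st.get("Action", [])))
        res_ok = any(_glob(r, resource) for r in _as_list(st.get("Resource", [])))
        if act_ok and res_ok:
            return True
    return False

# Constructed sample values, not taken from the page.
BUCKET_ARN = "arn:aws:s3:::example-pipeline-bucket"
OBJECT_ARN = BUCKET_ARN + "/MyApp/BuildArtif/bundle.zip"

def make_policy(resources):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
        "Resource": resources}]}

def check(policy):
    # Object actions are authorized against the object ARN,
    # s3:ListBucket against the bucket ARN.
    return {
        "s3:GetObject": allows(policy, "s3:GetObject", OBJECT_ARN),
        "s3:GetObjectVersion": allows(policy, "s3:GetObjectVersion", OBJECT_ARN),
        "s3:ListBucket": allows(policy, "s3:ListBucket", BUCKET_ARN),
    }

QUESTION_STYLE = make_policy([BUCKET_ARN])            # bucket ARN only
ANSWER_STYLE = make_policy([BUCKET_ARN + "/*"])       # objects only
BOTH = make_policy([BUCKET_ARN, BUCKET_ARN + "/*"])   # bucket and objects

if __name__ == "__main__":
    for name, p in [("question", QUESTION_STYLE), ("answer", ANSWER_STYLE), ("both", BOTH)]:
        print(name, check(p))
```

Listing both ARNs keeps the role scoped to one bucket while covering bucket-level and object-level actions.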
0

You need to specify the Amazon S3 bucket as the resource in the instance profile role. For more details please check https://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-create-iam-instance-profile.html


0

I am seeing the same problem. I have a correct instance role selected with permissions to the S3 bucket.

2018-07-22 21:50:23 ERROR [codedeploy-agent(1555)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Error during perform: Aws::S3::Errors::AccessDenied - Access Denied - /opt/codedeploy-agent/vendor/gems/aws-sdk-core-2.10.104/lib/seahorse/client/plugins/raise_response_errors.rb:15:in `call'
/opt/codedeploy-agent/vendor/gems/aws-sdk-core-2.10.104/lib/aws-sdk-core/plugins/s3_sse_cpk.rb:19:in `call'
/opt/codedeploy-agent/vendor/gems/aws-sdk-core-2.10.104/lib/aws-sdk-core/plugins/s3_dualstack.rb:24:in `call'
/opt/codedeploy-agent/vendor/gems/aws-sdk-core-2.10.104/lib/aws-sdk-core/plugins/s3_accelerate.rb:34:in `call'
/opt/codedeploy-agent/vendor/gems/aws-sdk-core-2.10.104/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:20:in `call'
/opt/codedeploy-agent/vendor/gems/aws-sdk-core-2.10.104/lib/aws-sdk-core/plugins/idempotency_token.rb:18:in `call'
/opt/codedeploy-agent/vendor/gems/aws-sdk-core-2.10.104/lib/aws-sdk-core/plugins/param_converter.rb:20:in `call'
/opt/codedeploy-agent/vendor/gems/aws-sdk-core-2.10.104/lib/seahorse/client/plugins/response_target.rb:21:in `call'
/opt/codedeploy-agent/vendor/gems/aws-sdk-core-2.10.104/lib/seahorse/client/request.rb:70:in `send_request'
/opt/codedeploy-agent/vendor/gems/aws-sdk-core-2.10.104/lib/seahorse/client/base.rb:207:in `block (2 levels) in define_operation_methods'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_executor.rb:274:in `block in download_from_s3'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_executor.rb:269:in `open'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_executor.rb:269:in `download_from_s3'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_executor.rb:82:in `block in <class:CommandExecutor>'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_executor.rb:68:in `execute_command'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_poller.rb:114:in `process_command'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_poller.rb:96:in `acknowledge_and_process_command'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_poller.rb:75:in `block in perform'
/opt/codedeploy-agent/vendor/gems/concurrent-ruby-1.0.5/lib/concurrent/executor/ruby_thread_pool_executor.rb:348:in `run_task'
/opt/codedeploy-agent/vendor/gems/concurrent-ruby-1.0.5/lib/concurrent/executor/ruby_thread_pool_executor.rb:337:in `block (3 levels) in create_worker'
/opt/codedeploy-agent/vendor/gems/concurrent-ruby-1.0.5/lib/concurrent/executor/ruby_thread_pool_executor.rb:320:in `loop'
/opt/codedeploy-agent/vendor/gems/concurrent-ruby-1.0.5/lib/concurrent/executor/ruby_thread_pool_executor.rb:320:in `block (2 levels) in create_worker'
/opt/codedeploy-agent/vendor/gems/concurrent-ruby-1.0.5/lib/concurrent/executor/ruby_thread_pool_executor.rb:319:in `catch'
/opt/codedeploy-agent/vendor/gems/concurrent-ruby-1.0.5/lib/concurrent/executor/ruby_thread_pool_executor.rb:319:in `block in create_worker'
/opt/codedeploy-agent/vendor/gems/logging-1.8.2/lib/logging/diagnostic_context.rb:323:in `block in create_with_logging_context'
2018-07-22 21:50:23 WARN  [codedeploy-agent(1555)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Calling PutHostCommandComplete: "Code Error"
2018-07-22 21:50:23 INFO  [codedeploy-agent(1555)]: Version file found in /opt/codedeploy-agent/.version with agent version OFFICIAL_1.0-1.1518_deb.
2018-07-22 21:50:23 INFO  [codedeploy-agent(1555)]: [Aws::CodeDeployCommand::Client 200 0.034907 0 retries] put_host_command_complete(command_status:"Failed",diagnostics:{format:"JSON",payload:"{\"error_code\":5,\"script_name\":\"\",\"message\":\"Access Denied\",\"log\":\"\"}"},host_command_identifier:"WyJjb20uYW1hem9uLmFwb2xsby5kZXBsb3ljb250cm9sLmRvbWFpbi5Ib3N0Q29tbWFuZElkZW50aWZpZXIiLHsiZGVwbG95bWVudElkIjoiQ29kZURlcGxveS91cy13ZXN0LTIvUHJvZC9hcm46YXdzOnNkczp1cy13ZXN0LTI6NTA4MTc5ODMzNTI0OmRlcGxveW1lbnQvZC1RUVpMU0NIQVUiLCJob3N0SWQiOiJhcm46YXdzOmVjMjp1cy13ZXN0LTI6NTA4MTc5ODMzNTI0Omluc3RhbmNlL2ktMDI0ZjEzMzE5NmE2ZjgxYzMiLCJjb21tYW5kTmFtZSI6IkRvd25sb2FkQnVuZGxlIiwiY29tbWFuZFBvc2l0aW9uIjoyLCJjb21tYW5kQXR0ZW1wdCI6MX1d")

2018-07-22 21:50:24 INFO  [codedeploy-agent(1555)]: Version file found in /opt/codedeploy-agent/.version with agent version OFFICIAL_1.0-1.1518_deb.
2018-07-22 21:51:24 INFO  [codedeploy-agent(1555)]: [Aws::CodeDeployCommand::Client 200 60.17959 0 retries] poll_host_command(host_identifier:"arn:aws:ec2:us-west-2:508179833524:instance/i-024f133196a6f81c3")
