Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

(codepipeline): AccessDeniedException when calling the PutJobSuccessResult

See original GitHub issue

This is likely to be a guidance question, but I’m not sure I’m not hitting some CodePipeline limitation. I have a scenario like this:

  1. I have a devops central IAM account that I have the pipelines
  2. in that pipeline I am invoking a lambda, that uses a PipelineRole on a cross-IAM another target IAM account
  3. that Lambda executes some operations (e.g. CloudFront)

Those three things work fine, but… the Lambda must return a result to the initial IAM account to the CodePipeline and that is what doesn’t work for me. I tried assigning even full permissions for codepipeline:* for * resources on both sides, but I am still getting the error:

[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the PutJobSuccessResult operation: User: arn:aws:sts::1234:assumed-role/PipelineRole/1624294113598 is not authorized to perform: codepipeline:PutJobSuccessResult

In the Python Lambda, I am executing the CloudFront operations with the assumed role passed from the CodePipeline role: parameter in a standard way:

cloudfront_client = boto3.client('cloudfront')

Then, for returning the result, I use Session token like this:

    key_id = job_data['artifactCredentials']['accessKeyId']
    key_secret = job_data['artifactCredentials']['secretAccessKey']
    session_token = job_data['artifactCredentials']['sessionToken']

    session = Session(aws_access_key_id=key_id,
    return session.client('codepipeline', config=botocore.client.Config(signature_version='s3v4'))

Am I missing something or maybe the artifactCredentials do not allow it? If that’s the case, how can I pass the result of Lambda from the target account to the original account? Thanks a lot in advance for support, I already spent 2 days trying to figure this out and I’m banging the wall it seems…

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:12 (5 by maintainers)

github_iconTop GitHub Comments

rantoniukcommented, Jun 24, 2021

Case reported: 8502989041.

skinny85commented, Jun 22, 2021

Quick question yet though: For the CloudFront origin, I need to have the bucket domain name as returned by CloudFront[‘DomainName’], so in format: <bucketname> However, the methods from Bucket all seem to return some incompatible naming, like: <bucketname>

I obviously am constructing the string manually right now:

bucketName + '.s3.' + codepipeline_client.meta.region_name + ''

but it seems to me there should be a method that returns CloudFront compatible naming?

I believe your are looking for the bucketRegionalDomainName property.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Permission denied when calling AWS Lambda function from ...
Found the answer. The problem did not come from permission, but rather from the absence of call to PutJobSuccessResult : The pipeline did ......
Read more >
CodePipeline permissions reference - AWS Documentation
Describes the CodePipeline API operations and the corresponding actions you grant permissions to perform.
Read more >
codepipeline.putJobSuccessResult() Hanging when Invoking ...
putJobSuccessResult () hangs and the Lambda times out. Any code that comes before the call runs fine, but it just won't run codepipeline....
Read more >
AWS Lambda `AccessDeniedException` when calling ... - Reddit
Hi all. I'm trying to trigger CodeBuild project from Lambda. I've attached AWSCodeBuildDeveloperAccess and CloudWatchFullAccess policies to ...
Read more >
【AWS】CodePipelineから呼び出したLambdaがずっと ... - Qiita
S3へのデプロイ完了後にCloudFrontのキャッシュを消すLambdaを呼びたいなーと思ったときに躓いたのでまとめ。 原因. codepipeline:PutJobSuccessResult(※) ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found