Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

(codepipeline-actions): BitBucketSourceAction requires s3:PutObjectAcl permissions

See original GitHub issue

Some time between aws-cdk 1.90.0 and 1.91.0, a bunch of s3:PutObject* permissions were changed to s3:PutObject, but that seems to have caused an issue with the codepipeline-actions.BitBucketSourceAction, leading to the error [GitHub] Upload to S3 failed with the following error: Access Denied in the Source action of a pipeline.

We’re using this with GitHub as advised in https://github.com/aws/aws-cdk/issues/10632.

Reproduction Steps

Create a CodePipeline with the BitBucketSourceAction and a codestar-connection to a GitHub repository.

What did you expect to happen?

The source action has the necessary permissions to write to the pipeline artifact bucket.

What actually happened?

The source action failed with the error [GitHub] Upload to S3 failed with the following error: Access Denied

Environment

  • CDK CLI Version : 1.92.0
  • Framework Version: 1.92.0
  • Node.js Version: 14.11.0
  • OS : Mac OS Catalina
  • Language (Version): Python (3.8.5)

Other

We just need to add s3:PutObjectAcl as part of the default role that is generated for a BitBucketSourceAction.

This is 🐛 Bug Report

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:11 (6 by maintainers)

github_iconTop GitHub Comments

1reaction
panamclippercommented, Apr 1, 2021

@skinny85 Sorry for the late response. That solution worked perfectly! Thank you!

1reaction
skinny85commented, Mar 15, 2021

Yes @panamclipper, something like this:

sourceRole = new iam.Role(this, 'SourceRole', {
  assumedBy: new iam.AccountRootPrincipal(),
});

new codepipeline_actions.BitBucketSourceAction({
  // ...
  role: sourceRole,
});

// add the extra permissions
artifactBucket.grantPutObjectAcl(sourceRole);
Read more comments on GitHub >

github_iconTop Results From Across the Web

Upload to S3 failed with the following error: Access Denied
On a previous pipeline I released with the BitBucketSourceAction the ... the "s3:PutObjectAcl" action which seems to be required to upload ...
Read more >
Amazon S3 source action - AWS CodePipeline
This reference topic describes the Amazon S3 source action for CodePipeline where the source location is an Amazon S3 bucket configured for versioning....
Read more >
Customer managed policy examples - Amazon CodePipeline
In this section, you can find example user policies that grant permissions for various CodePipeline actions. These policies work when you are using...
Read more >
Deploy to Amazon S3 | Docs | Buddy: The DevOps Automation ...
Configure AWS permissionsConfigure Amazon S3 actionWhat you need ... If you use build actions, select Pipeline Filesystem as the Source to ...
Read more >
aws_codepipeline | Resources | hashicorp/aws
name - (Required) The name of the pipeline. role_arn - (Required) A service role Amazon Resource Name (ARN) that grants AWS CodePipeline permission...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

(synthetics): getbucketlocation policy is incorrect

Next page

(aws-stepfunctions-tasks): StepFunctionsStartExecution accepts invalid input type