
So, I'm pretty new to AWS, and have a simple pipeline built with AWS CodeStar. Source -> Application -> Beta. I'm trying to deploy to a beta site, and I get this failure.

I tried following the instructions on http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html, but ran into the issue where Step 3 says “Choose the AWS Service role type, and then choose the service that you want to allow to assume this role.” But this isn’t what I see. I don’t see the ability to choose CodePipeline, which I'm assuming is the service that needs access to the Elastic Beanstalk.

I thought I might have misunderstood the service they were talking about and tried the other way, of selecting Elastic Beanstalk, but that diverged from the instructions as well.

I tried this page: http://docs.aws.amazon.com/codepipeline/latest/userguide/how-to-custom-role.html#view-default-service-role-policy, but cannot figure out how they created the default AWS CodePipeline Service Role Policy.

*************** Update ********************

Here is a screenshot of the whole pipeline

Here is the AWSCodeStarServiceRole policy

{
    "Version": "2012-10-17",
    "Statement": [
    {
        "Sid": "ProjectEventRules",
        "Effect": "Allow",
        "Action": [
            "events:PutTargets",
            "events:RemoveTargets",
            "events:PutRule",
            "events:DeleteRule",
            "events:DescribeRule"
        ],
        "Resource": [
            "arn:aws:events:*:*:rule/awscodestar-*"
        ]
    },
    {
        "Sid": "ProjectStack",
        "Effect": "Allow",
        "Action": [
            "cloudformation:*Stack*",
            "cloudformation:CreateChangeSet",
            "cloudformation:ExecuteChangeSet",
            "cloudformation:DeleteChangeSet",
            "cloudformation:GetTemplate"
        ],
        "Resource": [
            "arn:aws:cloudformation:*:*:stack/awscodestar-*",
            "arn:aws:cloudformation:*:*:stack/awseb-*",
            "arn:aws:cloudformation:*:*:stack/aws-cloud9-*",
            "arn:aws:cloudformation:*:aws:transform/CodeStar*"
        ]
    },
    {
        "Sid": "ProjectStackTemplate",
        "Effect": "Allow",
        "Action": [
            "cloudformation:GetTemplateSummary",
            "cloudformation:DescribeChangeSet"
        ],
        "Resource": "*"
    },
    {
        "Sid": "ProjectQuickstarts",
        "Effect": "Allow",
        "Action": [
            "s3:GetObject"
        ],
        "Resource": [
            "arn:aws:s3:::awscodestar-*/*"
        ]
    },
    {
        "Sid": "ProjectS3Buckets",
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::aws-codestar-*",
            "arn:aws:s3:::aws-codestar-*/*",
            "arn:aws:s3:::elasticbeanstalk-*",
            "arn:aws:s3:::elasticbeanstalk-*/*"
        ]
    },
    {
        "Sid": "ProjectServices",
        "Effect": "Allow",
        "Action": [
            "codestar:*Project",
            "codestar:*Resource*",
            "codestar:List*",
            "codestar:Describe*",
            "codestar:Get*",
            "codestar:AssociateTeamMember",
            "codecommit:*",
            "codepipeline:*",
            "codedeploy:*",
            "codebuild:*",
            "ec2:RunInstances",
            "autoscaling:*",
            "cloudwatch:Put*",
            "ec2:*",
            "elasticbeanstalk:*",
            "elasticloadbalancing:*",
            "iam:ListRoles",
            "logs:*",
            "sns:*",
            "cloud9:CreateEnvironmentEC2",
            "cloud9:DeleteEnvironment",
            "cloud9:DescribeEnvironment*",
            "cloud9:ListEnvironments"
        ],
        "Resource": "*"
    },
    {
        "Sid": "ProjectWorkerRoles",
        "Effect": "Allow",
        "Action": [
            "iam:AttachRolePolicy",
            "iam:CreateRole",
            "iam:DeleteRole",
            "iam:DeleteRolePolicy",
            "iam:DetachRolePolicy",
            "iam:GetRole",
            "iam:PassRole",
            "iam:PutRolePolicy",
            "iam:SetDefaultPolicyVersion",
            "iam:CreatePolicy",
            "iam:DeletePolicy",
            "iam:AddRoleToInstanceProfile",
            "iam:CreateInstanceProfile",
            "iam:DeleteInstanceProfile",
            "iam:RemoveRoleFromInstanceProfile"
        ],
        "Resource": [
            "arn:aws:iam::*:role/CodeStarWorker*",
            "arn:aws:iam::*:policy/CodeStarWorker*",
            "arn:aws:iam::*:instance-profile/awscodestar-*"
        ]
    },
    {
        "Sid": "ProjectTeamMembers",
        "Effect": "Allow",
        "Action": [
            "iam:AttachUserPolicy",
            "iam:DetachUserPolicy"
        ],
        "Resource": "*",
        "Condition": {
            "ArnEquals": {
                "iam:PolicyArn": [
                    "arn:aws:iam::*:policy/CodeStar_*"
                ]
            }
        }
    },
    {
        "Sid": "ProjectRoles",
        "Effect": "Allow",
        "Action": [
            "iam:CreatePolicy",
            "iam:DeletePolicy",
            "iam:CreatePolicyVersion",
            "iam:DeletePolicyVersion",
            "iam:ListEntitiesForPolicy",
            "iam:ListPolicyVersions"
        ],
        "Resource": [
            "arn:aws:iam::*:policy/CodeStar_*"
        ]
    },
    {
        "Sid": "InspectServiceRole",
        "Effect": "Allow",
        "Action": [
            "iam:ListAttachedRolePolicies"
        ],
        "Resource": [
            "arn:aws:iam::*:role/aws-codestar-service-role",
            "arn:aws:iam::*:role/service-role/aws-codestar-service-role"
        ]
    },
    {
        "Sid": "IAMLinkRole",
        "Effect": "Allow",
        "Action": [
            "iam:CreateServiceLinkedRole"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "iam:AWSServiceName": "cloud9.amazonaws.com"
            }
        }
    }
    ]
}

Also, I cannot update the permissions on the role, because it says it is an Amazon created role and is read-only.

I'm guessing it is something simple that I'm missing, and well, I'm missing it!

Thanks in advance!

Phaedrus

2 Answers

1

After trying many ways to adjust settings and permissions, I tried creating a duplicate pipeline, and everything worked on the new pipeline but not the old one.

So, to solve the problem, I deleted the pipeline that was saved in CodeStar and created a new pipeline that was the same. I then removed the Continuous Deployment tile in CodeStar and then added a new Continuous deployment tile, selecting the new pipeline I created.

This solved the problem and the pipeline works.

Phaedrus
0

When you first go to the AWS CodeStar console, you are prompted to create a service role. You should have selected yes. This creates a role named "AWSCodeStarServiceRole".

This role has the permissions that you need.

This link will walk you through setting up AWS CodeStar:

Setting Up AWS CodeStar

John Hanley
  • Thanks John, that is helpful. I do have that role setup, but am still receiving the error. I updated the question to show the pipeline. In short, I have 3 EB environments I'm trying to deploy the code to, they are all clones of the first one, with different subdomains. The first one works (no sub domains). The second one fails with the above error. – Phaedrus Dec 14 '17 at 15:58
  • Update your question by adding your new information with a header such as ****** UPDATE ***** at the bottom so that we know what you changed. – John Hanley Dec 14 '17 at 16:00
  • Please add your policy that you are using. Next show in your configuration where you are using that policy. Otherwise I just have to guess. – John Hanley Dec 14 '17 at 16:01
  • I tried removing the stage in the pipeline, but the next stage failed with the same error: provided role does not have the elasticbeanstalk:UpdateEnvironment permission – Phaedrus Dec 14 '17 at 16:04
  • Modify the role and add the permission. http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html – John Hanley Dec 14 '17 at 16:06
  • I apologize, I'm not sure what to show you with regards to "your configuration where you are using that policy" Do you mean something within CodeStar/CodePipeline or ElasticBeanstalk? Sorry, I'm just getting started here and stumbling a bit! – Phaedrus Dec 14 '17 at 16:15
  • I tried modifying role, but it says it is an Amazon created role, and read only. – Phaedrus Dec 14 '17 at 16:23
  • There are so many good videos on YouTube on AWS services. I recommend watching one or two. You need to have a basic understanding of how to configure everything and be able to adjust your settings when you have a problem. I realize that you are just getting started but there is no substitute for this. – John Hanley Dec 14 '17 at 16:24
  • Yeah, you are right. Thanks. I've been doing that, and gotten to where I am. This process is working in a different pipeline, just not this one, that's why I'm perplexed. Thanks for your time. – Phaedrus Dec 14 '17 at 16:35
  • For your IAM user, which CodeStar policy did you assign? For example you can assign AWSCodeStarFullAccess to your user. Review this link for more details: http://docs.aws.amazon.com/codestar/latest/userguide/access-permissions.html – John Hanley Dec 14 '17 at 17:29
  • Hi John, yes, I'm using AWS CodePipelineFullAccess for my IAM user – Phaedrus Dec 15 '17 at 19:20
  • So, I deleted the pipeline, and created a new one with exactly the same features and it worked. Hooked the new pipeline into AWS CodeStar and it worked. Annoying that there wasn't an easy setting. Maybe there was something subtle in configuration that caused the problem. – Phaedrus Dec 15 '17 at 20:14
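An added example, not code from the question or the answers, for the two points the thread keeps circling: the policy document pasted in the question, and the comment that reports "provided role does not have the elasticbeanstalk:UpdateEnvironment permission". It is a small offline evaluator that, given an IAM policy, an action and a resource ARN, reports whether the policy allows the request and which statement (by Sid) grants it, so you can see at a glance whether an action named in an error is covered by wildcards such as `elasticbeanstalk:*` or `cloudformation:*Stack*`, or whether it is missing or blocked by a Resource/Condition mismatch. The `POLICY` dict is a trimmed copy of the AWSCodeStarServiceRole policy shown above; the account id 123456789012 and all ARNs in the usage section are constructed; the evaluation logic is a simplified model of IAM (Action wildcards, Resource wildcards, explicit Deny over Allow, implicit deny, `ArnEquals`/`StringEquals` conditions) and not IAM's own algorithm.

```python
"""Offline check of which statements in an IAM policy grant a given action.

Added example, not code from the question or answers. POLICY is a trimmed,
constructed copy of the AWSCodeStarServiceRole document shown in the question;
evaluate() is a simplified model of IAM identity-policy logic (Action/Resource
wildcards, explicit Deny beats Allow, implicit deny when nothing matches,
ArnEquals/StringEquals conditions). Use IAM's policy simulator for the real
answer; this only shows where to look when an action is reported missing.
"""
import fnmatch

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ProjectStack", "Effect": "Allow",
         "Action": ["cloudformation:*Stack*", "cloudformation:CreateChangeSet"],
         "Resource": ["arn:aws:cloudformation:*:*:stack/awscodestar-*",
                      "arn:aws:cloudformation:*:*:stack/awseb-*"]},
        {"Sid": "ProjectServices", "Effect": "Allow",
         "Action": ["codepipeline:*", "elasticbeanstalk:*", "iam:ListRoles"],
         "Resource": "*"},
        {"Sid": "ProjectWorkerRoles", "Effect": "Allow",
         "Action": ["iam:PutRolePolicy", "iam:PassRole", "iam:CreateRole"],
         "Resource": ["arn:aws:iam::*:role/CodeStarWorker*",
                      "arn:aws:iam::*:policy/CodeStarWorker*"]},
        {"Sid": "ProjectTeamMembers", "Effect": "Allow",
         "Action": ["iam:AttachUserPolicy", "iam:DetachUserPolicy"],
         "Resource": "*",
         "Condition": {"ArnEquals": {"iam:PolicyArn": ["arn:aws:iam::*:policy/CodeStar_*"]}}},
        {"Sid": "IAMLinkRole", "Effect": "Allow",
         "Action": ["iam:CreateServiceLinkedRole"], "Resource": "*",
         "Condition": {"StringEquals": {"iam:AWSServiceName": "cloud9.amazonaws.com"}}},
    ],
}


def _as_list(value):
    """IAM lets Action, Resource and condition values be a string or a list."""
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, fold_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character.
    Action names match case-insensitively; ARNs are matched as written."""
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Evaluate the condition operators that appear in the page's policy."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:            # key absent from the request: condition fails
                return False
            patterns = _as_list(expected)
            if operator in ("ArnEquals", "ArnLike"):
                if not any(_glob(p, actual) for p in patterns):
                    return False
            elif operator == "StringEquals":
                if actual not in patterns:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def evaluate(policy, action, resource, context=None):
    """Return (decision, sids): decision is 'Allow' or 'Deny'; sids lists the
    statements whose Action, Resource and Condition all matched the request."""
    context = context or {}
    allows, denies = [], []
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        if not any(_glob(a, action, fold_case=True) for a in actions):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        (allows if stmt["Effect"] == "Allow" else denies).append(stmt.get("Sid", "<no Sid>"))
    if denies:
        return "Deny", denies          # an explicit Deny always wins
    if allows:
        return "Allow", allows
    return "Deny", []                  # implicit deny: no statement matched


def missing_actions(policy, actions, resource, context=None):
    """Actions from `actions` that the policy would not allow on `resource`."""
    return [a for a in actions if evaluate(policy, a, resource, context)[0] != "Allow"]


if __name__ == "__main__":
    # Constructed ARNs for a hypothetical account and Beanstalk environment.
    env = "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/myapp/myapp-beta"
    print(evaluate(POLICY, "elasticbeanstalk:UpdateEnvironment", env))
    print(evaluate(POLICY, "iam:PutRolePolicy", "arn:aws:iam::123456789012:role/SomeOtherRole"))
    print(missing_actions(POLICY, ["iam:PutRolePolicy", "iam:PassRole", "iam:CreateRole"],
                          "arn:aws:iam::123456789012:role/CodeStarWorker-myapp"))
```

Run against the trimmed policy, `elasticbeanstalk:UpdateEnvironment` comes back as allowed by `ProjectServices` (through `elasticbeanstalk:*` on `Resource: "*"`), while `iam:PutRolePolicy` on a role not named `CodeStarWorker*` falls through to the implicit deny with an empty Sid list. The practical takeaway from the error text in the comments is to check the policy of the role the deploy action actually runs as, which need not be the one pasted above; for a real role, `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names elasticbeanstalk:UpdateEnvironment` gives IAM's own verdict, including policies this model does not handle (service control policies, permission boundaries, resource-based policies).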