
In CodeBuild, I have 2 projects. One is for a staging site, and another one is for a production site. When I compile my site and run it through the staging project, it works fine. It syncs successfully to my S3 bucket for the staging site. However, when I tried to compile it and run it through the production project, the sync command returns an error:

fatal error: An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied

[Container] 2018/09/11 08:40:33 Command did not exit successfully aws s3 sync public/ s3://$S3_BUCKET exit status 1

I did some digging around, and I think the problem is with my bucket policy. I am using CloudFront as a CDN on top of my S3 bucket. I don't want to modify the bucket policy of the production bucket until I'm absolutely sure that I must. I'm worried it might have some effect on the live site. Here is my bucket policy for the production bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::[bucket_name]/*"
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity [access_code]"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::[bucket_name]/*"
        }
    ]
}
kenlukas
m5kev4n
  • What IAM Role and Policy does CodeBuild use? It may prevent it from saving files into the Prod bucket. Also is the prod S3 bucket in the same account as the CodeBuild? If not you'll need cross-account access set up. – MLu Sep 12 '18 at 04:42

1 Answer

As per the error description, the list permission is missing.

Add the permission below to your bucket policy:

  "Action": [
      "s3:Get*",
      "s3:List*"
  ]

This should solve your issue. Also check the IAM service role created for CodeBuild to access S3 buckets. The S3 bucket policy and the IAM role both control access to the S3 bucket in this kind of setup.

Your service role should have list permission for S3.

 {
  "Sid": "S3ObjectPolicy",
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:List*"
  ],
  "Resource": ["arn:aws:s3:::my_bucket",
             "arn:aws:s3:::my_bucket/*"]
 }
Sangam Belose