11

I have created a CodeBuild project from the CodePipeline wizard with all the necessary required options and a valid IAM role. I have also added the IAM role policy that is required for accessing and writing data inside the S3 bucket. I have already considered the policy below for accessing S3.

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Resource": [
            "arn:aws:logs:aws/codebuild",
            "arn:aws:logs:aws/codebuild:*"
        ],
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ]
    },
    {
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::pipeline",
            "arn:aws:s3:::pipeline/*"
        ],
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:GetBucketAcl",
            "s3:GetBucketLocation"
        ]
    }
]

}

Once I initiated the pipeline, the CodeBuild build fails and I get the error below:

DOWNLOAD_SOURCE Failed: 
CLIENT_ERROR: symlink /codebuild/output/.../libcrypto.1.0.0.dylib: no such file or directory for primary source and source version arn:aws:s3:::codepipeline-bucketSource/Ap4g3sv.zip

I have researched a lot, have been through the various AWS documents but could not find the solution.

Vee Mandke
  • Can you try creating the build from code build console and then use that build from the code pipeline console? And one more thing, are you trying to use S3 as the source for the build? – Deependra Dangal May 21 '19 at 11:39
  • No, I am not using s3 as a source. In my case source is a pipeline only – Vee Mandke May 21 '19 at 12:15
  • I tried creating a separate build project from code build console for pipeline use, but getting the same error – Vee Mandke May 22 '19 at 06:26

2 Answers

7

Finally after a lot of research I found out that it was a permission issue only. I had to change the policy as mentioned below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}

After adding this modification my code build and pipeline started working.

Vee Mandke
3

Looks like your policy only provides access to the 'pipeline' bucket, but not to 'codepipeline-bucketSource'. Could you try giving S3 full access to the role, at least for the time being, so that we can debug whether this is actually an access-related issue?
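
The bucket mismatch pointed out in this answer can be checked offline. The following is an added example, not part of the original thread: it tests the S3 statement from the question against the artifact ARN in the error message, then tests the same actions scoped to that bucket, with no `*` resource. The matcher is a simplified model of IAM evaluation (Allow statements only); the helper `s3_policy` and the `NEEDS` list are assumptions made for the illustration.

```python
import re

def _match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _listify(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource):
    """True if an Allow statement covers (action, resource).
    Simplified: ignores Deny, Condition, NotAction and NotResource."""
    for st in _listify(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if (any(_match(a, action, True) for a in _listify(st.get("Action", [])))
                and any(_match(r, resource) for r in _listify(st.get("Resource", [])))):
            return True
    return False

def uncovered(policy, needs):
    """Return the (action, resource) pairs the policy does not allow."""
    return [n for n in needs if not allows(policy, *n)]

S3_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
              "s3:GetBucketAcl", "s3:GetBucketLocation"]

def s3_policy(bucket):
    # Hypothetical helper: the page's S3 actions, scoped to one bucket.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": S3_ACTIONS,
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]}

QUESTION_POLICY = s3_policy("pipeline")                 # S3 statement as posted
SCOPED_POLICY = s3_policy("codepipeline-bucketSource")  # bucket named in the error

# Requests assumed for fetching the source artifact; the object ARN is the
# one quoted in the DOWNLOAD_SOURCE error message.
NEEDS = [("s3:GetObject", "arn:aws:s3:::codepipeline-bucketSource/Ap4g3sv.zip"),
         ("s3:GetBucketLocation", "arn:aws:s3:::codepipeline-bucketSource")]

if __name__ == "__main__":
    print("question policy misses:", uncovered(QUESTION_POLICY, NEEDS))
    print("scoped policy misses:  ", uncovered(SCOPED_POLICY, NEEDS))
```
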