CodeBuild - Build fails due to missing EC2 Permission

Question

I have a codebuild project that pulls code from Github. I am using cloudposse template

When I start the build, I get

VPC_CLIENT_ERROR: Unexpected EC2 error: UnauthorizedOperation

I have found similar problem on SO. But in my case it did not work.

This is my terraform policy:

data "aws_iam_policy_document" "permissions" {
  statement {
    sid = ""

    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:CompleteLayerUpload",
      "ecr:GetAuthorizationToken",
      "ecr:InitiateLayerUpload",
      "ecr:PutImage",
      "ecr:UploadLayerPart",
      "ecs:RunTask",
      "iam:PassRole",
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "ssm:GetParameters",
      "ec2:DescribeSubnets",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeVpcs",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DeleteNetworkInterface",
      "ec2:DetachNetworkInterface",
      "ec2:DescribeDhcpOptions",
      "ec2:CreateNetworkInterface",
      "ec2:ModifySnapshotAttribute",
      "ec2:ModifyVpcEndpointService",
      "ec2:ResetSnapshot"
    ]

    effect = "Allow"

    resources = [
      "*",
    ]
  }

  statement {
    actions = [
      "ec2:CreateNetworkInterfacePermission"
    ]

    effect = "Allow"

    condition {
      test     = "StringEquals"
      variable = "ec2:Subnet"
      values = formatlist("arn:aws:ec2:*:*:subnet/%s", var.subnet_ids)
    }

    condition {
      test = "StringEquals"
      variable = "ec2:AuthorizedService"
      values = ["codebuild.amazonaws.com"]
    }

    resources = [
      "arn:aws:ec2:*:*:network-interface/*"
    ]
  }
}

And it generates this JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameters",
                "logs:PutLogEvents",
                "logs:CreateLogStream",
                "logs:CreateLogGroup",
                "iam:PassRole",
                "ecs:RunTask",
                "ecr:UploadLayerPart",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:GetAuthorizationToken",
                "ecr:CompleteLayerUpload",
                "ecr:BatchCheckLayerAvailability",
                "ec2:ResetSnapshot",
                "ec2:ModifyVpcEndpointService",
                "ec2:ModifySnapshotAttribute",
                "ec2:DetachNetworkInterface",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeDhcpOptions",
                "ec2:DeleteNetworkInterface",
                "ec2:CreateNetworkInterface"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "ec2:CreateNetworkInterfacePermission",
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {
                "StringEquals": {
                    "ec2:AuthorizedService": "codebuild.amazonaws.com",
                    "ec2:Subnet": [
                        "arn:aws:ec2:*:*:subnet/subnet-0d121212121212121",
                        "arn:aws:ec2:*:*:subnet/subnet-0a323232323232323",
                        "arn:aws:ec2:*:*:subnet/subnet-05454545454545454"
                    ]
                }
            }
        }
    ]
}

The only way I can make it to work is to add:

"ec2:*"

I would rather not do that, but fine grain the policy. What policy I need to add to make this work? this is driving me crazy for some time now...

Answer 1

Since you have wildcard in the subnet arn, could you try to change "StringEquals" to "StringLike"? It could be the root cause for this issue. Reference for the difference between "StringEquals" and "StringLike" can be found here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html

Thanks! Xin