AWS Error: "Access Denied" in CodeDeploy after Jenkins Build

I installed Jenkins on an EC2 instance; it starts a build when changes are pushed to the main branch on GitHub. Once the Jenkins build passes, it zips the source code and puts the archive in a specific S3 bucket. Then the CodeDeploy application, which Jenkins knows from its configuration and for which it starts the deployment, tries to get the ZIP source from S3 but gets an Access Denied error. It seems that the IAM role does not have the permissions to download the ZIP from S3.

My problem is understanding the IAM role, its relationship with the Jenkins user, and the role of the IAM service. How do I configure the permissions, and who should receive them? Please advise and help me understand this.

1 answer

There are usually two halves to setting up CodeDeploy ... the part that "creates" the deployment (usually your CI server / build agent), and the CodeDeploy agent that runs on the target instance(s) and performs the actual deployment. The first half is essentially pushing into CodeDeploy, and the second half is pulling from it ... that is how I like to visualize it.

For the CI server / build agents, they need an IAM role with permissions like the ones below. This allows the build agent to (1) access the S3 bucket you have assigned for deployments, and (2) access the CodeDeploy service to create revisions, etc.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListAllMyBuckets"],
                "Resource": "arn:aws:s3:::*"
            },
            {
                "Effect": "Allow",
                "Action": ["s3:PutObject"],
                "Resource": "arn:aws:s3:::YourDeploymentBucket/*"
            },
            {
                "Effect": "Allow",
                "Action": ["codedeploy:*"],
                "Resource": "*"
            }
        ]
    }

On the target EC2 instances, they need something like this ... This gives the CodeDeploy agent (1) access to the S3 bucket to pull the revision, and (2) access to the public CodeDeploy buckets so the agent can update itself. Of course, these instances must meet all the other criteria ... in general, they need an IAM role and they need the CodeDeploy agent installed.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:Get*", "s3:List*"],
                "Resource": [
                    "arn:aws:s3:::YourDeploymentBucket/*",
                    "arn:aws:s3:::aws-codedeploy-us-east-1/*",
                    "arn:aws:s3:::aws-codedeploy-us-west-1/*",
                    "arn:aws:s3:::aws-codedeploy-us-west-2/*",
                    "arn:aws:s3:::aws-codedeploy-ap-northeast-1/*",
                    "arn:aws:s3:::aws-codedeploy-ap-northeast-2/*",
                    "arn:aws:s3:::aws-codedeploy-ap-south-1/*",
                    "arn:aws:s3:::aws-codedeploy-ap-southeast-1/*",
                    "arn:aws:s3:::aws-codedeploy-ap-southeast-2/*",
                    "arn:aws:s3:::aws-codedeploy-eu-central-1/*",
                    "arn:aws:s3:::aws-codedeploy-eu-west-1/*",
                    "arn:aws:s3:::aws-codedeploy-sa-east-1/*"
                ]
            }
        ]
    }

How you assign these permissions is up to you ... if your build agents are EC2 instances, it is best to attach the policy to the IAM role associated with the instance. For the target deployment machines you would do the same ... create a policy and attach it to the IAM role associated with the instances you want to target.

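The answer splits the permissions into a push side (build agent) and a pull side (CodeDeploy agent on the instance). The following is an added example, not code from the answer above or from AWS, that checks both policies offline against the requests each side actually makes. It implements only the subset of IAM evaluation that matters for an S3/CodeDeploy "Access Denied": a request is allowed only if some statement's Action and Resource patterns match it, an explicit Deny always wins, and anything unmatched is an implicit deny; conditions, principals, NotAction/NotResource and bucket policies are not modelled. It also flags a common mistake: granting s3:PutObject or s3:GetObject on the bare bucket ARN, which never matches an object upload or download because those actions are evaluated against `arn:aws:s3:::bucket/key`. The bucket name, account ID, region, object keys and deployment-group ARN are constructed for the example.

```python
"""Offline check of the two CodeDeploy-side IAM policies (added example)."""
import re

# S3 actions that IAM evaluates against an object ARN (arn:aws:s3:::bucket/key).
OBJECT_LEVEL_S3_ACTIONS = {"s3:getobject", "s3:putobject", "s3:deleteobject"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style match: '*' spans any characters (including '/'), '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive in IAM; resource ARNs are not.
        action_hit = any(_wildcard_match(a, action, True) for a in _as_list(stmt["Action"]))
        resource_hit = any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny overrides any allow
            decision = "Allow"
    return decision


def bucket_only_object_statements(policy: dict) -> list:
    """Flag object-level S3 actions granted on a bare bucket ARN (no '/key' and no '*')."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        for action in _as_list(stmt["Action"]):
            if action.lower() not in OBJECT_LEVEL_S3_ACTIONS:
                continue
            for res in _as_list(stmt["Resource"]):
                if res.startswith("arn:aws:s3:::") and "/" not in res and not res.endswith("*"):
                    findings.append((action, res))
    return findings


# Build-agent statement that names only the bucket ARN (the common mistake) ...
BUILD_AGENT_BUCKET_ARN_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::YourDeploymentBucket"},
        {"Effect": "Allow", "Action": ["codedeploy:*"], "Resource": "*"},
    ],
}
# ... and the same grant on the objects inside the bucket.
BUILD_AGENT_OBJECT_ARN = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::YourDeploymentBucket/*"},
        {"Effect": "Allow", "Action": ["codedeploy:*"], "Resource": "*"},
    ],
}
# Target-instance role: read the revision plus the regional CodeDeploy agent bucket.
TARGET_INSTANCE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:List*"],
        "Resource": ["arn:aws:s3:::YourDeploymentBucket/*", "arn:aws:s3:::aws-codedeploy-us-east-1/*"],
    }],
}
# A role that can list the bucket but not read objects: the failure mode in the question.
TARGET_INSTANCE_LIST_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::YourDeploymentBucket"}],
}

# Constructed request targets (bucket, keys, account and region are made up).
REVISION = "arn:aws:s3:::YourDeploymentBucket/build-42/app.zip"
AGENT_INSTALLER = "arn:aws:s3:::aws-codedeploy-us-east-1/latest/install"
DEPLOYMENT_GROUP = "arn:aws:codedeploy:us-east-1:123456789012:deploymentgroup:MyApp/Prod"


def run_checks() -> dict:
    """Evaluate the requests each half of the pipeline actually makes."""
    return {
        "build_put_bucket_arn_only": evaluate(BUILD_AGENT_BUCKET_ARN_ONLY, "s3:PutObject", REVISION),
        "build_put_object_arn": evaluate(BUILD_AGENT_OBJECT_ARN, "s3:PutObject", REVISION),
        "build_create_deployment": evaluate(BUILD_AGENT_OBJECT_ARN, "codedeploy:CreateDeployment", DEPLOYMENT_GROUP),
        "instance_get_revision": evaluate(TARGET_INSTANCE, "s3:GetObject", REVISION),
        "instance_get_agent": evaluate(TARGET_INSTANCE, "s3:GetObject", AGENT_INSTALLER),
        "instance_get_other_bucket": evaluate(TARGET_INSTANCE, "s3:GetObject", "arn:aws:s3:::OtherBucket/x.zip"),
        "instance_put_revision": evaluate(TARGET_INSTANCE, "s3:PutObject", REVISION),
        "list_only_get_revision": evaluate(TARGET_INSTANCE_LIST_ONLY, "s3:GetObject", REVISION),
    }


if __name__ == "__main__":
    for name, decision in run_checks().items():
        print(f"{name:28s} {decision}")
    print("bucket-only object grants:", bucket_only_object_statements(BUILD_AGENT_BUCKET_ARN_ONLY))
```

The two ImplicitDeny results on the instance side are the ones worth keeping: the role reads only its own deployment bucket and cannot write back into it, so a compromised target host cannot poison the next revision. For the real roles, `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names s3:GetObject --resource-arns <object-arn>` gives the authoritative answer, including conditions and bucket policies that this toy evaluator ignores.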

Source: https://habr.com/ru/post/1260890/
