AWS CLI Error using AWS CodeBuild

I’ve created a CI/CD implementation that builds my Angular 4 applications with AWS CodeBuild and deploys them to AWS S3. Here’s one of my CodeBuild YAML configurations:

version: 0.2

env:
    variables:
        S3_BUCKET: "s3-bucket-name"
        BUILD_ENV: "prod"
        CLOUDFRONT_ID: "EXX11223344"
phases:
    install:
        commands:
        - echo Installing source NPM dependencies...
        # Need https driver.
        - sudo apt-get update -y
        - sudo apt-get install -y apt-transport-https
        # Install Yarn.
        - curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
        - echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
        - sudo apt-get update -y
        - sudo apt-get install -y yarn
        # Install Angular CLI
        - yarn global add @angular/[email protected]
        # Install node dependencies.
        - yarn
    build:
        commands:
        # Builds Angular application.
        - echo Build started on `date`
        - ng build --${BUILD_ENV}
    post_build:
        commands:
        # Clear S3 bucket.
        - aws s3 rm s3://${S3_BUCKET} --recursive
        - echo S3 bucket is cleared.
        # Copy dist folder to S3 bucket
        - aws s3 cp dist s3://${S3_BUCKET} --recursive
        # STEP: Clear CloudFront cache.
        - aws configure set preview.cloudfront true
        - aws cloudfront create-invalidation --distribution-id ${CLOUDFRONT_ID} --paths "/*"
        - echo Build completed on `date`
artifacts:
    files:
        - '**/*'
    discard-paths: yes
    base-directory: 'dist*'

Problem

I’m getting build errors at the “post_build” phase: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

So this appears to be a permissions issue that was not handled at the AWS policy level. My old AWS policy for this CodeBuild project:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1506491253000",
            "Effect": "Allow",
            "Action": [
                "cloudfront:CreateInvalidation"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1506491270000",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:ListBucket",
                "s3:ListObjects",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket-name"
            ]
        }
    ]
}

After several troubleshooting steps (and a run to Jack in The Box), I concluded that I was missing additional resource entries in the policy.

Solution

Thinking about the error more, I realized that I also needed a resource entry covering all the files and folders inside the bucket (not just the bucket itself). Here’s the fixed AWS policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1506491253000",
            "Effect": "Allow",
            "Action": [
                "cloudfront:CreateInvalidation"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1506491270000",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:ListBucket",
                "s3:ListObjects",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket-name",
                "arn:aws:s3:::s3-bucket-name/*"
            ]
        }
    ]
}

All I did was add the “/*” object ARN, which tells AWS that those permissions also apply to the bucket’s contents. The reason it matters: s3:PutObject, s3:DeleteObject and s3:PutObjectAcl are object-level actions and are evaluated against object ARNs (arn:aws:s3:::bucket/key), while s3:ListBucket is a bucket-level action evaluated against the bucket ARN (arn:aws:s3:::bucket). A statement that lists only the bucket ARN can therefore never match a PutObject call, which is exactly the AccessDenied I was seeing.
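To catch this mismatch before a build fails, here is a small static check I am adding as an example (it is not code from the original post or from AWS). It loads the two policies from the post as constructed sample input, classifies the S3 actions in each Allow statement as bucket-level or object-level, and reports statements whose actions can never match any listed Resource, together with the bucket/object ARN pair that would fix them. The action sets are limited to the actions this deployment uses, and the check is local only; it does not replace an authoritative evaluation such as aws iam simulate-principal-policy.

```python
"""Flag IAM Allow statements whose S3 actions cannot match their Resource ARNs.

Added example (not from the original post).  Object-level actions are
authorized against object ARNs (arn:aws:s3:::bucket/*), bucket-level actions
against the bucket ARN (arn:aws:s3:::bucket); a statement that grants
PutObject on the bucket ARN alone produces AccessDenied on every upload.
"""
import json

S3_ARN_PREFIX = "arn:aws:s3:::"

# Only the actions relevant to this deployment are classified here (assumption:
# extend these sets for other S3 actions you use).
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketVersions"}
OBJECT_LEVEL = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                "s3:PutObjectAcl", "s3:GetObjectAcl"}

# Constructed sample input: the two policies from the post.
OLD_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "Stmt1506491253000", "Effect": "Allow",
   "Action": ["cloudfront:CreateInvalidation"], "Resource": ["*"]},
  {"Sid": "Stmt1506491270000", "Effect": "Allow",
   "Action": ["s3:DeleteObject", "s3:ListBucket", "s3:ListObjects",
              "s3:PutObject", "s3:PutObjectAcl"],
   "Resource": ["arn:aws:s3:::s3-bucket-name"]}]}
""")
FIXED_POLICY = json.loads(json.dumps(OLD_POLICY))
FIXED_POLICY["Statement"][1]["Resource"].append("arn:aws:s3:::s3-bucket-name/*")


def _as_list(value):
    """IAM accepts a single string/object or a list for Statement, Action
    and Resource; normalize everything to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _is_object_arn(resource):
    """True for '*' or an S3 ARN that names a key or key prefix."""
    if resource == "*":
        return True
    return resource.startswith(S3_ARN_PREFIX) and "/" in resource[len(S3_ARN_PREFIX):]


def _is_bucket_arn(resource):
    """True for '*' or an S3 ARN that names only a bucket."""
    if resource == "*":
        return True
    return resource.startswith(S3_ARN_PREFIX) and "/" not in resource[len(S3_ARN_PREFIX):]


def suggested_resources(resources):
    """Return the given resources plus, for every S3 ARN, both its bucket ARN
    and its bucket/* object ARN, so the statement can match both levels."""
    out = set(resources)
    for r in resources:
        if r.startswith(S3_ARN_PREFIX):
            bucket = r[len(S3_ARN_PREFIX):].split("/", 1)[0]
            out.add(S3_ARN_PREFIX + bucket)
            out.add(S3_ARN_PREFIX + bucket + "/*")
    return sorted(out)


def find_resource_mismatches(policy):
    """One finding per Allow statement whose known S3 actions have no
    matching Resource.  Unknown action names (e.g. s3:ListObjects) are ignored."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        unmatched = []
        if not any(_is_object_arn(r) for r in resources):
            unmatched += sorted(a for a in actions if a in OBJECT_LEVEL)
        if not any(_is_bucket_arn(r) for r in resources):
            unmatched += sorted(a for a in actions if a in BUCKET_LEVEL)
        if unmatched:
            findings.append({"sid": stmt.get("Sid"), "actions": unmatched,
                             "suggested_resources": suggested_resources(resources)})
    return findings


if __name__ == "__main__":
    print("old policy:", json.dumps(find_resource_mismatches(OLD_POLICY), indent=2))
    print("fixed policy:", find_resource_mismatches(FIXED_POLICY))
```

Run against the old policy it reports Stmt1506491270000 with s3:DeleteObject, s3:PutObject and s3:PutObjectAcl unmatched and suggests adding arn:aws:s3:::s3-bucket-name/*; the fixed policy produces no findings. One caveat the check surfaces by ignoring it: s3:ListObjects in the post's policy is not an IAM action name (the ListObjects API call is authorized by s3:ListBucket), so that entry grants nothing and can be dropped.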
