CDK AWS Pipeline ListBucket permissions error #31517

lehigh123 · 2024-09-21T15:50:38Z

lehigh123
Sep 21, 2024

I am defining a Code Pipeline via CDK following the docs here to deploy a lambda. The final stage deploys a lambda cloudformation stack however I get an S3 permissions error when the deploy stage runs.

The deploy stage is defined as:

        const pipeline = new Pipeline(this, 'PipelineStack', {
            pipelineName: 'LambdaDeploymentPipeline',
            pipelineType: PipelineType.V2
        });
        ...source and build stage run correctly 
        pipeline.addStage({
            stageName: 'Deploy',
            actions: [
                new CloudFormationCreateUpdateStackAction({
                    actionName: 'lambda-application-deployment',
                    stackName: props.lambdaApplicationStack.stackName,
                    templatePath: cdkBuildOutput.atPath('LambdaStack.template.yaml'),
                    adminPermissions: true,
                })
            ],
        })

the error is:

User: arn:aws:sts::975050149793:assumed-role/CodePipelineStack-PipelineStackDeploylambdaapplicat-gF0oLczc8T7Z/1726918379606 is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::codepipelinestack-pipelinestackartifactsbucket870a-z0ggjsmh1utz" because no session policy allows the s3:ListBucket action (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied;

however when I check the permissions policy for the created role arn:aws:sts::975050149793:assumed-role/CodePipelineStack-PipelineStackDeploylambdaapplicat-gF0oLczc8T7Z/1726918379606

in the IAM console I can see it has list bucket permissions on the given bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Abort*",
                "s3:DeleteObject*",
                "s3:GetBucket*",
                "s3:GetObject*",
                "s3:List*",
                "s3:PutObject",
                "s3:PutObjectLegalHold",
                "s3:PutObjectRetention",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::codepipelinestack-pipelinestackartifactsbucket870a-z0ggjsmh1utz",
                "arn:aws:s3:::codepipelinestack-pipelinestackartifactsbucket870a-z0ggjsmh1utz/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:GenerateDataKey*",
                "kms:ReEncrypt*"
            ],
            "Resource": "arn:aws:kms:us-east-1:975050149793:key/cc2ef46c-329f-4e44-b209-89c7cce97cf4",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:CompleteLayerUpload",
                "ecr:GetDownloadUrlForLayer",
                "ecr:InitiateLayerUpload",
                "ecr:PutImage",
                "ecr:UploadLayerPart"
            ],
            "Resource": "arn:aws:ecr:us-east-1:975050149793:repository/hello-world-ecr-repository-from-cdk",
            "Effect": "Allow"
        },
        {
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::975050149793:role/CodePipelineStack-PipelineStackBuildcdkcodesynthesi-CBELbize1taP",
                "arn:aws:iam::975050149793:role/CodePipelineStack-PipelineStackBuildlambdadockerima-022VbTwX3Bwh",
                "arn:aws:iam::975050149793:role/CodePipelineStack-PipelineStackDeploylambdaapplicat-gF0oLczc8T7Z",
                "arn:aws:iam::975050149793:role/CodePipelineStack-PipelineStackSourceCDKGitHubSourc-YLxuCRQKhqOD",
                "arn:aws:iam::975050149793:role/CodePipelineStack-PipelineStackSourceLambdaGitHubSo-aOOfOJyDHRhJ"
            ],
            "Effect": "Allow"
        }
    ]
}

what updates do I need to make to rectify this error?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CDK AWS Pipeline ListBucket permissions error #31517

{{title}}

Replies: 0 comments

Select a reply

CDK AWS Pipeline ListBucket permissions error #31517

lehigh123 Sep 21, 2024

Replies: 0 comments

lehigh123
Sep 21, 2024