AWS Codepipeline: Deployment failed. The provided role does not have sufficient permissions: Failed to deploy application
I am using Beanstalk and Codepipeline.
It works fine until build, but
Deployment failed. The provided role does not have sufficient permissions: Failed to deploy application. Service:AWSLogs, Message:User: arn:aws:sts:::assumed-role/pipeline-role/ is not authorized to perform: logs:CreateLogGroup on resource: arn:aws:logs:ap-northeast-2::log-group:/aws/elasticbeanstalk/repo-env/var/log/nginx/error.log:log-stream:
occurs in Beanstalk deployment.
Do I need permission for the log group?
My CodePipeline role is:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "opsworks:DescribeStacks",
                "devicefarm:GetRun",
                "rds:*",
                "cloudformation:CreateChangeSet",
                "autoscaling:*",
                "codebuild:BatchGetBuilds",
                "devicefarm:ScheduleRun",
                "servicecatalog:ListProvisioningArtifacts",
                "devicefarm:ListDevicePools",
                "cloudformation:UpdateStack",
                "servicecatalog:DescribeProvisioningArtifact",
                "cloudformation:DescribeChangeSet",
                "devicefarm:ListProjects",
                "cloudformation:ExecuteChangeSet",
                "sns:*",
                "lambda:ListFunctions",
                "lambda:InvokeFunction",
                "codedeploy:RegisterApplicationRevision",
                "devicefarm:CreateUpload",
                "cloudformation:*",
                "opsworks:DescribeDeployments",
                "cloudformation:DescribeStacks",
                "codecommit:GetUploadArchiveStatus",
                "cloudwatch:*",
                "cloudformation:DeleteStack",
                "opsworks:DescribeInstances",
                "ecs:*",
                "ecr:DescribeImages",
                "ec2:*",
                "codebuild:StartBuild",
                "cloudformation:ValidateTemplate",
                "opsworks:DescribeApps",
                "opsworks:UpdateStack",
                "codedeploy:CreateDeployment",
                "codedeploy:GetApplicationRevision",
                "codedeploy:GetDeploymentConfig",
                "servicecatalog:CreateProvisioningArtifact",
                "sqs:*",
                "cloudformation:DeleteChangeSet",
                "codecommit:GetCommit",
                "servicecatalog:DeleteProvisioningArtifact",
                "codedeploy:GetApplication",
                "cloudformation:SetStackPolicy",
                "codecommit:UploadArchive",
                "s3:*",
                "elasticloadbalancing:*",
                "codecommit:CancelUploadArchive",
                "devicefarm:GetUpload",
                "elasticbeanstalk:*",
                "opsworks:UpdateApp",
                "opsworks:CreateDeployment",
                "cloudformation:CreateStack",
                "servicecatalog:UpdateProduct",
                "codecommit:GetBranch",
                "codedeploy:GetDeployment",
                "opsworks:DescribeCommands"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEqualsIfExists": {
                    "iam:PassedToService": [
                        "cloudformation.amazonaws.com",
                        "elasticbeanstalk.amazonaws.com",
                        "ec2.amazonaws.com",
                        "ecs-tasks.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "codestar-connections:UseConnection",
            "Resource": "*"
        }
    ]
}
```
Solution 1:[1]
To resolve the issue, add "logs:*" in the Actions array of the first block, as this gives permission from EBS to CloudWatch Logs.
Recommendation: I would recommend not adding "*" but rather giving minimal permissions based on your requirement. For this case, add "logs:CreateLogGroup" in the Actions array of the first block.
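Added example, not part of the question or of either answer: a Python sketch that reads the denied action and resource out of the error message, confirms that a policy like the one in the question does not grant it (`cloudwatch:*` does not cover the `logs:` prefix), and builds a statement scoped to the environment's log groups instead of `logs:*` on `*`. The account ID `111122223333`, the session name, the abbreviated `ROLE_POLICY`, the `Sid` and all function names are assumptions made for the example.

```python
import json
import re

# Constructed sample: the error from the question, with a placeholder account ID
# and session name filled in where the post has them elided.
ERROR = ("User: arn:aws:sts::111122223333:assumed-role/pipeline-role/session "
         "is not authorized to perform: logs:CreateLogGroup on resource: "
         "arn:aws:logs:ap-northeast-2:111122223333:log-group:"
         "/aws/elasticbeanstalk/repo-env/var/log/nginx/error.log:log-stream:")

# Abbreviated stand-in for the first statement of the question's policy.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:*", "cloudwatch:*", "elasticbeanstalk:*"]}]}

def parse_denial(message):
    """Extract (action, resource ARN) from an IAM access-denied message."""
    m = re.search(r"not authorized to perform: ([\w-]+:\w+) on resource: (arn:\S+)",
                  message)
    if m is None:
        raise ValueError("no access-denied pattern found")
    return m.group(1), m.group(2)

def _glob(pattern, value, flags=0):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags) is not None

def allows(policy, action, resource):
    """Simplified check: unconditional Allow statements only (no Deny, NotAction, SCPs)."""
    as_list = lambda v: [v] if isinstance(v, str) else v
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        if (any(_glob(a, action, re.I) for a in as_list(st.get("Action", [])))
                and any(_glob(r, resource) for r in as_list(st.get("Resource", [])))):
            return True
    return False

def scoped_statement(action, resource):
    """Allow only the denied action, on log groups of the same Beanstalk environment."""
    arn_prefix, group = resource.split(":log-group:", 1)
    env_path = "/".join(group.split("/")[:4])  # /aws/elasticbeanstalk/<env>
    return {"Sid": "BeanstalkLogGroups", "Effect": "Allow", "Action": action,
            "Resource": f"{arn_prefix}:log-group:{env_path}/*"}

if __name__ == "__main__":
    action, resource = parse_denial(ERROR)
    print("granted by current policy:", allows(ROLE_POLICY, action, resource))
    print(json.dumps(scoped_statement(action, resource), indent=2))
```

If the next deployment reports a different denied `logs:` action, feed that message through the same functions and extend the statement's `Action` list rather than widening it to `logs:*`.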
Solution 2:[2]
I solved it by adding "CloudWatchLogsFullAccess" in the IAM user permissions policies, directly from the IAM GUI.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Ritesh Kumar Reddy Kuchukulla |
| Solution 2 | Rexcirus |
