I have an AWS code pipeline where the last step deploys a CDK template. I have an IAM role (arn:aws:iam::975050149793:role/CodePipelineBuildAndDeployRoleV2) with the following permissions policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ecr:GetAuthorizationToken",
                "s3:List*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:Abort*",
                "s3:DeleteObject*",
                "s3:GetBucket*",
                "s3:GetObject*",
                "s3:List*",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectLegalHold",
                "s3:PutObjectRetention",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::code-pipeline-artifact-bucket-v2",
                "arn:aws:s3:::code-pipeline-artifact-bucket-v2/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:CompleteLayerUpload",
                "ecr:GetDownloadUrlForLayer",
                "ecr:InitiateLayerUpload",
                "ecr:PutImage",
                "ecr:UploadLayerPart"
            ],
            "Resource": "arn:aws:ecr:us-east-1:975050149793:repository/hello-world-ecr-repository-from-cdk",
            "Effect": "Allow"
        },
        {
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::975050149793:role/CodePipelineStack-PipelineStackBuildcdkcodesynthesi-vFR745UypNHH",
                "arn:aws:iam::975050149793:role/CodePipelineStack-PipelineStackBuildlambdadockerima-bwgUOKwVvSkx",
                "arn:aws:iam::975050149793:role/CodePipelineStack-PipelineStackSourceCDKGitHubSourc-2ucigcXrrb9y",
                "arn:aws:iam::975050149793:role/CodePipelineStack-PipelineStackSourceLambdaGitHubSo-wCf42p9m8VdL",
                "arn:aws:iam::975050149793:role/CodePipelineBuildAndDeployRoleV2"
            ],
            "Effect": "Allow"
        },
        {
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::975050149793:role/CodePipelineBuildAndDeployRoleV2",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DescribeStack*",
                "cloudformation:GetStackPolicy",
                "cloudformation:GetTemplate*",
                "cloudformation:SetStackPolicy",
                "cloudformation:UpdateStack",
                "cloudformation:ValidateTemplate"
            ],
            "Resource": "arn:aws:cloudformation:us-east-1:975050149793:stack/LambdaStackDeployedName/*",
            "Effect": "Allow"
        }
    ]
}
and the following trust policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "codepipeline.amazonaws.com",
                    "s3.amazonaws.com",
                    "codebuild.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
but the deployment keeps failing with the following error:
User: arn:aws:sts::975050149793:assumed-role/CodePipelineBuildAndDeployRoleV2/1727290405840 is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::code-pipeline-artifact-bucket-v2" because no session policy allows the s3:ListBucket action (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: QDFVFYCJQ08K3AGJ; S3 Extended Request ID: sDxvgKj+HGpAMXO2Y7SAkBysTM0490KbWkHFjNX9ozwp6JoMSjEguvwh/3I97i2LA4oYD1W4Nj4=; Proxy: null)
I can see the IAM policy has the necessary permissions however it still keeps failing with the same error.
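The error says the request was refused "because no session policy allows" the action, which points at a different policy layer than the role's permissions policy shown above: when a role is assumed with a session policy, the session's effective permissions are the intersection of the role's identity policy and that session policy. The following is an added example, not code from the question or from AWS, that models this evaluation on the question's own S3 statements; the SESSION_POLICY it uses is a constructed assumption of a session scoped to object operations only, chosen because it reproduces the reported denial.

```python
import fnmatch

# Constructed, simplified model of IAM evaluation for an assumed-role session: the
# request must be allowed by the role's identity policy AND, if a session policy was
# passed to sts:AssumeRole, by that session policy too (resource policies, SCPs and
# Condition keys are deliberately out of scope).

ROLE_POLICY = {  # the two S3 statements from the question's permissions policy
    "Statement": [
        {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken", "s3:List*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject*", "s3:List*", "s3:ListBucket", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::code-pipeline-artifact-bucket-v2",
                      "arn:aws:s3:::code-pipeline-artifact-bucket-v2/*"]},
    ]
}

# Constructed session policy (an assumption; the real one is not visible in the
# question): object operations only, so s3:ListBucket on the bucket ARN is never allowed.
SESSION_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::code-pipeline-artifact-bucket-v2/*"},
    ]
}

def _matches(patterns, value, fold=False):
    # IAM wildcard semantics: '*' spans any run of characters, '?' one character.
    # Action names compare case-insensitively (fold=True); ARNs do not.
    pats = patterns if isinstance(patterns, list) else [patterns]
    if fold:
        value, pats = value.lower(), [p.lower() for p in pats]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def policy_decision(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single policy document."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action, fold=True) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            decision = "Allow"
    return decision

def is_authorized(action, resource, identity_policy, session_policy=None):
    """A session is authorized only if every applicable policy layer allows the request."""
    decisions = [policy_decision(identity_policy, action, resource)]
    if session_policy is not None:
        decisions.append(policy_decision(session_policy, action, resource))
    return all(d == "Allow" for d in decisions)
```

Run against the bucket ARN from the error, is_authorized returns True for s3:ListBucket with the role policy alone and False once the constructed session policy is applied, which is exactly the shape of the 403 in the question; the check to make on the real pipeline is therefore what session policy the calling action attaches when it assumes the role, not the role's own permissions.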
Ensure that the trust relationship for CodePipelineBuildAndDeployRoleV2 correctly allows the service to assume it. The trust policy should include sts:AssumeRole permissions for the service principal associated with your CodePipeline.