I get this error when CodePipeline is trying to fetch the source from CodeCommit:
The service role or action role doesn’t have the permissions required to access the AWS CodeCommit repository named defon-liff. Update the IAM role permissions, and then try again. Error: User: arn:aws:sts::665852216333:assumed-role/df-stag-code-adminPipelineRole8AA4BBC2-LGTJJRF5EP4E/1720168399052 is not authorized to perform: codecommit:GetBranch on resource: arn:aws:codecommit:ap-northeast-1:665852216828:defon-liff because no identity-based policy allows the codecommit:GetBranch action
I think this is because df-stag-code-adminPipelineRole8AA4BBC2-LGTJJRF5EP4E cannot access CodeCommit.
So I investigated df-stag-code-adminPipelineRole8AA4BBC2-LGTJJRF5EP4E; this has a policy named adminPipelineRoleDefaultPolicyC79967BE.
Then it has two assumed roles.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject*",
        "s3:GetBucket*",
        "s3:List*",
        "s3:DeleteObject*",
        "s3:PutObject",
        "s3:PutObjectLegalHold",
        "s3:PutObjectRetention",
        "s3:PutObjectTagging",
        "s3:PutObjectVersionTagging",
        "s3:Abort*"
      ],
      "Resource": [
        "arn:aws:s3:::si2-s3d-91",
        "arn:aws:s3:::si2-s3d-91/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*"
      ],
      "Resource": "arn:aws:kms:ap-northeast-1:665852216333:key/bf3cf318-1376-44de-a014-18107XXXXXX",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::665852216333:role/df-stag-code-adminPipelinedfstagadmionsourcedfstag-1OZJ7LB64WXO2",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::665852216333:role/df-stag-code-adminPipelinedfstagadmionbuilddfstaga-8NGM8PIRUGQ3",
      "Effect": "Allow"
    }
  ]
}
So I checked df-stag-code-adminPipelinedfstagadmionsourcedfstag-1OZJ7LB64WXO2.
This has the policy adminPipelinedfstagadmionsourcedfstagadminsourceCodePipelineActionRoleDefaultPolicy32499DC6.
Then, it has:
{
  "Action": [
    "codecommit:GetBranch",
    "codecommit:GetCommit",
    "codecommit:UploadArchive",
    "codecommit:GetUploadArchiveStatus",
    "codecommit:CancelUploadArchive"
  ],
  "Resource": "arn:aws:codecommit:ap-northeast-1:665852216333:defon-*",
  "Effect": "Allow"
}
It looks like it has access to the CodeCommit defon-*.
However, the error still happens.
How can I fix this?
Also, I wonder about df-stag-code-adminPipelineRole8AA4BBC2-LGTJJRF5EP4E/1720168399052 in the error message.
What is the 1720168399052?
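
Added example, not part of the original post: a small Python check that splits the AccessDenied message into caller, action and resource, then tests the two quoted policies against that exact request. The labels "pipeline role" and "source action role" and all function names are this example's own. The matcher is a simplification that models only Allow statements with Action/Resource wildcards (no Deny, conditions, permission boundaries or SCPs).

```python
import re
# Constructed inputs: the error text and policy statements quoted in the post.
ERROR = ("User: arn:aws:sts::665852216333:assumed-role/"
         "df-stag-code-adminPipelineRole8AA4BBC2-LGTJJRF5EP4E/1720168399052 is not "
         "authorized to perform: codecommit:GetBranch on resource: "
         "arn:aws:codecommit:ap-northeast-1:665852216828:defon-liff")
ROLE = "arn:aws:iam::665852216333:role/df-stag-code-adminPipelinedfstagadmion"
POLICIES = {
    "pipeline role": [
        {"Effect": "Allow", "Resource": ["arn:aws:s3:::si2-s3d-91", "arn:aws:s3:::si2-s3d-91/*"],
         "Action": ["s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*",
                    "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention",
                    "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*"]},
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:Encrypt",
                                       "kms:ReEncrypt*", "kms:GenerateDataKey*"],
         "Resource": "arn:aws:kms:ap-northeast-1:665852216333:key/bf3cf318-1376-44de-a014-18107XXXXXX"},
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE + "sourcedfstag-1OZJ7LB64WXO2"},
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE + "builddfstaga-8NGM8PIRUGQ3"}],
    "source action role": [
        {"Effect": "Allow", "Resource": "arn:aws:codecommit:ap-northeast-1:665852216333:defon-*",
         "Action": ["codecommit:GetBranch", "codecommit:GetCommit", "codecommit:UploadArchive",
                    "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive"]}],
}

def wild(pattern, value, flags=0):
    # IAM-style wildcards: * matches any run of characters, ? exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags) is not None

def as_list(v):
    return v if isinstance(v, list) else [v]

def allowing(statements, action, resource):
    # Indexes of Allow statements whose Action and Resource both match the request.
    return [i for i, s in enumerate(statements) if s["Effect"] == "Allow"
            and any(wild(a, action, re.I) for a in as_list(s["Action"]))
            and any(wild(r, resource) for r in as_list(s["Resource"]))]

def diagnose(msg, policies):
    # Split the denial into caller, action and resource, then test every policy.
    m = re.search(r"arn:aws:sts::(\d+):assumed-role/([^/]+)/(\S+) is not authorized "
                  r"to perform: (\S+) on resource: (\S+)", msg)
    d = dict(zip(("caller_account", "role", "session", "action", "resource"), m.groups()))
    d["resource_account"] = d["resource"].split(":")[4]
    d["allowed_by"] = {n: allowing(s, d["action"], d["resource"]) for n, s in policies.items()}
    return d

if __name__ == "__main__":
    print(diagnose(ERROR, POLICIES))
```

With the post's values, allowed_by is empty for both roles, and resource_account (665852216828) differs from caller_account and from the account in the source action role's Resource (665852216333).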