AWS CodeBuild script fails s3 sync with AccessDenied

amazon-web-services amazon-s3

Adding the following to the CodeBuild generated role worked for me:

{
    "Effect": "Allow",
    "Resource": [
        "arn:aws:s3:::mytestbucket",
        "arn:aws:s3:::mytestbucket/*"
    ],
    "Action": [
        "s3:PutObject",
        "s3:Get*",
        "s3:List*"
    ]
}

I had this same error and tried everything in this thread. I was trying to do

aws s3 sync ./build s3://s3-us-east-1.amazonaws.com/some-amazing-s3-bucket

from a Codebuild action, but the S3 response was always

fatal error: An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied

even when I did it from the aws-cli on my laptop (with admin access keys).

It took me several hours to realize that the actual s3 url is supposed to be written like this:

s3://some-amazing-s3-bucket

instead of

s3://s3-us-east-1.amazonaws.com/some-amazing-s3-bucket

That being said, a policy like tedsmitt's has to be attached to the (in my case) codebuild role too.

Hope this helps someone.

Related

quote only if variable is non-empty
Zabbix: What is the difference between `HostMetadata` and `HostMetadataItem`?
Can I overwrite, what `diff` means for a task?
Explicitly empty groups in Ansible
Postfix: Verify all outgoing TLS connections are being established properly
Feeding Multiline STDIN Input to Command
ssh restrictions for user authentication
Is there an Internet Organization to file complaints to about ISP DNS Hijacking?
Internal Network CA: "Invalid Common Name" or Invalid Cert on everything (except Internet Explorer and Windows' Certificates mmc snapin)
Do I really need WSUS and if I disable WSUS will the workstation automatically pickup windows updates?
Problems with Azure AD connect custom install
Ubiquity Unifi wont accept login after migration