amazon web services - CodeBuild unable to create Logs


I have the following role for the CodeBuild service, generated via CloudFormation:

```yaml
CodeBuildRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: !Sub '${PipelineName}-codebuild'
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        Effect: Allow
        Principal:
          Service: codebuild.amazonaws.com
        Action: sts:AssumeRole
    Policies:
      - PolicyName: !Sub '${PipelineName}-codebuild'
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Resource:
              - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}'
              - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}/*'
              Action:
              - 'logs:CreateLogGroup'
              - 'logs:CreateLogStream'
              - 'logs:PutLogEvents'
            - Effect: Allow
              Resource:
                - !Sub 'arn:aws:s3:::codepipeline-${AWS::Region}-*/*'
              Action:
                - 's3:GetObject'
                - 's3:GetObjectVersion'
                - 's3:PutObject'
            - Effect: Allow
              Resource:
                - !GetAtt [PipelineArtifactStore, Arn]
              Action:
                - 's3:PutObject'
```

What's wrong with

```yaml
- !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}'
- !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}/*'
```

Why can't CodeBuild write logs?

```
Service role arn:aws:iam::598xxx:role/skynet-codebuild does not allow AWS CodeBuild to create Amazon CloudWatch Logs log streams for build arn:aws:codebuild:ap-southeast-1:598xxx:build/skynet-lambda:544xxx-aa88945844fa. Error message: User: arn:aws:sts::598xxx:assumed-role/skynet-codebuild/AWSCodeBuild-544xxx-aa88945844fa is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:ap-southeast-1:598xxx:log-group:/aws/codebuild/skynet-lambda:log-stream:544xxx-aa88945844fa
```

UPDATE: full CloudFormation template for reference

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Skynet stack CodePipeline'

Parameters:
  PipelineName:
    Type: String
    Description: Pipeline name (lower case only, since S3 bucket names can only have lowercase)
    Default: skynet
  GitHubOwner:
    Type: String
    Description: GitHub owner/username
  GitHubRepo:
    Type: String
    Description: GitHub repo
    Default: '2359media/skynet'
  GitHubBranch:
    Type: String
    Description: GitHub branch
    Default: master
  GitHubToken:
    Type: String
    Description: GitHub token
    NoEcho: true

Resources:
  Pipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      Name: !Ref PipelineName
      RoleArn: !GetAtt [PipelineRole, Arn]
      ArtifactStore:
        Location: !Ref PipelineArtifactStore
        Type: S3
      DisableInboundStageTransitions: []
      Stages:
        - Name: GitHubSource
          Actions:
          - Name: Source
            ActionTypeId:
              Category: Source
              Owner: ThirdParty
              Version: 1
              Provider: GitHub
            Configuration:
              Owner: !Ref GitHubOwner
              Repo: !Ref GitHubRepo
              Branch: !Ref GitHubBranch
              OAuthToken: !Ref GitHubToken
            OutputArtifacts:
              - Name: SourceCode
        - Name: Build
          Actions:
          - Name: Lambda
            InputArtifacts:
              - Name: SourceCode
            OutputArtifacts:
              - Name: LambdaPackage
            ActionTypeId:
              Category: Build
              Owner: AWS
              Version: 1
              Provider: CodeBuild
            Configuration:
              ProjectName: !Ref CodeBuildLambda
        - Name: Deploy
          Actions:
          - Name: Lambda
            InputArtifacts:
              - Name: LambdaPackage
            OutputArtifacts:
              - Name: LambdaDeployment
            ActionTypeId:
              Category: Deploy
              Owner: AWS
              Version: 1
              Provider: CloudFormation
            Configuration:
              ActionMode: CHANGE_SET_REPLACE
              RoleArn: !GetAtt [CloudFormationRole, Arn]
              StackName: !Ref AWS::StackName
              TemplatePath: 'Template::lambda/sam.yml'

  CodeBuildLambda:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub '${PipelineName}-lambda'
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/nodejs:7.0.0
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: S3_BUCKET
            Value: !Ref PipelineArtifactStore
      ServiceRole: !Ref CodeBuildRole
      Source:
        BuildSpec: 'lambda/buildspec.yml'
        Type: CODEPIPELINE

  PipelineArtifactStore:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub '${PipelineName}-pipeline-artifacts'
      VersioningConfiguration:
        Status: Enabled

  CodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${PipelineName}-codebuild'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Effect: Allow
          Principal:
            Service: codebuild.amazonaws.com
          Action: sts:AssumeRole
      Policies:
        - PolicyName: !Sub '${PipelineName}-codebuild'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Resource:
                - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*'
                Action:
                - 'logs:CreateLogGroup'
                - 'logs:CreateLogStream'
                - 'logs:PutLogEvents'
              - Effect: Allow
                Resource:
                  - !Sub 'arn:aws:s3:::codepipeline-${AWS::Region}-*/*'
                  - !Sub
                    - '${PipelineArtifactStoreArn}/*'
                    - {PipelineArtifactStoreArn: !GetAtt [PipelineArtifactStore, Arn]}
                Action:
                  - 's3:GetObject'
                  - 's3:GetObjectVersion'
                  - 's3:PutObject'

  CloudFormationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${PipelineName}-cloudformation'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service: cloudformation.amazonaws.com
          Action:
          - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AWSLambdaExecute'
      Policies:
        - PolicyName: !Sub '${PipelineName}-cloudformation'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Resource: '*'
                Action:
                - 's3:GetObject'
                - 's3:GetObjectVersion'
                - 's3:GetBucketVersioning'
              - Effect: Allow
                Resource: 'arn:aws:s3:::codepipeline*'
                Action:
                - 's3:PutObject'
              - Effect: Allow
                Resource: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*'
                Action:
                - 'lambda:*'
              - Effect: Allow
                Resource: !Sub 'arn:aws:apigateway:${AWS::Region}::*'
                Action:
                - 'apigateway:*'
              - Effect: Allow
                Resource: !Sub 'arn:aws:iam::${AWS::Region}:role/*'
                Action:
                - 'iam:GetRole'
                - 'iam:CreateRole'
                - 'iam:DeleteRole'
                - 'iam:AttachRolePolicy'
                - 'iam:DetachRolePolicy'
              - Effect: Allow
                Resource: '*'
                Action:
                - 'iam:PassRole'
              - Effect: Allow
                Resource: !Sub 'arn:aws:cloudformation:${AWS::Region}:aws:transform/Serverless-2016-10-31'
                Action:
                - 'cloudformation:CreateChangeSet'

  PipelineRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${PipelineName}-pipeline'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Action: ['sts:AssumeRole']
          Effect: Allow
          Principal:
            Service: [codepipeline.amazonaws.com]
      Path: /
      Policies:
        - PolicyName: SkynetPipeline
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Action:
                - 's3:GetObject'
                - 's3:GetObjectVersion'
                - 's3:GetBucketVersioning'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                - 's3:PutObject'
                Effect: 'Allow'
                Resource:
                - !GetAtt [PipelineArtifactStore, Arn]
              - Action:
                - 'codecommit:CancelUploadArchive'
                - 'codecommit:GetBranch'
                - 'codecommit:GetCommit'
                - 'codecommit:GetUploadArchiveStatus'
                - 'codecommit:UploadArchive'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                - 'codedeploy:CreateDeployment'
                - 'codedeploy:GetApplicationRevision'
                - 'codedeploy:GetDeployment'
                - 'codedeploy:GetDeploymentConfig'
                - 'codedeploy:RegisterApplicationRevision'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                - 'elasticbeanstalk:*'
                - 'ec2:*'
                - 'elasticloadbalancing:*'
                - 'autoscaling:*'
                - 'cloudwatch:*'
                - 's3:*'
                - 'sns:*'
                - 'cloudformation:*'
                - 'rds:*'
                - 'sqs:*'
                - 'ecs:*'
                - 'iam:PassRole'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                - 'lambda:InvokeFunction'
                - 'lambda:ListFunctions'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                - 'opsworks:CreateDeployment'
                - 'opsworks:DescribeApps'
                - 'opsworks:DescribeCommands'
                - 'opsworks:DescribeDeployments'
                - 'opsworks:DescribeInstances'
                - 'opsworks:DescribeStacks'
                - 'opsworks:UpdateApp'
                - 'opsworks:UpdateStack'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                - 'cloudformation:CreateStack'
                - 'cloudformation:DeleteStack'
                - 'cloudformation:DescribeStacks'
                - 'cloudformation:UpdateStack'
                - 'cloudformation:CreateChangeSet'
                - 'cloudformation:DeleteChangeSet'
                - 'cloudformation:DescribeChangeSet'
                - 'cloudformation:ExecuteChangeSet'
                - 'cloudformation:SetStackPolicy'
                - 'cloudformation:ValidateTemplate'
                - 'iam:PassRole'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                - 'codebuild:BatchGetBuilds'
                - 'codebuild:StartBuild'
                Effect: 'Allow'
                Resource: '*'
```

It appears there might be a slight difference between the value you're giving the role and the value it's expecting.

It appears you're creating a role name based on ${PipelineName}-codebuild, which seems to resolve to skynet-codebuild, so based on this, PipelineName is skynet. In the policy, you're giving access to logs:CreateLogGroup on the resource arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}. We can glean from the error that this would have to be arn:aws:logs:ap-southeast-1:598xxx:log-group:/aws/codebuild/skynet:log-stream:..., when in reality it is arn:aws:logs:ap-southeast-1:598xxx:log-group:/aws/codebuild/skynet-lambda:log-stream:...

Is it possible the CodeBuild project is called ${PipelineName}-lambda? One way you might be able to get around this is to use a more general statement in the policy, like:

```yaml
- Effect: Allow
  Resource:
  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}-*'
  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}-*/*'
  Action:
  - 'logs:CreateLogGroup'
  - 'logs:CreateLogStream'
```

which should allow CodeBuild to create log groups and log streams for any CodeBuild project whose name starts with PipelineName-.

UPDATE: with the full CloudFormation template. As expected, the CodeBuild project is named ${PipelineName}-lambda, which is why the policy doesn't match up. If you want to authorize creating logs for just that project, you'd want to replace the statement with the following:

```yaml
- Effect: Allow
  Resource:
  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}-lambda'
  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}-lambda/*'
  Action:
  - 'logs:CreateLogGroup'
  - 'logs:CreateLogStream'
```
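As an added example (editor's code, not from the question or the answer), the following Python evaluates each set of Resource patterns quoted in the question, its update and the answer against the log-group and log-stream ARNs taken from the error message, using IAM's wildcard matching rules. Assumptions: the region, account and PipelineName values are the ones the error shows, fn_sub is a minimal stand-in for !Sub, and the last pattern set, labelled "extra", is not from the thread and uses the ':' that CloudWatch Logs places before 'log-stream' in stream ARNs.

```python
"""Added example (editor's code, not from the question or answer): evaluate the
IAM Resource patterns quoted in this thread against the ARNs that CodeBuild's
CloudWatch Logs calls are authorized on, using IAM's wildcard rules."""
import re

# Constructed from the error message in the question (account and build id
# masked as there). logs:CreateLogGroup is authorized against the group ARN,
# logs:CreateLogStream / logs:PutLogEvents against the stream ARN.
LOG_GROUP_ARN = "arn:aws:logs:ap-southeast-1:598xxx:log-group:/aws/codebuild/skynet-lambda"
LOG_STREAM_ARN = LOG_GROUP_ARN + ":log-stream:544xxx-aa88945844fa"

# Parameter and pseudo-parameter values as the error message resolves them.
SUBS = {"AWS::Region": "ap-southeast-1", "AWS::AccountId": "598xxx", "PipelineName": "skynet"}

PREFIX = "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/"
POLICIES = {  # Resource lists in order of appearance; "extra" is not from the thread
    "question: ${PipelineName}": [PREFIX + "${PipelineName}", PREFIX + "${PipelineName}/*"],
    "answer: ${PipelineName}-*": [PREFIX + "${PipelineName}-*", PREFIX + "${PipelineName}-*/*"],
    "answer update: ${PipelineName}-lambda": [PREFIX + "${PipelineName}-lambda",
                                              PREFIX + "${PipelineName}-lambda/*"],
    "question update: log-group:*": ["arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*"],
    "extra: ${PipelineName}-lambda:*": [PREFIX + "${PipelineName}-lambda",
                                        PREFIX + "${PipelineName}-lambda:*"],
}

def fn_sub(template, subs=SUBS):
    """Minimal stand-in for CloudFormation's !Sub: replace each ${Name} token."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: subs[m.group(1)], template)

def iam_resource_matches(pattern, arn):
    """IAM Resource matching: '*' matches any run of characters (':' and '/'
    included), '?' matches exactly one, everything else is literal and
    case-sensitive. ARNs have no path semantics, so '/*' cannot match ':log-stream:'."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None

def evaluate(arn, policies=POLICIES):
    """Map each policy label to True when any of its Resource entries matches arn."""
    return {label: any(iam_resource_matches(fn_sub(r), arn) for r in resources)
            for label, resources in policies.items()}

if __name__ == "__main__":
    for arn in (LOG_GROUP_ARN, LOG_STREAM_ARN):
        print(arn)
        for label, ok in evaluate(arn).items():
            print(f"  {'matches ' if ok else 'no match'}  {label}")
```

Running it shows which statements would satisfy the logs:CreateLogStream call that the error reports and which only cover the log group.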
