aws-samples / ecs-blue-green-deployment

Reference architecture for doing blue green deployments on ECS.
Apache License 2.0

S3 permissions error #14

Open DavidRileyZip opened 4 years ago

DavidRileyZip commented 4 years ago

Hi,

I realise this is a fairly old demo now but I was surprised when it didn't work out of the box.

I tried to create the stack on the fargate branch in eu-west-2 so had to update the TemplateURL fields to:

https://${TemplateBucket}.s3.eu-west-2.amazonaws.com/templates/vpc.yaml

This meant the stack creation could progress further, but still failed to create the DeploymentPipeline stack with the following error for the LoadBalancer resource:

S3 error: Access Denied For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html

I then added s3:* to the inline policy within CloudFormationExecutionRole, but I am still seeing the above error.

Can anyone verify that they can get this stack working?

Thank you

David

zswanson commented 3 years ago

@DavidRileyZip I had the same issue with access denied errors; I had to allow the S3 deployment bucket for the demo to have public ACLs. Not the best setup, but to run the demo it got things moving.

emolvera commented 3 years ago

So, it's been a while but I wanted to share that I could work around this issue by modifying the script bin/deploy and deleting the flag --acl public-read for all occurrences. Hope it helps.

I also had to add the following to templates/deployment-pipeline.yaml, on line 120 under Action: - s3:*

Seppo007 commented 2 years ago

I faced the same issue as DavidRileyZip did and deleted the --acl public-read arg.

Problem is that you can't do this workshop if you are working in a provisioned AWS environment (for me distributed by my company) where giving public access to S3 is generally forbidden. Therefore you can't extend public access on any bucket that is created in that provisioned account.

Maybe you should think about rewriting the instructions without using the --acl public-read flag?

hsiddhu2 commented 1 year ago

I faced the same issue as of 05/2023. The repo is old and not maintained anymore. The Deployment-Pipeline template is outdated as well. Here is the new repo and tutorial if anyone wants to follow - New Repo - https://github.com/aws-containers/ecs-workshop-blue-green-deployments Tutorial at https://ecsworkshop.com/blue_green_deployments
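
The workaround reported in the comments above (deleting every `--acl public-read` flag from bin/deploy), as an added example that is not part of the thread or the repository's own code. The function names and the sample script content are constructed for illustration; point `strip_public_acl` at your own copy of the script.

```shell
#!/usr/bin/env bash
# Added example: function names and sample content are constructed for illustration.
# Matches "--acl public-read" and "--acl=public-read", but not other ACL values.
ACL_RE='--acl[[:space:]=]+public-read([[:space:]]|$)'

# Print how many public-read ACL arguments a file contains.
count_public_acl() {
    grep -Eo -e "$ACL_RE" "$1" | wc -l | tr -d '[:space:]'
}

# Strip the flag in place (original kept as FILE.bak).
# Returns non-zero if the file is missing or any occurrence survives.
strip_public_acl() {
    script="$1"
    [ -f "$script" ] || { echo "no such file: $script" >&2; return 2; }
    cp -p "$script" "$script.bak"
    sed -E "s/[[:space:]]*${ACL_RE}/\\1/g" "$script.bak" > "$script"
    [ "$(count_public_acl "$script")" -eq 0 ]
}

# Constructed stand-in for an upload script; not the real bin/deploy.
demo=$(mktemp -d)
cat > "$demo/deploy" <<'EOF'
aws s3 cp app.zip "s3://example-bucket/app.zip" --acl public-read
aws s3 cp templates/ "s3://example-bucket/templates" --recursive --acl=public-read --quiet
aws s3 cp extra.zip "s3://example-bucket/extra.zip" \
    --acl public-read
EOF

strip_public_acl "$demo/deploy"
echo "removed: $(count_public_acl "$demo/deploy.bak"), remaining: $(count_public_acl "$demo/deploy")"
```

With the flag gone, the uploaded objects keep the bucket's default (private) access, which is what accounts that block public S3 access require.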