aws-samples / sagemaker-custom-project-templates

MIT No Attribution

deployCDKSynthBuild fails due to missing access for ssm:getParameter for CodeBuildRole #48

Open ArlindNocaj opened 1 year ago

ArlindNocaj commented 1 year ago

It seems that the CodeBuildRole is not allowed to access the SSM parameter. Setup: multi-account CDK.

See below:

```
[Container] 2022/09/30 18:08:49 going inside waitForAgent
[Container] 2022/09/30 18:08:49 Waiting for agent ping
[Container] 2022/09/30 18:08:50 Waiting for DOWNLOAD_SOURCE
[Container] 2022/09/30 18:08:52 Phase is DOWNLOAD_SOURCE
[Container] 2022/09/30 18:08:52 finished waitForAgent
[Container] 2022/09/30 18:08:52 inside CopySrc
[Container] 2022/09/30 18:08:52 CODEBUILD_SRC_DIR=/codebuild/output/src345865697/src
[Container] 2022/09/30 18:08:52 finished CopySrc
[Container] 2022/09/30 18:08:52 YAML location is /codebuild/readonly/buildspec.yml
[Container] 2022/09/30 18:08:52 Setting HTTP client timeout to higher timeout for S3 source
[Container] 2022/09/30 18:08:52 Processing environment variables
[Container] 2022/09/30 18:08:52 No runtime version selected in buildspec.
[Container] 2022/09/30 18:08:54 Moving to directory /codebuild/output/src345865697/src
[Container] 2022/09/30 18:08:54 Configuring ssm agent with target id: codebuild:882e8356-6095-49e9-8070-6ea8dfc45ce1
[Container] 2022/09/30 18:08:54 Successfully updated ssm agent configuration
[Container] 2022/09/30 18:08:54 Registering with agent
[Container] 2022/09/30 18:08:54 Phases found in YAML: 1
[Container] 2022/09/30 18:08:54  BUILD: 3 commands
[Container] 2022/09/30 18:08:54 Phase complete: DOWNLOAD_SOURCE State: SUCCEEDED
[Container] 2022/09/30 18:08:54 Phase context status code:  Message:
[Container] 2022/09/30 18:08:54 Entering execCommands
[Container] 2022/09/30 18:08:54 Entering phase INSTALL
[Container] 2022/09/30 18:08:54 Phase complete: INSTALL State: SUCCEEDED
[Container] 2022/09/30 18:08:54 Phase context status code:  Message:
[Container] 2022/09/30 18:08:54 Entering phase PRE_BUILD
[Container] 2022/09/30 18:08:54 Phase complete: PRE_BUILD State: SUCCEEDED
[Container] 2022/09/30 18:08:54 Phase context status code:  Message:
[Container] 2022/09/30 18:08:54 Entering phase BUILD
[Container] 2022/09/30 18:08:54 Running command npm install -g aws-cdk
/usr/local/bin/cdk -> /usr/local/lib/node_modules/aws-cdk/bin/cdk
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.3.2 (node_modules/aws-cdk/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

+ aws-cdk@2.44.0
added 1 package from 1 contributor in 3.132s

[Container] 2022/09/30 18:09:12 Running command pip install -r requirements.txt
Collecting aws-cdk-lib
Downloading aws_cdk_lib-2.44.0-py3-none-any.whl (62.1 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 62.1/62.1 MB 34.1 MB/s eta 0:00:00
Requirement already satisfied: boto3 in /root/.pyenv/versions/3.9.12/lib/python3.9/site-packages (from -r requirements.txt (line 2)) (1.24.18)
Collecting constructs
Downloading constructs-10.1.117-py3-none-any.whl (56 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 56.5/56.5 kB 3.8 MB/s eta 0:00:00
Collecting yamldataclassconfig
Downloading yamldataclassconfig-1.5.0-py3-none-any.whl (12 kB)
Collecting jsii<2.0.0,>=1.68.0
Downloading jsii-1.69.0-py3-none-any.whl (554 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 554.7/554.7 kB 33.4 MB/s eta 0:00:00
Collecting publication>=0.0.3
Downloading publication-0.0.3-py2.py3-none-any.whl (7.7 kB)
Collecting typeguard~=2.13.3
Downloading typeguard-2.13.3-py3-none-any.whl (17 kB)
Requirement already satisfied: botocore<1.28.0,>=1.27.18 in /root/.pyenv/versions/3.9.12/lib/python3.9/site-packages (from boto3->-r requirements.txt (line 2)) (1.27.18)
Requirement already satisfied: s3transfer<0.7.0,>=0.6.0 in /root/.pyenv/versions/3.9.12/lib/python3.9/site-packages (from boto3->-r requirements.txt (line 2)) (0.6.0)
Requirement already satisfied: jmespath<2.0.0,>=0.7.1 in /root/.pyenv/versions/3.9.12/lib/python3.9/site-packages (from boto3->-r requirements.txt (line 2)) (0.10.0)
Requirement already satisfied: pyyaml in /root/.pyenv/versions/3.9.12/lib/python3.9/site-packages (from yamldataclassconfig->-r requirements.txt (line 4)) (5.4.1)
Collecting dataclasses-json
Downloading dataclasses_json-0.5.7-py3-none-any.whl (25 kB)
Requirement already satisfied: python-dateutil<3.0.0,>=2.1 in /root/.pyenv/versions/3.9.12/lib/python3.9/site-packages (from botocore<1.28.0,>=1.27.18->boto3->-r requirements.txt (line 2)) (2.8.2)
Requirement already satisfied: urllib3<1.27,>=1.25.4 in /root/.pyenv/versions/3.9.12/lib/python3.9/site-packages (from botocore<1.28.0,>=1.27.18->boto3->-r requirements.txt (line 2)) (1.26.9)
Requirement already satisfied: attrs<23.0,>=21.2 in /root/.pyenv/versions/3.9.12/lib/python3.9/site-packages (from jsii<2.0.0,>=1.68.0->aws-cdk-lib->-r requirements.txt (line 1)) (21.4.0)
Requirement already satisfied: typing-extensions<5.0,>=3.7 in /root/.pyenv/versions/3.9.12/lib/python3.9/site-packages (from jsii<2.0.0,>=1.68.0->aws-cdk-lib->-r requirements.txt (line 1)) (3.10.0.0)
Collecting cattrs<22.2,>=1.8
Downloading cattrs-22.1.0-py3-none-any.whl (33 kB)
Collecting typing-inspect>=0.4.0
Downloading typing_inspect-0.8.0-py3-none-any.whl (8.7 kB)
Collecting marshmallow-enum<2.0.0,>=1.5.1
Downloading marshmallow_enum-1.5.1-py2.py3-none-any.whl (4.2 kB)
Collecting marshmallow<4.0.0,>=3.3.0
Downloading marshmallow-3.18.0-py3-none-any.whl (48 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 48.8/48.8 kB 3.2 MB/s eta 0:00:00
Collecting exceptiongroup
Downloading exceptiongroup-1.0.0rc9-py3-none-any.whl (12 kB)
Collecting packaging>=17.0
Downloading packaging-21.3-py3-none-any.whl (40 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 40.8/40.8 kB 2.7 MB/s eta 0:00:00
Requirement already satisfied: six>=1.5 in /root/.pyenv/versions/3.9.12/lib/python3.9/site-packages (from python-dateutil<3.0.0,>=2.1->botocore<1.28.0,>=1.27.18->boto3->-r requirements.txt (line 2)) (1.16.0)
Collecting mypy-extensions>=0.3.0
Downloading mypy_extensions-0.4.3-py2.py3-none-any.whl (4.5 kB)
Collecting pyparsing!=3.0.5,>=2.0.2
Downloading pyparsing-3.0.9-py3-none-any.whl (98 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 98.3/98.3 kB 5.6 MB/s eta 0:00:00
Installing collected packages: publication, mypy-extensions, typing-inspect, typeguard, pyparsing, exceptiongroup, packaging, cattrs, marshmallow, jsii, marshmallow-enum, constructs, dataclasses-json, aws-cdk-lib, yamldataclassconfig
Successfully installed aws-cdk-lib-2.44.0 cattrs-22.1.0 constructs-10.1.117 dataclasses-json-0.5.7 exceptiongroup-1.0.0rc9 jsii-1.69.0 marshmallow-3.18.0 marshmallow-enum-1.5.1 mypy-extensions-0.4.3 packaging-21.3 publication-0.0.3 pyparsing-3.0.9 typeguard-2.13.3 typing-inspect-0.8.0 yamldataclassconfig-1.5.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

[notice] A new release of pip available: 22.1.2 -> 22.2.2
[notice] To update, run: pip install --upgrade pip

[Container] 2022/09/30 18:09:34 Running command cdk synth --no-lookups
Traceback (most recent call last):
  File "/codebuild/output/src345865697/src/app.py", line 18, in <module>
    from deploy_endpoint.deploy_endpoint_stack import DeployEndpointStack
  File "/codebuild/output/src345865697/src/deploy_endpoint/deploy_endpoint_stack.py", line 31, in <module>
    from .get_approved_package import get_approved_package
  File "/codebuild/output/src345865697/src/deploy_endpoint/get_approved_package.py", line 21, in <module>
    from config.constants import DEFAULT_DEPLOYMENT_REGION, MODEL_PACKAGE_GROUP_NAME
  File "/codebuild/output/src345865697/src/config/constants.py", line 25, in <module>
    DEV_ACCOUNT = ssm_client.get_parameter(Name="/mlops/dev/account_id")["Parameter"]["Value"]
  File "/root/.pyenv/versions/3.9.12/lib/python3.9/site-packages/botocore/client.py", line 508, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/root/.pyenv/versions/3.9.12/lib/python3.9/site-packages/botocore/client.py", line 915, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::464573237931:assumed-role/SC-464573237931-pp-wtvyh6-deployCodeBuildRole3A87A-1VPK8Z8KK44OX/AWSCodeBuild-882e8356-6095-49e9-8070-6ea8dfc45ce1 is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-west-1:464573237931:parameter/mlops/dev/account_id because no identity-based policy allows the ssm:GetParameter action

Subprocess exited with error 1

[Container] 2022/09/30 18:09:45 Command did not exit successfully cdk synth --no-lookups exit status 1
[Container] 2022/09/30 18:09:45 Phase complete: BUILD State: FAILED
[Container] 2022/09/30 18:09:45 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: cdk synth --no-lookups. Reason: exit status 1
[Container] 2022/09/30 18:09:45 Entering phase POST_BUILD
[Container] 2022/09/30 18:09:45 Phase complete: POST_BUILD State: SUCCEEDED
[Container] 2022/09/30 18:09:45 Phase context status code:  Message:
[Container] 2022/09/30 18:09:45 exiting execCommands
[Container] 2022/09/30 18:09:45 Expanding base directory path: cdk.out
[Container] 2022/09/30 18:09:45 Assembling file list
[Container] 2022/09/30 18:09:45 Expanding cdk.out
[Container] 2022/09/30 18:09:45 Expanding file paths for base directory cdk.out
[Container] 2022/09/30 18:09:45 Assembling file list
[Container] 2022/09/30 18:09:45 Expanding **/*
[Container] 2022/09/30 18:09:45 Phase complete: UPLOAD_ARTIFACTS State: FAILED
[Container] 2022/09/30 18:09:45 Phase context status code: CLIENT_ERROR Message: no matching artifact paths found
```
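
An added example, not part of the original report and not the project's own fix: it reads the `AccessDeniedException` line from the log above and derives an identity-policy statement limited to the denied action on the denied parameter ARN, instead of a broad `ssm:*` grant. The function names and `SCP_LINE` are constructed for illustration; `SCP_LINE` shows a denial that adding an Allow would not resolve.

```python
import json
import re

# Error line copied from the build log above.
LOG_LINE = (
    "botocore.exceptions.ClientError: An error occurred (AccessDeniedException) "
    "when calling the GetParameter operation: User: arn:aws:sts::464573237931:"
    "assumed-role/SC-464573237931-pp-wtvyh6-deployCodeBuildRole3A87A-1VPK8Z8KK44OX/"
    "AWSCodeBuild-882e8356-6095-49e9-8070-6ea8dfc45ce1 is not authorized to perform: "
    "ssm:GetParameter on resource: arn:aws:ssm:eu-west-1:464573237931:parameter"
    "/mlops/dev/account_id because no identity-based policy allows the "
    "ssm:GetParameter action"
)
# Constructed sample (not from the page): an explicit deny, which no added Allow can fix.
SCP_LINE = (
    "User: arn:aws:sts::111122223333:assumed-role/ExampleRole/session is not "
    "authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-west-1:"
    "111122223333:parameter/example with an explicit deny in a service control policy"
)

DENIED = re.compile(
    r"User: arn:aws:sts::\d{12}:assumed-role/(?P<role>[^/\s]+)/\S+ "
    r"is not authorized to perform: (?P<action>[\w-]+:\w+) "
    r"on resource: (?P<resource>arn:\S+)(?P<reason>.*)$"
)

def missing_allows(lines):
    """Map role name -> sorted (action, resource) pairs denied only for lack of an Allow."""
    found = {}
    for line in lines:
        m = DENIED.search(line)
        # Explicit denies, SCPs and permission boundaries need a different fix.
        if m and "no identity-based policy allows" in m["reason"]:
            found.setdefault(m["role"], set()).add((m["action"], m["resource"]))
    return {role: sorted(pairs) for role, pairs in found.items()}

def policy_document(pairs):
    """One statement per denied pair: exact action, exact resource ARN, no wildcards."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": action, "Resource": resource}
            for action, resource in pairs
        ],
    }

if __name__ == "__main__":
    for role, pairs in missing_allows([LOG_LINE, SCP_LINE]).items():
        print(role)
        print(json.dumps(policy_document(pairs), indent=2))
```

The traceback stops at the first denied call, so any further parameters read later in `config/constants.py` would only appear as denials in subsequent builds.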