S3 deployment is failing in bitbucket pipelines

Gulshan kumar February 11, 2020

I'm trying to deploy a static website to an S3 bucket through Bitbucket Pipelines but am getting an Access Denied error on the PutObject operation.

The bucket doesn't have public access; it is served through CloudFront distributions.

 

VERIFIED CHECKS:

  1. IAM user access
    • AmazonS3FullAccess
  2. Repository variables
    • AWS_ACCESS_KEY_ID
    • AWS_SECRET_ACCESS_KEY
    • QA_BUCKET
  3. CloudFront distribution
    • Pointed to the correct bucket
    • Allowed HTTP Methods
      • GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE
    • bucket policy
  4. Basic auth:
    • Through AWS Lambda
{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <ID>"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::qa.polarunicorn.com/*"
    }
  ]
}

 

bitbucket-pipelines.yml

image: node:10.15.3

pipelines:
  custom:
    qa:
      - step:
          name: QA - Install, test and build
          caches:
            - node
          script:
            - yarn
            - yarn test
            - yarn build:dev
          artifacts:
            - dist/**
      - step:
          name: QA - Deploy on S3
          deployment: test
          script:
            - pipe: atlassian/aws-s3-deploy:0.3.7
              variables:
                AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID
                AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY
                AWS_DEFAULT_REGION: '$AWS_REGION_NAME'
                S3_BUCKET: '$QA_BUCKET'
                ACL: 'public-read'
                LOCAL_PATH: 'dist'
                DELETE_FLAG: 'true'

 

Pipeline's build status:

build-failing.png

 

I found and tried all the possible solutions but am not able to catch the actual issue here because everything looks good, as expected... ☹️

  

2 answers

1 accepted

1 vote
Answer accepted
Alexander Zhukov
Atlassian Team
February 18, 2020

Hi @Gulshan kumar, do you have any other Bucket ACLs, IAM Policies or Bucket Policies configured? Does the IAM user own the bucket and/or objects that you try to update?

Gulshan kumar February 19, 2020

Thanks for the update, @Alexander Zhukov. I just found the issue, and it requires a minor change: the ACL value in bitbucket-pipelines.yml just needs to be updated to:

ACL: 'bucket-owner-full-control'

and earlier, I was using

ACL: 'public-read'

(check in the question above)

 

---

All the valid values are:

private | public-read | public-read-write | authenticated-read | bucket-owner-read | bucket-owner-full-control | private

Default: private
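
The fix in the reply above swaps a public canned ACL for a non-public one. The following is an added example (not from the original posts or from the Atlassian pipe) of a pre-deploy check for that mismatch. It assumes the bucket has the S3 Block Public Access setting `BlockPublicAcls` enabled, which the thread does not confirm; `deploy_acls`, `denied_puts` and both sample inputs are constructed for illustration.

```python
import json
import re

# Canned ACLs that grant to the AllUsers or AuthenticatedUsers groups; S3 Block
# Public Access treats these as public ACLs.
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}

# Constructed samples: the deploy step from the question, and the shape of
# `aws s3api get-public-access-block` output (assumed setting, not from the page).
PIPELINE = """\
- step:
    name: QA - Deploy on S3
    script:
      - pipe: atlassian/aws-s3-deploy:0.3.7
        variables:
          S3_BUCKET: '$QA_BUCKET'
          ACL: 'public-read'
"""
PUBLIC_ACCESS_BLOCK = '{"PublicAccessBlockConfiguration": {"BlockPublicAcls": true}}'


def deploy_acls(pipeline_text):
    """Yield (line_number, acl) for each ACL variable under an aws-s3-deploy pipe."""
    in_pipe = False
    for number, line in enumerate(pipeline_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("- pipe:"):
            in_pipe = "atlassian/aws-s3-deploy" in stripped
        elif stripped.startswith("- "):
            in_pipe = False  # a different script entry or a new step
        match = re.match(r"ACL:\s*['\"]?([\w-]+)['\"]?\s*$", stripped)
        if in_pipe and match:
            yield number, match.group(1)


def denied_puts(pipeline_text, public_access_block_json):
    """Return deploy ACLs that S3 would reject with AccessDenied on PutObject."""
    config = json.loads(public_access_block_json)["PublicAccessBlockConfiguration"]
    if not config.get("BlockPublicAcls", False):
        return []
    return [(number, acl) for number, acl in deploy_acls(pipeline_text)
            if acl in PUBLIC_CANNED_ACLS]


if __name__ == "__main__":
    for number, acl in denied_puts(PIPELINE, PUBLIC_ACCESS_BLOCK):
        print(f"line {number}: public ACL '{acl}' is rejected while BlockPublicAcls is on")
```

With `BlockPublicAcls` on, the PutObject is refused because of the ACL in the request, regardless of the IAM user's `AmazonS3FullAccess` policy, which is consistent with the symptom in the question.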
0 votes
Helton souza November 10, 2021

Is there any way it can mistakenly update all my buckets?
