Hey everyone, I'm having a real head-scratcher with my AWS CodeBuild pipeline that's set up within an AWS Organizations account. The pipeline consistently crashes during the "apply" phase, and I'm getting the following error in the logs: 'CodeBuild is not authorized to perform iam:CreateRole on a resource with an explicit deny on SCP.' My admin and I have thoroughly checked the Service Control Policies (SCPs) for the affected account and its parent Organizational Units (OUs), and we couldn't find any explicit deny statements for the iam:CreateRole action.
The IAM role that CodeBuild uses has the correct permissions for creating roles, and there's a permissions boundary that allows this action under specific conditions. The role we're trying to create also meets all the necessary criteria. On top of that, I haven't been able to find any relevant logs in CloudTrail, which just adds to the confusion. So my questions to you are: 1) Has anyone experienced a situation where CloudTrail fails to log an AccessDenied event? 2) Could there be some hidden interaction with SCPs or permissions boundaries that leads to this deny? 3) Is it possible some configuration in AWS Organizations or Control Tower could be at play? Any guidance would be greatly appreciated!
4 Answers
By the way, are you using the AWS Landing Zone Accelerator? It could be relevant to the permissions boundary and IAM setup you're dealing with. Just a thought!
Honestly, this kind of issue is tricky and might be beyond what you can troubleshoot yourself. Consider opening a support ticket with AWS from both your Organization Account and the Member Account. Also, remember that just because there are no explicit denies doesn’t mean something isn’t being blocked. Maybe a NotAction in your SCPs isn't allowing what you need.
Have you checked for SCPs at the organizational root level? If you haven't, it's worth looking into. Sometimes, a deny can lurk higher up than you expect. That being said, it's puzzling to see an AccessDenied without clear deny statements in your SCPs. Maybe there’s more to the CodeBuild logging than we realize? Perhaps dive into the AWS documentation on how these logs work.
Look out for any SCPs that might be denying actions with a NotAction clause that excludes iam actions. That could be causing your issue without being obvious. Sometimes the complex interactions with SCPs can lead to unexpected behavior.
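To make the NotAction point in the two answers above concrete, here is a small, added example (not code from the thread or from AWS) that evaluates a constructed SCP against a handful of actions. The policy JSON, the Sid names and the helper functions are all made up for illustration; real SCP evaluation also takes Resource and Condition into account, which this evaluator leaves out. The point it demonstrates is that a Deny statement whose NotAction list exempts only a few services blocks iam:CreateRole without the string "iam:CreateRole" appearing anywhere in the policy, which is exactly why grepping the SCPs for an explicit deny on that action turns up nothing.

```python
"""Mini evaluator for the SCP 'Deny with NotAction' pattern.

Constructed example, not from the original thread or from AWS. It shows how a
Deny statement that uses NotAction (an allow-list of exempted actions) blocks
iam:CreateRole without ever naming iam:CreateRole in an explicit deny. The
policy below is made up; real SCPs also evaluate Resource and Condition,
which are omitted here.
"""
import fnmatch
import json

# Constructed SCP. The intent was "deny everything except S3 and EC2 reads",
# but an author reading it for "iam:CreateRole" finds nothing: the deny is
# expressed as NotAction, so every action outside the list is denied.
SCP_WITH_NOTACTION = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAll",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
        },
        {
            "Sid": "DenyOutsideApprovedServices",
            "Effect": "Deny",
            "NotAction": ["s3:*", "ec2:Describe*"],
            "Resource": "*",
        },
    ],
})


def _as_list(value):
    # Policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names match case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(policy_json, action):
    """Return the Sid of the first Deny statement that blocks `action`, or None.

    Deny + Action denies the listed actions; Deny + NotAction denies every
    action that is NOT listed. Allow statements are skipped because in an SCP
    any matching Deny wins regardless of Allows.
    """
    policy = json.loads(policy_json)
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            if any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                return stmt.get("Sid", "<no Sid>")
        elif "NotAction" in stmt:
            if not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"])):
                return stmt.get("Sid", "<no Sid>")
    return None


def find_notaction_denies(policy_json):
    """Lint helper: Sids of Deny statements that use NotAction. These are the
    statements to inspect when a search for the denied action finds nothing."""
    policy = json.loads(policy_json)
    return [s.get("Sid", "<no Sid>") for s in _as_list(policy["Statement"])
            if s.get("Effect") == "Deny" and "NotAction" in s]


if __name__ == "__main__":
    for act in ("iam:CreateRole", "s3:PutObject",
                "ec2:DescribeInstances", "ec2:RunInstances"):
        print(f"{act:24} denied by: {scp_denies(SCP_WITH_NOTACTION, act)}")
    print("Deny statements using NotAction:",
          find_notaction_denies(SCP_WITH_NOTACTION))
```

When walking real SCPs, run this kind of check over every policy attached along the account's path (the account itself, each parent OU, and the organization root), since a Deny anywhere on that path applies; and remember that this toy evaluator ignores Condition blocks, so a NotAction deny that is scoped by a condition (for example, exempting a specific principal ARN) needs to be read by hand.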