
Cache access denied due to ListBucket not allowed in the cache policy

Open nexonen opened this issue 5 months ago • 0 comments

GitLab runner version 18.0.2

I'm seeing that the runner is unable to pull the cache, with this error:

```
Checking cache for default-protected...
WARNING: received: 403 Forbidden. Request failed with code: AccessDenied, message: User: arn:aws:sts::xxxxxxxxx:assumed-role/xxxxxxxx-eu-west-1-linux-instance/i-055ca2376917ae809 is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::xxxxxxxx-eu-west-1-linux-xxxxxxxxx-gitlab-runner-cache" because no identity-based policy allows the s3:ListBucket action
Failed to extract cache
```

I was able to fix this problem by modifying the cache.json policy to:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allowGitLabRunnersAccessCache",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetObject",
        "s3:GetObjectAcl"
      ],
      "Resource": ["${s3_cache_arn}/*"]
    },
    {
      "Sid": "allowGitLabRunnersListCache",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["${s3_cache_arn}"]
    }
  ]
}
```

After doing this I ran the job again and confirmed it could now pull from the cache.

Additional context

Using docker-autoscaler.

nexonen · May 30 '25 10:05
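The point of the fix above is that `s3:ListBucket` is evaluated against the bucket ARN itself, while the object actions are evaluated against `bucket-arn/key`, so a single statement scoped to `${s3_cache_arn}/*` can never satisfy the ListBucket call. The following added example (not part of terraform-aws-gitlab-runner or of the post) renders a `cache.json`-style template the way Terraform's `templatefile()` would, then runs a simplified IAM evaluation over each call the runner cache makes. The "before" template is constructed to show the common mistake of granting `s3:ListBucket` only on the object ARN; the "after" template is the policy from the post. The bucket ARN and object keys are placeholders, and the evaluator deliberately models only plain `Action`/`Resource` statements.

```python
"""Added check (not part of terraform-aws-gitlab-runner): render a cache.json policy
template and verify it grants every S3 action the runner cache needs, including
s3:ListBucket on the bucket ARN rather than on the objects under it."""
import fnmatch
import json

# Constructed placeholder standing in for the module's ${s3_cache_arn} value.
CACHE_ARN = "arn:aws:s3:::example-eu-west-1-linux-gitlab-runner-cache"

# Constructed "before" template: ListBucket is listed, but only against the object
# ARN pattern, so the call on the bucket ARN still gets AccessDenied.
BEFORE_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allowGitLabRunnersAccessCache",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject",
                 "s3:GetObjectAcl", "s3:ListBucket"],
      "Resource": ["${s3_cache_arn}/*"]
    }
  ]
}"""

# The corrected policy from the issue: ListBucket in its own statement on the bucket ARN.
AFTER_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allowGitLabRunnersAccessCache",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl"],
      "Resource": ["${s3_cache_arn}/*"]
    },
    {
      "Sid": "allowGitLabRunnersListCache",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["${s3_cache_arn}"]
    }
  ]
}"""


def render(template: str, cache_arn: str) -> dict:
    """Mimic Terraform's templatefile() substitution for the one variable used here."""
    return json.loads(template.replace("${s3_cache_arn}", cache_arn))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow
    grants. Actions compare case-insensitively, resources case-sensitively, and '*'
    / '?' wildcards follow IAM semantics via fnmatch. Only plain Action/Resource
    statements are modelled; anything else is rejected rather than guessed at."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if any(key in stmt for key in ("NotAction", "NotResource", "Condition")):
            raise ValueError(f"statement {stmt.get('Sid')} uses a construct not modelled here")
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Each call the runner cache makes and the ARN AWS evaluates it against.
# ListBucket targets the bucket itself; object calls target bucket-arn/key.
CACHE_CALLS = {
    "s3:ListBucket": "{bucket}",
    "s3:GetObject": "{bucket}/project/default-protected/cache.zip",  # constructed key
    "s3:PutObject": "{bucket}/project/default-protected/cache.zip",
}


def cache_permissions(policy: dict, bucket_arn: str) -> dict:
    """Return {action: allowed?} for every call in CACHE_CALLS."""
    return {action: is_allowed(policy, action, res.format(bucket=bucket_arn))
            for action, res in CACHE_CALLS.items()}


def missing_permissions(template: str, bucket_arn: str = CACHE_ARN) -> list:
    """Actions the rendered template fails to grant; an empty list means the cache works."""
    perms = cache_permissions(render(template, bucket_arn), bucket_arn)
    return sorted(action for action, ok in perms.items() if not ok)


if __name__ == "__main__":
    for name, template in (("before", BEFORE_TEMPLATE), ("after", AFTER_TEMPLATE)):
        print(f"{name}: missing {missing_permissions(template) or 'nothing'}")
```

Running it reports `s3:ListBucket` as missing for the "before" template and nothing for the "after" one. Because the checker reads the template with the `${s3_cache_arn}` placeholder still in place, the same function can be pointed at a repository's `cache.json` to catch this class of mistake before a runner is deployed with it.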