ecs-blue-green-deployment

S3 permissions error

Open DavidRileyZip opened this issue 5 years ago • 5 comments

Hi,

I realise this is a fairly old demo now but I was surprised when it didn't work out of the box.

I tried to create the stack on the fargate branch in eu-west-2 so had to update the TemplateURL fields to:

https://${TemplateBucket}.s3.eu-west-2.amazonaws.com/templates/vpc.yaml

This meant the stack creation could progress further, but still failed to create the DeploymentPipeline stack with the following error for the LoadBalancer resource:

S3 error: Access Denied For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html

I then added s3:* to the inline policy within CloudFormationExecutionRole, but I am still seeing the above error.

Can anyone verify that they can get this stack working?

Thank you

David

DavidRileyZip, Jun 30 '20 15:06

@DavidRileyZip I had the same issue with access denied errors; I had to allow the S3 deployment bucket for the demo to have public ACLs. Not the best setup, but to run the demo it got things moving.

zswanson, Sep 19 '20 14:09

So, it's been a while, but I wanted to share that I could work around this issue by modifying the script bin/deploy and deleting the flag --acl public-read for all occurrences. Hope it helps.

emolvera, May 06 '21 01:05

I also had to add the following to templates/deployment-pipeline.yaml, on line 120 under Action: - s3:*

emolvera, May 06 '21 01:05

I faced the same issue as DavidRileyZip did and deleted the --acl public-read arg.

Problem is that you can't do this workshop if you are working in a provisioned AWS environment (for me distributed by my company) where giving public access to S3 is generally forbidden. Therefore you can't extend public access on any bucket that is created in that provisioned account.

Maybe you should think about rewriting the instructions without using the --acl public-read flag?

Seppo007, Dec 03 '21 21:12
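
The workaround described in the comments above (deleting `--acl public-read` from bin/deploy), shown as an added example that is not part of the thread or the repository. The function names are hypothetical and the sample script lines are constructed, not the real contents of bin/deploy.

```shell
#!/usr/bin/env bash
# Added example (not from the repository): audit a deploy script for
# public-read ACL flags and write a copy without them.

# Matches "--acl public-read" and "--acl=public-read" as a whole flag.
ACL_RE='--acl[= ]+public-read([[:space:]]|$)'

# List "line_number:text" for each line that requests a public-read ACL.
find_public_acl() { grep -nE -e "$ACL_RE" "$1"; }

# Number of lines carrying the flag; prints 0 when there are none.
count_public_acl() { grep -cE -e "$ACL_RE" "$1" || true; }

# Write $1 to $2 with the flag removed; every other argument is kept.
strip_public_acl() {
    sed -E "s/[[:space:]]*${ACL_RE}/\\1/g" "$1" > "$2"
}

# Constructed sample: these lines are NOT the real contents of bin/deploy.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/bash
aws s3 cp templates/vpc.yaml "s3://${bucket}/templates/" --acl public-read
aws s3 cp --acl=public-read app.zip "s3://${bucket}/"
aws s3 cp notes.txt "s3://${bucket}/" --acl bucket-owner-full-control
aws s3 cp readme.md "s3://${bucket}/"
EOF
}

# Demo on the constructed sample: show the hits, then the cleaned copy.
tmp=$(mktemp -d)
write_sample "$tmp/deploy"
echo "lines requesting a public-read ACL:"
find_public_acl "$tmp/deploy"
strip_public_acl "$tmp/deploy" "$tmp/deploy.fixed"
echo "flags left after stripping: $(count_public_acl "$tmp/deploy.fixed")"
cat "$tmp/deploy.fixed"
```

Review the listed lines before replacing the original script; uploads made without the flag keep the bucket's default (private) object ACL.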

I faced the same issue as of 05/2023. The repo is old and not maintained anymore. The Deployment-Pipeline template is outdated as well. Here is the new repo and tutorial if anyone wants to follow:

New Repo - https://github.com/aws-containers/ecs-workshop-blue-green-deployments
Tutorial at https://ecsworkshop.com/blue_green_deployments

hsiddhu2, May 23 '23 03:05