On July 31, 2024, Amazon Web Services (AWS) will discontinue support for creating and viewing AWS CodeStar projects. After July 31, 2024, you will no longer be able to access the AWS CodeStar console or create new projects. However, the AWS resources created by AWS CodeStar, including your source repositories, pipelines, and builds, will be unaffected by this change and will continue to function. AWS CodeStar Connections and AWS CodeStar Notifications will not be impacted by this discontinuation.
If you wish to track work, develop code, and build, test, and deploy
your applications, Amazon CodeCatalyst provides a streamlined getting started
process and additional functionality to manage your software projects. Learn
more about functionality
Troubleshooting AWS CodeStar
The following information might help you troubleshoot common issues in AWS CodeStar.
Topics
- Project creation failure: A project was not created
- Project creation: I see an error when I try to edit Amazon EC2 configuration when creating a project
- Project deletion: An AWS CodeStar project was deleted, but resources still exist
- Team management failure: An IAM user could not be added to a team in an AWS CodeStar project
- Access failure: A federated user cannot access an AWS CodeStar project
- Access failure: A federated user cannot access or create an AWS Cloud9 environment
- Access failure: A federated user can create an AWS CodeStar project, but cannot view project resources
- Service role issue: The service role could not be created
- Service role issue: The service role is not valid or missing
- Project role issue: AWS Elastic Beanstalk health status checks fail for instances in an AWS CodeStar project
- Project role issue: A project role is not valid or missing
- Project extensions: Can't connect to JIRA
- GitHub: Can't access a repository's commit history, issues, or code
- AWS CloudFormation: Stack Creation Rolled Back for Missing Permissions
- AWS CloudFormation is not authorized to perform iam:PassRole on Lambda execution role
- Unable to create the connection for a GitHub repository
Project creation failure: A project was not created
Problem: When you try to create a project, you see a message that says the creation failed.
Possible fixes: The most common reasons for failure are:
-
A project with that ID already exists in your AWS account, possibly in a different AWS Region.
-
The IAM user you used to sign in to the AWS Management Console doesn't have the permissions required to create a project.
-
The AWS CodeStar service role is missing one or more required permissions.
-
You have reached the maximum limit for one or more resources for a project (such as the limit on customer managed policies in IAM, Amazon S3 buckets, or pipelines in CodePipeline).
Before you create a project, verify that you have the AWSCodeStarFullAccess
policy applied
to your IAM user. For more information, see
AWSCodeStarFullAccess Policy.
When you create a project, make sure that the ID is unique and meets the AWS CodeStar requirements. Be sure you selected the AWS CodeStar would like permission to administer AWS resources on your behalf check box.
To troubleshoot other issues, open the AWS CloudFormation console, choose the stack for the project
you tried to create, and choose the Events tab. There might be more
than one stack for a project. The stack names start with awscodestar-
and
are followed by the project ID. Stacks might be under the Deleted
filter view. Review any failure messages in the stack events and correct the issue
listed as the cause of those failures.
Project creation: I see an error when I try to edit Amazon EC2 configuration when creating a project
Problem: When you edit the Amazon EC2 configuration options during project creation, you see an error message or grayed-out option, and cannot continue with project creation.
Possible fixes: The most common reasons for an error message are:
-
The VPC in the AWS CodeStar project template (either the default VPC or the one used when the Amazon EC2 configuration was edited) has dedicated instance tenancy, and the instance type is not supported for dedicated instances. Choose a different instance type or a different Amazon VPC.
-
Your AWS account has no Amazon VPCs. You might have deleted the default VPC and not created any others. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/
, choose Your VPCs, and make sure that you have at least one VPC configured. If not, create one. For more information, see Amazon Virtual Private Cloud Overview in the Amazon VPC Getting Started Guide. -
The Amazon VPC does not have any subnets. Choose a different VPC or create a subnet for the VPC. For more information, see VPC and Subnet Basics.
Project deletion: An AWS CodeStar project was deleted, but resources still exist
Problem: An AWS CodeStar project was deleted, but resources created for that project still exist. By default, AWS CodeStar deletes project resources when the project is deleted. Some resources, such as Amazon S3 buckets, are retained even if the user selects the Delete resources check box, because the buckets might contain data.
Possible fixes: Open the AWS CloudFormation consoleawscodestar-
and are followed by the project ID. The stacks might be
under the Deleted filter view. Review the events associated with
the stack to discover the resources created for the project. Open the console for each
of those resources in the AWS Region where you created the AWS CodeStar project, and then
manually delete the resources.
Project resources that might remain include:
-
One or more project buckets in Amazon S3. Unlike other project resources, project buckets in Amazon S3 are not deleted when the Delete associated AWS resources along with AWS CodeStar project check box is selected.
Open the Amazon S3 console at https://console.aws.amazon.com/s3/
. -
A source repository for your project in CodeCommit.
Open the CodeCommit console at https://console.aws.amazon.com/codecommit/
. -
A pipeline for your project in CodePipeline.
Open the CodePipeline console at https://console.aws.amazon.com/codepipeline/
. -
An application and associated deployment groups in CodeDeploy.
Open the CodeDeploy console at https://console.aws.amazon.com/codedeploy/
. -
An application and associated environments in AWS Elastic Beanstalk.
Open the Elastic Beanstalk console at https://console.aws.amazon.com/elasticbeanstalk/
. -
A function in AWS Lambda.
Open the AWS Lambda console at https://console.aws.amazon.com/lambda/
. -
One or more APIs in API Gateway.
Open the API Gateway console at https://console.aws.amazon.com/apigateway/
. -
One or more IAM policies or roles in IAM.
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
. -
An instance in Amazon EC2.
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
. -
One or more development environments in AWS Cloud9.
To view, access, and manage development environments, open the AWS Cloud9 console at https://console.aws.amazon.com/cloud9/
.
If your project uses resources outside of AWS (for example, a GitHub repository or issues in Atlassian JIRA), those resources are not deleted, even if the Delete associated AWS resources along with CodeStar project box is selected.
Team management failure: An IAM user could not be added to a team in an AWS CodeStar project
Problem: When you try to add a user to a project, you see an error message that says that the addition failed.
Possible fixes: The most common reason for this error is that the user has reached the limit of managed policies that can be applied to a user in IAM. You might also receive this error if you do not have the owner role in the AWS CodeStar project where you tried to add the user, or if the IAM user does not exist or was deleted.
Make sure you are signed in as an user who is an owner in that AWS CodeStar project. For more information, see Add Team Members to an AWS CodeStar Project .
To troubleshoot other issues, open the IAM console, choose the user you tried to add, and check how many managed policies are applied to that IAM user.
For more information, see Limitations on IAM Entities and Objects. For limits that can be changed, see AWS Service Limits.
Access failure: A federated user cannot access an AWS CodeStar project
Problem: A federated user is unable to see projects in the AWS CodeStar console.
Possible fixes: If you are signed in as a federated user, make sure you have the appropriate managed policy attached to the role you assume to sign in. For more information, see Attach Your Project's AWS CodeStar Viewer/Contributor/Owner Managed Policy to the Federated User's Role.
Add federated users to your AWS Cloud9 environment by manually attaching policies. See Attach an AWS Cloud9 Managed Policy to the Federated User's Role.
Access failure: A federated user cannot access or create an AWS Cloud9 environment
Problem: A federated user is unable to see or create an AWS Cloud9 environment in the AWS Cloud9 console.
Possible fixes: If you are signed in as a federated user, make sure you have the appropriate managed policy attached to the federated user's role.
You add federated users to your AWS Cloud9 environment by manually attaching policies to the federated user's role. See Attach an AWS Cloud9 Managed Policy to the Federated User's Role.
Access failure: A federated user can create an AWS CodeStar project, but cannot view project resources
Problem: A federated user was able to create a project, but cannot view project resources, such as the project pipeline.
Possible fixes: If you have attached the
AWSCodeStarFullAccess
managed policy, you have permissions to
create a project in AWS CodeStar. However, to access all project resources, you must attach the
owner managed policy.
After AWS CodeStar creates the project resources, project permissions to all project resources are available in the owner, contributer, and viewer managed policies. To access all of the resources, you must manually attach the owner policy to your role. See Step 3: Configure the User's IAM Permissions.
Service role issue: The service role could not be created
Problem: When you try to create a project in AWS CodeStar, you see a message that prompts you to create the service role. When you choose the option to create it, you see an error.
Possible fixes: The most common reason for this error
is that you are signed in to AWS with an account that does not have sufficient
permissions to create the service role. To create the AWS CodeStar service role
(aws-codestar-service-role
), you must be signed in as an administrative user
or with a root account. Sign out of the console, and sign in with an IAM user that has
the AdministratorAccess
managed policy applied.
Service role issue: The service role is not valid or missing
Problem: When you open the AWS CodeStar console, you see a message that says the AWS CodeStar service role is missing or not valid.
Possible fixes: The most common reason for this error
is that an administrative user edited or deleted the service role
(aws-codestar-service-role
). If the service role was deleted, you are prompted
to create it. You must be signed in as an administrative user or with a root account to
create the role. If the role was edited, it is no longer valid. Sign in to the IAM
console as an administrative user, find the service role in the list of roles, and
delete it. Switch to the AWS CodeStar console and follow the instructions to create the service
role.
Project role issue: AWS Elastic Beanstalk health status checks fail for instances in an AWS CodeStar project
Problem: If you created an AWS CodeStar project that includes Elastic Beanstalk before September 22, 2017, Elastic Beanstalk health status checks might fail. If you have not changed the Elastic Beanstalk configuration since you created the project, the health status check fails and reports a gray state. Despite the health check failure, your application should still run as expected. If you changed the Elastic Beanstalk configuration since you created the project, the health status check fails, and your application might not run correctly.
Fix: One or more IAM roles are missing required IAM policy statements. Add the missing policies to the affected roles in your AWS account.
-
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
. (If you cannot do this, see your AWS account administrator for assistance.)
-
In the navigation pane, choose Roles.
-
In the list of roles, choose CodeStarWorker-
Project-ID
-EB, whereProject-ID
is the ID of one of the affected projects. (If you cannot easily find a role in the list, enter some or all of the role's name in the Search box.) -
On the Permissions tab, choose Attach Policy.
-
In the list of policies, select AWSElasticBeanstalkEnhancedHealth and AWSElasticBeanstalkService. (If you cannot easily find a policy in the list, enter some or all of the policy's name in the search box.)
-
Choose Attach Policy.
-
Repeat steps 3 through 6 for each affected role that has a name following the pattern CodeStarWorker-
Project-ID
-EB.
Project role issue: A project role is not valid or missing
Problem: When you try to add a user to a project, you see an error message that says the addition failed because the policy for a project role is either missing or not valid.
Possible fixes: The most common reason for this error is that one or more project policies was edited in or deleted from IAM. Project policies are unique to AWS CodeStar projects and cannot be recreated. The project cannot be used. Create a project in AWS CodeStar, and then migrate data to the new project. Clone project code from the unusable project's repository, and push that code to the new project's repository. Copy team wiki information from the old project to the new project. Add users to the new project. When you are sure you have migrated all data and settings, delete the unusable project.
Project extensions: Can't connect to JIRA
Problem: When you use the Atlassian JIRA extension to try to connect an AWS CodeStar project to a JIRA instance, the following message is displayed: "The URL is not a valid JIRA URL. Verify that the URL is correct."
Possible fixes:
-
Make sure the JIRA URL is correct, and then try connecting again.
-
Your self-hosted JIRA instance might not be accessible from the public internet. Contact your network administrator to make sure your JIRA instance can be accessed from the public internet, and then try connecting again.
GitHub: Can't access a repository's commit history, issues, or code
Problem: In the dashboard for a project that stores its code in GitHub, the Commit history and GitHub Issues tiles display a connection error, or choosing Open in GitHub or Create issue in these tiles displays an error.
Possible causes:
-
The AWS CodeStar project might no longer have access to the GitHub repository.
-
The repository might have been deleted or renamed in GitHub.
AWS CloudFormation: Stack Creation Rolled Back for Missing Permissions
After you add a resource to the template.yml
file, view the
AWS CloudFormation stack update for any error messages. The stack update fails if certain
criteria are not met (for example, when required resource permissions are
missing).
Note
As of May 2, 2019, we have updated the AWS CloudFormation worker role policy for all existing projects. This update reduces the scope of access permissions granted to your project pipeline for improved security in your projects.
To troubleshoot, view the failure status in the AWS CodeStar dashboard view for your project's pipeline.
Next, choose the CloudFormation link in your pipeline's Deploy stage to troubleshoot the failure in the AWS CloudFormation console. To view stack creation details, expand the Events list for your project and view any failure messages. The message indicates which permission is missing. Correct the AWS CloudFormation worker role policy and then execute your pipeline again.
AWS CloudFormation is not authorized to perform iam:PassRole on Lambda execution role
If you have a project created before December 6, 2018 PDT that creates Lambda functions, you might see a AWS CloudFormation error like this:
User: arn:aws:sts::
id
:assumed-role/CodeStarWorker-project-id
-CloudFormation/AWSCloudFormation is not authorized to perform: iam:PassRole on resource: arn:aws:iam::id
:role/CodeStarWorker-project-id
-Lambda (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID:id
)
This error occurs because your AWS CloudFormation worker role does not have permission to pass a role for provisioning your new Lambda function.
To fix this error, you will need to update your AWS CloudFormation worker role policy with the following snippet.
{ "Action":[ "iam:PassRole" ], "Resource": [ "arn:aws:iam::
account-id
:role/CodeStarWorker-project-id
-Lambda", ], "Effect": "Allow" }
After you update the policy, execute your pipeline again.
Alternatively, you can use a custom role for your Lambda function by adding a permissions boundary to your project, as described in Add an IAM Permissions Boundary to Existing Projects
Unable to create the connection for a GitHub repository
Problem:
Because a connection to a GitHub repository uses the AWS Connector for GitHub, you need organization owner permissions or admin permissions to the repository to create the connection.
Possible fixes: For information about permission
levels for a GitHub repository, see https://docs.github.com/en/free-pro-team@latest/github/setting-up-and-managing-organizations-and-teams/permission-levels-for-an-organization