Troubleshooting CodePipeline - AWS CodePipeline

Troubleshooting CodePipeline

The following information might help you troubleshoot common issues in AWS CodePipeline.

Pipeline error: A pipeline configured with AWS Elastic Beanstalk returns an error message: "Deployment failed. The provided role does not have sufficient permissions: Service:AmazonElasticLoadBalancing"

Problem: The service role for CodePipeline does not have sufficient permissions for AWS Elastic Beanstalk, including, but not limited to, some operations in Elastic Load Balancing. The service role for CodePipeline was updated on August 6, 2015 to address this issue. Customers who created their service role before this date must modify the policy statement for their service role to add the required permissions.

Possible fixes: The easiest solution is to edit the policy statement for your service role as detailed in Add permissions to the CodePipeline service role.

After you apply the edited policy, follow the steps in Start a pipeline manually to manually rerun any pipelines that use Elastic Beanstalk.

Depending on your security needs, you can modify the permissions in other ways, too.

Deployment error: A pipeline configured with an AWS Elastic Beanstalk deploy action hangs instead of failing if the "DescribeEvents" permission is missing

Problem: The service role for CodePipeline must include the "elasticbeanstalk:DescribeEvents" action for any pipelines that use AWS Elastic Beanstalk. Without this permission, AWS Elastic Beanstalk deploy actions hang without failing or indicating an error. If this action is missing from your service role, then CodePipeline does not have permissions to run the pipeline deployment stage in AWS Elastic Beanstalk on your behalf.

Possible fixes: Review your CodePipeline service role. If the "elasticbeanstalk:DescribeEvents" action is missing, use the steps in Add permissions to the CodePipeline service role to add it using the Edit Policy feature in the IAM console.

After you apply the edited policy, follow the steps in Start a pipeline manually to manually rerun any pipelines that use Elastic Beanstalk.

Pipeline error: A source action returns the insufficient permissions message: "Could not access the CodeCommit repository repository-name. Make sure that the pipeline IAM role has sufficient permissions to access the repository."

Problem: The service role for CodePipeline does not have sufficient permissions for CodeCommit and likely was created before support for using CodeCommit repositories was added on April 18, 2016. Customers who created their service role before this date must modify the policy statement for their service role to add the required permissions.

Possible fixes: Add the required permissions for CodeCommit to your CodePipeline service role's policy. For more information, see Add permissions to the CodePipeline service role.
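The two service-role problems above (the missing "elasticbeanstalk:DescribeEvents" action and the missing CodeCommit permissions) can be caught before a pipeline run by checking the role's policy documents for the required actions. The following Python sketch is an added example, not AWS code. It assumes the policy JSON has already been exported from IAM; the role documents are constructed samples, and codecommit:GetBranch stands in for the CodeCommit permissions listed in the linked topic.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(stmt, action):
    """True if the statement's Action/NotAction element applies to `action`."""
    def hit(patterns):
        # IAM action names are case-insensitive; "*" and "?" are wildcards.
        return any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(patterns))
    if "Action" in stmt:
        return hit(stmt["Action"])
    if "NotAction" in stmt:
        return not hit(stmt["NotAction"])
    return False

def missing_actions(policy_docs, required):
    """Return required actions that no Allow covers or that a Deny blocks.

    Action-level check only: Resource and Condition elements are ignored.
    """
    stmts = [s for doc in policy_docs for s in _as_list(doc["Statement"])]
    missing = []
    for action in required:
        allowed = any(s["Effect"] == "Allow" and _covers(s, action) for s in stmts)
        denied = any(s["Effect"] == "Deny" and _covers(s, action) for s in stmts)
        if denied or not allowed:
            missing.append(action)
    return missing

# Constructed sample data, not taken from a real account.
REQUIRED = ["elasticbeanstalk:DescribeEvents", "codecommit:GetBranch"]
LEGACY_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:*", "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:UpdateEnvironment"]}]}
UPDATED_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:*", "elasticbeanstalk:*", "codecommit:Get*"]}]}
DENY_DESCRIBE = {"Version": "2012-10-17", "Statement": {
    "Effect": "Deny", "Resource": "*", "Action": "elasticbeanstalk:Describe*"}}

if __name__ == "__main__":
    print(missing_actions([LEGACY_ROLE], REQUIRED))
    print(missing_actions([UPDATED_ROLE], REQUIRED))
    print(missing_actions([UPDATED_ROLE, DENY_DESCRIBE], REQUIRED))
```

Because the check ignores Resource and Condition elements, treat an empty result as a first pass and confirm with the IAM policy simulator when a statement is scoped or conditional.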

Pipeline error: A Jenkins build or test action runs for a long time and then fails due to lack of credentials or permissions

Problem: If the Jenkins server is installed on an Amazon EC2 instance, the instance might not have been created with an instance role that has the permissions required for CodePipeline. If you are using an IAM user on a Jenkins server, an on-premises instance, or an Amazon EC2 instance created without the required IAM role, the IAM user either does not have the required permissions, or the Jenkins server cannot access those credentials through the profile configured on the server.

Possible fixes: Make sure that the Amazon EC2 instance role or IAM user is configured with the AWSCodePipelineCustomActionAccess managed policy or with the equivalent permissions. For more information, see AWS managed (predefined) policies for CodePipeline.

If you are using an IAM user, make sure the AWS profile configured on the instance uses the IAM user configured with the correct permissions. You might have to provide the IAM user credentials you configured for integration between Jenkins and CodePipeline directly into the Jenkins UI. This is not a recommended best practice. If you must do so, be sure the Jenkins server is secured and uses HTTPS instead of HTTP.

Pipeline error: A pipeline created in one AWS Region using a bucket created in another AWS Region returns an "InternalError" with the code "JobFailed"

Problem: The download of an artifact stored in an Amazon S3 bucket will fail if the pipeline and bucket are created in different AWS Regions.

Possible fixes: Make sure the Amazon S3 bucket where your artifact is stored is in the same AWS Region as the pipeline you have created.

Deployment error: A ZIP file that contains a WAR file is deployed successfully to AWS Elastic Beanstalk, but the application URL reports a 404 not found error

Problem: A WAR file is deployed successfully to an AWS Elastic Beanstalk environment, but the application URL returns a 404 Not Found error.

Possible fixes: AWS Elastic Beanstalk can unpack a ZIP file, but not a WAR file contained in a ZIP file. Instead of specifying a WAR file in your buildspec.yml file, specify a folder that contains the content to be deployed. For example:

    version: 0.2

    phases:
      post_build:
        commands:
          - mvn package
          - mv target/my-web-app ./
    artifacts:
      files:
        - my-web-app/**/*
      discard-paths: yes

For an example, see AWS Elastic Beanstalk Sample for CodeBuild.

Pipeline artifact folder names appear to be truncated

Problem: When you view pipeline artifact names in CodePipeline, the names appear to be truncated. This can make the names appear to be similar or seem to no longer contain the entire pipeline name.

Explanation: CodePipeline truncates artifact names to ensure that the full Amazon S3 path does not exceed policy size limits when CodePipeline generates temporary credentials for job workers.

Even though the artifact name appears to be truncated, CodePipeline maps to the artifact bucket in a way that is not affected by artifacts with truncated names. The pipeline can function normally. This is not an issue with the folder or artifacts. There is a 100-character limit to pipeline names. Although the artifact folder name might appear to be shortened, it is still unique for your pipeline.

Add CodeBuild GitClone permissions for connections to Bitbucket, GitHub, or GitHub Enterprise Server

When you use an AWS CodeStar connection in a source action and a CodeBuild action, there are two ways the input artifact can be passed to the build:

  • The default: The source action produces a zip file that contains the code that CodeBuild downloads.

  • Git clone: The source code can be directly downloaded to the build environment.

    The Git clone mode allows you to interact with the source code as a working Git repository. To use this mode, you must grant your CodeBuild environment permissions to use the connection.

To add permissions to your CodeBuild service role policy, you create a customer-managed policy that you attach to your CodeBuild service role. The following steps create a policy where the UseConnection permission is specified in the action field, and the connection ARN is specified in the Resource field.

To use the console to add the UseConnection permissions

  1. To find the connection ARN for your pipeline, open your pipeline and click the (i) icon on your source action. You add the connection ARN to your CodeBuild service role policy.

    For this example, the connection ARN is:

    arn:aws:codestar-connections:eu-central-1:123456789123:connection/sample-1908-4932-9ecc-2ddacee15095

  2. To find your CodeBuild service role, open the build project used in your pipeline and navigate to the Build details tab.

  3. Choose the Service role link. This opens the IAM console where you can add a new policy that grants access to your connection.

  4. In the IAM console, choose Attach policies, and then choose Create policy.

    Use the following sample policy template. Add your connection ARN in the Resource field, as shown in this example:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "codestar-connections:UseConnection",
                "Resource": "insert connection ARN here"
            }
        ]
    }

    On the JSON tab, paste your policy.

  5. Choose Review policy. Enter a name for the policy (for example, connection-permissions), and then choose Create policy.

  6. Return to the page where you were attaching permissions, refresh the policy list, and select the policy you just created. Choose Attach policies.

Add CodeBuild GitClone permissions for CodeCommit source actions

When your pipeline has a CodeCommit source action, there are two ways you can pass the input artifact to the build:

  • Default – The source action produces a zip file that contains the code that CodeBuild downloads.

  • Full clone – The source code can be directly downloaded to the build environment.

    The Full clone option allows you to interact with the source code as a working Git repository. To use this mode, you must add permissions for your CodeBuild environment to pull from your repository.

To add permissions to your CodeBuild service role policy, you create a customer-managed policy that you attach to your CodeBuild service role. The following steps create a policy that specifies the codecommit:GitPull permission in the action field.

To use the console to add the GitPull permissions

  1. To find your CodeBuild service role, open the build project used in your pipeline and navigate to the Build details tab.

  2. Choose the Service role link. This opens the IAM console where you can add a new policy that grants access to your repository.

  3. In the IAM console, choose Attach policies, and then choose Create policy.

  4. On the JSON tab, paste the following sample policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "codecommit:GitPull"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

  5. Choose Review policy. Enter a name for the policy (for example, codecommit-gitpull), and then choose Create policy.

  6. Return to the page where you were attaching permissions, refresh the policy list, and select the policy you just created. Choose Attach policies.
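The GitPull sample above uses "Resource": "*", which lets the build role pull every CodeCommit repository in the account, while the UseConnection template is scoped to one connection ARN. The following Python sketch is an added example, not AWS code: it builds either policy scoped to a single ARN and flags statements that grant these clone actions on a wildcard. The ARN patterns and the repository name my-repo are assumptions.

```python
import re

# ARN shapes assumed here: the connection ARN follows the sample on this page;
# a CodeCommit repository ARN is arn:<partition>:codecommit:<region>:<account>:<repo>.
_ARN_SHAPES = {
    "codestar-connections:UseConnection": re.compile(
        r"arn:aws[a-z-]*:codestar-connections:[a-z0-9-]+:\d{12}:connection/[A-Za-z0-9-]+"),
    "codecommit:GitPull": re.compile(
        r"arn:aws[a-z-]*:codecommit:[a-z0-9-]+:\d{12}:[A-Za-z0-9._-]+"),
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def scoped_policy(action, resource_arn):
    """Build a one-statement policy granting `action` on exactly one ARN."""
    shape = _ARN_SHAPES.get(action)
    if shape is None:
        raise ValueError(f"unsupported action: {action}")
    if not shape.fullmatch(resource_arn):  # rejects "*" and partial wildcards
        raise ValueError(f"expected one full ARN for {action}, got {resource_arn!r}")
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": action, "Resource": resource_arn}]}

def overbroad_statements(policy):
    """Return Allow statements that name a clone action exactly and use a wildcard resource."""
    return [s for s in _as_list(policy["Statement"])
            if s.get("Effect") == "Allow"
            and any(a in _ARN_SHAPES for a in _as_list(s.get("Action", [])))
            and any("*" in r for r in _as_list(s.get("Resource", [])))]

# The GitPull sample from this page, wrapped in a policy document.
PAGE_GITPULL_SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Action": ["codecommit:GitPull"], "Resource": "*", "Effect": "Allow"}]}
# Connection ARN from this page; the repository name "my-repo" is constructed.
CONNECTION_ARN = ("arn:aws:codestar-connections:eu-central-1:123456789123:"
                  "connection/sample-1908-4932-9ecc-2ddacee15095")
REPO_ARN = "arn:aws:codecommit:eu-central-1:123456789123:my-repo"

if __name__ == "__main__":
    print(len(overbroad_statements(PAGE_GITPULL_SAMPLE)))
    for action, arn in (("codestar-connections:UseConnection", CONNECTION_ARN),
                        ("codecommit:GitPull", REPO_ARN)):
        print(overbroad_statements(scoped_policy(action, arn)))
```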

Pipeline error: A deployment with the CodeDeployToECS action returns an error message: "Exception while trying to read the task definition artifact file from: <source artifact name>"

Problem: The maximum artifact ZIP size in the CodePipeline deploy action to ECS through CodeDeploy (the CodeDeployToECS action) is 3 MB. The following error message is returned when artifact sizes exceed 3 MB:

Exception while trying to read the task definition artifact file from: <source artifact name>

Possible fixes: Create an artifact with a compressed size less than 3 MB.

GitHub version 2 source action: Unable to complete the connection for a repository

Problem: Because a connection to a GitHub repository uses the AWS Connector for GitHub, you need organization owner permissions or admin permissions to the repository to create the connection.

Possible fixes: For information about permission levels for a GitHub repository, see https://docs.github.com/en/free-pro-team@latest/github/setting-up-and-managing-organizations-and-teams/permission-levels-for-an-organization.

Need help with a different issue?

Try these other resources: