CodeBuild - Build fails due to missing EC2 Permission


I have a CodeBuild project that pulls code from GitHub, running inside a VPC. I am using the Cloud Posse Terraform module as a template.

When I start the build, I get

VPC_CLIENT_ERROR: Unexpected EC2 error: UnauthorizedOperation

I found a similar problem on SO, but the fix suggested there did not work in my case.

This is my Terraform policy for the CodeBuild service role:

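# IAM policy for the CodeBuild service role.
#
# Statement "BuildRuntime" grants the ECR push, ECS, CloudWatch Logs, SSM and
# EC2 networking actions a build needs. Statement "CodeBuildEniPermission"
# grants ec2:CreateNetworkInterfacePermission, scoped to the build subnets and
# to CodeBuild as the authorized service, following the CodeBuild VPC docs.
#
# Root cause of "VPC_CLIENT_ERROR: Unexpected EC2 error: UnauthorizedOperation":
# the ec2:Subnet condition compared subnet ARNs that contain "*" for region and
# account using StringEquals. StringEquals treats "*" as a literal character, so
# the condition never matched and CreateNetworkInterfacePermission was denied.
# That is also why adding "ec2:*" on Resource "*" "worked": it granted the
# action unconditionally. ArnLike evaluates the wildcards and fixes it; the
# alternative is to keep StringEquals and spell out the real region/account.
data "aws_iam_policy_document" "permissions" {
  statement {
    sid    = "BuildRuntime"
    effect = "Allow"

    # Removed from the original list: ec2:ModifySnapshotAttribute,
    # ec2:ModifyVpcEndpointService and ec2:ResetSnapshot. None of them is part
    # of the CodeBuild VPC requirements, and ModifySnapshotAttribute on "*"
    # lets the build role share or publish any EBS snapshot in the account.
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:CompleteLayerUpload",
      "ecr:GetAuthorizationToken",
      "ecr:InitiateLayerUpload",
      "ecr:PutImage",
      "ecr:UploadLayerPart",
      "ecs:RunTask",
      # NOTE(review): iam:PassRole on Resource "*" lets the build pass any role
      # in the account to ecs:RunTask. Restrict this to the task/execution role
      # ARNs (or add an iam:PassedToService condition) once they are known;
      # they are not visible from this module, so it is left unchanged here.
      "iam:PassRole",
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "ssm:GetParameters",
      # EC2 networking needed to attach the build to the VPC. The Describe*
      # actions do not support resource-level permissions, hence "*".
      "ec2:CreateNetworkInterface",
      "ec2:DeleteNetworkInterface",
      "ec2:DetachNetworkInterface",
      "ec2:DescribeDhcpOptions",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeSubnets",
      "ec2:DescribeVpcs",
    ]

    resources = ["*"]
  }

  statement {
    sid    = "CodeBuildEniPermission"
    effect = "Allow"

    actions   = ["ec2:CreateNetworkInterfacePermission"]
    resources = ["arn:aws:ec2:*:*:network-interface/*"]

    # The subnet ARNs contain "*" for region and account, so they must be
    # matched with ArnLike (StringLike also works); StringEquals never matches.
    condition {
      test     = "ArnLike"
      variable = "ec2:Subnet"
      values   = formatlist("arn:aws:ec2:*:*:subnet/%s", var.subnet_ids)
    }

    # Only allow the interface permission to be granted to the CodeBuild service.
    condition {
      test     = "StringEquals"
      variable = "ec2:AuthorizedService"
      values   = ["codebuild.amazonaws.com"]
    }
  }
}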

And it generates this JSON (note the literal `*` inside the `ec2:Subnet` values under `StringEquals`):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameters",
                "logs:PutLogEvents",
                "logs:CreateLogStream",
                "logs:CreateLogGroup",
                "iam:PassRole",
                "ecs:RunTask",
                "ecr:UploadLayerPart",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:GetAuthorizationToken",
                "ecr:CompleteLayerUpload",
                "ecr:BatchCheckLayerAvailability",
                "ec2:ResetSnapshot",
                "ec2:ModifyVpcEndpointService",
                "ec2:ModifySnapshotAttribute",
                "ec2:DetachNetworkInterface",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeDhcpOptions",
                "ec2:DeleteNetworkInterface",
                "ec2:CreateNetworkInterface"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "ec2:CreateNetworkInterfacePermission",
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {
                "StringEquals": {
                    "ec2:AuthorizedService": "codebuild.amazonaws.com",
                    "ec2:Subnet": [
                        "arn:aws:ec2:*:*:subnet/subnet-0d121212121212121",
                        "arn:aws:ec2:*:*:subnet/subnet-0a323232323232323",
                        "arn:aws:ec2:*:*:subnet/subnet-05454545454545454"
                    ]
                }
            }
        }
    ]
}

The only way I can make it work is to add:

"ec2:*"

I would rather not do that and keep the policy fine-grained instead. Which permission do I need to add to make this work? This has been driving me crazy for some time now...




Since the subnet ARNs in the `ec2:Subnet` condition contain wildcards (`*` for region and account), `StringEquals` treats the `*` literally and the condition never matches, so `ec2:CreateNetworkInterfacePermission` is denied — that is the `UnauthorizedOperation`. Change that condition's operator from `StringEquals` to `StringLike` (or `ArnLike`), or fill in the real region and account ID and keep `StringEquals`. This also explains why `ec2:*` on `Resource: "*"` "works": it grants the action unconditionally, which is far broader than you need. While you are there, drop `ec2:ModifySnapshotAttribute`, `ec2:ModifyVpcEndpointService` and `ec2:ResetSnapshot` from the first statement — CodeBuild VPC access does not need them, and on `Resource: "*"` they are dangerous. Reference for the difference between `StringEquals` and `StringLike`: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html

Thanks! Xin