It seems that the CodeBuildRole is not allowed to access the ssm parameter.

setup: multi account cdk

see below
```
[Container] 2022/09/30 18:08:49 going inside waitForAgent
[Container] 2022/09/30 18:08:49 Waiting for agent ping
[Container] 2022/09/30 18:08:50 Waiting for DOWNLOAD_SOURCE
[Container] 2022/09/30 18:08:52 Phase is DOWNLOAD_SOURCE
[Container] 2022/09/30 18:08:52 finished waitForAgent
[Container] 2022/09/30 18:08:52 inside CopySrc
[Container] 2022/09/30 18:08:52 CODEBUILD_SRC_DIR=/codebuild/output/src345865697/src
[Container] 2022/09/30 18:08:52 finished CopySrc
[Container] 2022/09/30 18:08:52 YAML location is /codebuild/readonly/buildspec.yml
[Container] 2022/09/30 18:08:52 Setting HTTP client timeout to higher timeout for S3 source
[Container] 2022/09/30 18:08:52 Processing environment variables
[Container] 2022/09/30 18:08:52 No runtime version selected in buildspec.
[Container] 2022/09/30 18:08:54 Moving to directory /codebuild/output/src345865697/src
[Container] 2022/09/30 18:08:54 Configuring ssm agent with target id: codebuild:882e8356-6095-49e9-8070-6ea8dfc45ce1
[Container] 2022/09/30 18:08:54 Successfully updated ssm agent configuration
[Container] 2022/09/30 18:08:54 Registering with agent
[Container] 2022/09/30 18:08:54 Phases found in YAML: 1
[Container] 2022/09/30 18:08:54 BUILD: 3 commands
[Container] 2022/09/30 18:08:54 Phase complete: DOWNLOAD_SOURCE State: SUCCEEDED
[Container] 2022/09/30 18:08:54 Phase context status code: Message:
[Container] 2022/09/30 18:08:54 Entering execCommands
[Container] 2022/09/30 18:08:54 Entering phase INSTALL
[Container] 2022/09/30 18:08:54 Phase complete: INSTALL State: SUCCEEDED
[Container] 2022/09/30 18:08:54 Phase context status code: Message:
[Container] 2022/09/30 18:08:54 Entering phase PRE_BUILD
[Container] 2022/09/30 18:08:54 Phase complete: PRE_BUILD State: SUCCEEDED
[Container] 2022/09/30 18:08:54 Phase context status code: Message:
[Container] 2022/09/30 18:08:54 Entering phase BUILD
[Container] 2022/09/30 18:08:54 Running command npm install -g aws-cdk
/usr/local/bin/cdk -> /usr/local/lib/node_modules/aws-cdk/bin/cdk
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.3.2 (node_modules/aws-cdk/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

+ aws-cdk@2.44.0
added 1 package from 1 contributor in 3.132s

[Container] 2022/09/30 18:09:12 Running command pip install -r requirements.txt
Collecting aws-cdk-lib
  Downloading aws_cdk_lib-2.44.0-py3-none-any.whl (62.1 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 62.1/62.1 MB 34.1 MB/s eta 0:00:00
Requirement already satisfied: boto3 in /root/.pyenv/versions/3.9.12/lib/python3.9/site-packages (from -r requirements.txt (line 2)) (1.24.18)
Collecting constructs
  Downloading constructs-10.1.117-py3-none-any.whl (56 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 56.5/56.5 kB 3.8 MB/s eta 0:00:00
Collecting yamldataclassconfig
  Downloading yamldataclassconfig-1.5.0-py3-none-any.whl (12 kB)
Collecting jsii<2.0.0,>=1.68.0
  Downloading jsii-1.69.0-py3-none-any.whl (554 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 554.7/554.7 kB 33.4 MB/s eta 0:00:00
Collecting publication>=0.0.3
  Downloading publication-0.0.3-py2.py3-none-any.whl (7.7 kB)
Collecting typeguard~=2.13.3
  Downloading typeguard-2.13.3-py3-none-any.whl (17 kB)
Requirement already satisfied: botocore<1.28.0,>=1.27.18 in /root/.pyenv/versions/3.9.12/lib/python3.9/site-packages (from boto3->-r requirements.txt (line 2)) (1.27.18)
Requirement already satisfied: s3transfer<0.7.0,>=0.6.0 in /root/.pyenv/versions/3.9.12/lib/python3.9/site-packages (from boto3->-r requirements.txt (line 2)) (0.6.0)
Requirement already satisfied: jmespath<2.0.0,>=0.7.1 in /root/.pyenv/versions/3.9.12/lib/python3.9/site-packages (from boto3->-r requirements.txt (line 2)) (0.10.0)
Requirement already satisfied: pyyaml in /root/.pyenv/versions/3.9.12/lib/python3.9/site-packages (from yamldataclassconfig->-r requirements.txt (line 4)) (5.4.1)
Collecting dataclasses-json
  Downloading dataclasses_json-0.5.7-py3-none-any.whl (25 kB)
Requirement already satisfied: python-dateutil<3.0.0,>=2.1 in /root/.pyenv/versions/3.9.12/lib/python3.9/site-packages (from botocore<1.28.0,>=1.27.18->boto3->-r requirements.txt (line 2)) (2.8.2)
Requirement already satisfied: urllib3<1.27,>=1.25.4 in /root/.pyenv/versions/3.9.12/lib/python3.9/site-packages (from botocore<1.28.0,>=1.27.18->boto3->-r requirements.txt (line 2)) (1.26.9)
Requirement already satisfied: attrs<23.0,>=21.2 in /root/.pyenv/versions/3.9.12/lib/python3.9/site-packages (from jsii<2.0.0,>=1.68.0->aws-cdk-lib->-r requirements.txt (line 1)) (21.4.0)
Requirement already satisfied: typing-extensions<5.0,>=3.7 in /root/.pyenv/versions/3.9.12/lib/python3.9/site-packages (from jsii<2.0.0,>=1.68.0->aws-cdk-lib->-r requirements.txt (line 1)) (3.10.0.0)
Collecting cattrs<22.2,>=1.8
  Downloading cattrs-22.1.0-py3-none-any.whl (33 kB)
Collecting typing-inspect>=0.4.0
  Downloading typing_inspect-0.8.0-py3-none-any.whl (8.7 kB)
Collecting marshmallow-enum<2.0.0,>=1.5.1
  Downloading marshmallow_enum-1.5.1-py2.py3-none-any.whl (4.2 kB)
Collecting marshmallow<4.0.0,>=3.3.0
  Downloading marshmallow-3.18.0-py3-none-any.whl (48 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 48.8/48.8 kB 3.2 MB/s eta 0:00:00
Collecting exceptiongroup
  Downloading exceptiongroup-1.0.0rc9-py3-none-any.whl (12 kB)
Collecting packaging>=17.0
  Downloading packaging-21.3-py3-none-any.whl (40 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 40.8/40.8 kB 2.7 MB/s eta 0:00:00
Requirement already satisfied: six>=1.5 in /root/.pyenv/versions/3.9.12/lib/python3.9/site-packages (from python-dateutil<3.0.0,>=2.1->botocore<1.28.0,>=1.27.18->boto3->-r requirements.txt (line 2)) (1.16.0)
Collecting mypy-extensions>=0.3.0
  Downloading mypy_extensions-0.4.3-py2.py3-none-any.whl (4.5 kB)
Collecting pyparsing!=3.0.5,>=2.0.2
  Downloading pyparsing-3.0.9-py3-none-any.whl (98 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 98.3/98.3 kB 5.6 MB/s eta 0:00:00
Installing collected packages: publication, mypy-extensions, typing-inspect, typeguard, pyparsing, exceptiongroup, packaging, cattrs, marshmallow, jsii, marshmallow-enum, constructs, dataclasses-json, aws-cdk-lib, yamldataclassconfig
Successfully installed aws-cdk-lib-2.44.0 cattrs-22.1.0 constructs-10.1.117 dataclasses-json-0.5.7 exceptiongroup-1.0.0rc9 jsii-1.69.0 marshmallow-3.18.0 marshmallow-enum-1.5.1 mypy-extensions-0.4.3 packaging-21.3 publication-0.0.3 pyparsing-3.0.9 typeguard-2.13.3 typing-inspect-0.8.0 yamldataclassconfig-1.5.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

[notice] A new release of pip available: 22.1.2 -> 22.2.2
[notice] To update, run: pip install --upgrade pip

[Container] 2022/09/30 18:09:34 Running command cdk synth --no-lookups
Traceback (most recent call last):
  File "/codebuild/output/src345865697/src/app.py", line 18, in <module>
    from deploy_endpoint.deploy_endpoint_stack import DeployEndpointStack
  File "/codebuild/output/src345865697/src/deploy_endpoint/deploy_endpoint_stack.py", line 31, in <module>
    from .get_approved_package import get_approved_package
  File "/codebuild/output/src345865697/src/deploy_endpoint/get_approved_package.py", line 21, in <module>
    from config.constants import DEFAULT_DEPLOYMENT_REGION, MODEL_PACKAGE_GROUP_NAME
  File "/codebuild/output/src345865697/src/config/constants.py", line 25, in <module>
    DEV_ACCOUNT = ssm_client.get_parameter(Name="/mlops/dev/account_id")["Parameter"]["Value"]
  File "/root/.pyenv/versions/3.9.12/lib/python3.9/site-packages/botocore/client.py", line 508, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/root/.pyenv/versions/3.9.12/lib/python3.9/site-packages/botocore/client.py", line 915, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::464573237931:assumed-role/SC-464573237931-pp-wtvyh6-deployCodeBuildRole3A87A-1VPK8Z8KK44OX/AWSCodeBuild-882e8356-6095-49e9-8070-6ea8dfc45ce1 is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-west-1:464573237931:parameter/mlops/dev/account_id because no identity-based policy allows the ssm:GetParameter action

Subprocess exited with error 1

[Container] 2022/09/30 18:09:45 Command did not exit successfully cdk synth --no-lookups exit status 1
[Container] 2022/09/30 18:09:45 Phase complete: BUILD State: FAILED
[Container] 2022/09/30 18:09:45 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: cdk synth --no-lookups. Reason: exit status 1
[Container] 2022/09/30 18:09:45 Entering phase POST_BUILD
[Container] 2022/09/30 18:09:45 Phase complete: POST_BUILD State: SUCCEEDED
[Container] 2022/09/30 18:09:45 Phase context status code: Message:
[Container] 2022/09/30 18:09:45 exiting execCommands
[Container] 2022/09/30 18:09:45 Expanding base directory path: cdk.out
[Container] 2022/09/30 18:09:45 Assembling file list
[Container] 2022/09/30 18:09:45 Expanding cdk.out
[Container] 2022/09/30 18:09:45 Expanding file paths for base directory cdk.out
[Container] 2022/09/30 18:09:45 Assembling file list
[Container] 2022/09/30 18:09:45 Expanding **/*
[Container] 2022/09/30 18:09:45 Phase complete: UPLOAD_ARTIFACTS State: FAILED
[Container] 2022/09/30 18:09:45 Phase context status code: CLIENT_ERROR Message: no matching artifact paths found
```
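The denial in the log above names the exact role, action and resource, which is enough to derive a narrowly scoped identity policy statement instead of a broad `ssm:*` grant. The following is an added example, not code from the issue or the project; the function names are hypothetical and `DENIAL` is constructed from the log's error text.

```python
import re

# Constructed from the AccessDeniedException text in the build log above.
DENIAL = (
    "User: arn:aws:sts::464573237931:assumed-role/"
    "SC-464573237931-pp-wtvyh6-deployCodeBuildRole3A87A-1VPK8Z8KK44OX/"
    "AWSCodeBuild-882e8356-6095-49e9-8070-6ea8dfc45ce1 "
    "is not authorized to perform: ssm:GetParameter on resource: "
    "arn:aws:ssm:eu-west-1:464573237931:parameter/mlops/dev/account_id "
    "because no identity-based policy allows the ssm:GetParameter action"
)

_DENIAL_RE = re.compile(
    r"User: arn:aws:sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<role>[^/\s]+)/(?P<session>\S+) "
    r"is not authorized to perform: (?P<action>[A-Za-z0-9-]+:[A-Za-z0-9]+) "
    r"on resource: (?P<resource>arn:\S+)"
    r"(?: because (?P<reason>.+))?"
)


def parse_denial(message):
    """Extract caller account, role, action, resource and reason."""
    match = _DENIAL_RE.search(message.strip())
    if match is None:
        raise ValueError("not an assumed-role AccessDenied message")
    return match.groupdict()


def is_cross_account(denial):
    """True when the resource ARN's account differs from the caller's."""
    return denial["resource"].split(":")[4] != denial["account"]


def least_privilege_policy(denial):
    """Identity policy allowing only the denied action on the denied resource."""
    if "*" in denial["resource"]:
        raise ValueError("refusing to emit a wildcard resource")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [denial["action"]],
            "Resource": [denial["resource"]],
        }],
    }
```

For this log, `is_cross_account` returns `False`: the role and the parameter are both in account 464573237931, so the missing piece is an identity-based policy on the CodeBuild role, as the error's reason states.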