I used the single click script and followed the indicated instructions.
But the "App" action in the "Source" stage is in error:

```
Insufficient permissions
The service role or action role doesn’t have the permissions required to access the Amazon S3 bucket named pre-reqs-artifactbucket-xxxxxxxxx.
Update the IAM role permissions, and then try again.
Error: Amazon S3:AccessDenied:Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID:...
```

I can't see precisely which service role or action role as my account is restricted on CloudTrail access.
The bucket policy in the tools account seems to be OK with the real account numbers (but here in GitHub with: dev = 123456789012, tools = 234567890123):

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:role/ToolsAcctCodePipelineCodeCommitRole",
          "arn:aws:iam::234567890123:role/sample-lambda-CodeBuildRole"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::pre-reqs-artifactbucket-xxxxxxxxxxxx",
        "arn:aws:s3:::pre-reqs-artifactbucket-xxxxxxxxxxxx/*"
      ]
    }
  ]
}
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "codecommit:BatchGetRepositories",
        "codecommit:Get*",
        "codecommit:GitPull",
        "codecommit:List*",
        "codecommit:CancelUploadArchive",
        "codecommit:UploadArchive",
        "s3:*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:*"
      ],
      "Resource": "arn:aws:kms:eu-west-1:234567890123:alias/codepipeline-crossaccounts",
      "Effect": "Allow"
    }
  ]
}
```
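
An added check, not part of the original issue or of the sample project: it runs over abbreviated copies of the two policy documents posted above, confirming that the bucket policy names the role for both the bucket and its objects, and flagging KMS statements whose `Resource` is an alias ARN (an IAM policy statement identifies a KMS key by its key ARN, not by an alias ARN). It assumes the second policy is the one attached to `ToolsAcctCodePipelineCodeCommitRole`; the function names are hypothetical.

```python
import json

# The two policies posted above, abbreviated (placeholder account ids from the post).
BUCKET = "pre-reqs-artifactbucket-xxxxxxxxxxxx"
ROLE = "arn:aws:iam::123456789012:role/ToolsAcctCodePipelineCodeCommitRole"
BUCKET_POLICY = json.loads("""{"Statement": [{"Effect": "Allow",
  "Principal": {"AWS": ["arn:aws:iam::123456789012:role/ToolsAcctCodePipelineCodeCommitRole",
                        "arn:aws:iam::234567890123:role/sample-lambda-CodeBuildRole"]},
  "Action": "s3:*",
  "Resource": ["arn:aws:s3:::pre-reqs-artifactbucket-xxxxxxxxxxxx",
               "arn:aws:s3:::pre-reqs-artifactbucket-xxxxxxxxxxxx/*"]}]}""")
# Assumption: this is the policy attached to ROLE.
ROLE_POLICY = json.loads("""{"Statement": [
  {"Effect": "Allow", "Action": ["codecommit:Get*", "s3:*"], "Resource": "*"},
  {"Effect": "Allow", "Action": ["kms:*"],
   "Resource": "arn:aws:kms:eu-west-1:234567890123:alias/codepipeline-crossaccounts"}]}""")

def as_list(value):
    """IAM accepts a single string or a list for Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]

def bucket_policy_names_role(policy, role_arn, bucket):
    """True if one Allow statement names role_arn and covers bucket and objects."""
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in policy["Statement"]:
        principal = st.get("Principal", {})
        arns = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if st["Effect"] == "Allow" and role_arn in arns and needed <= set(as_list(st["Resource"])):
            return True
    return False

def kms_alias_resources(policy):
    """Alias ARNs used as Resource in Allow statements that grant kms: actions."""
    hits = []
    for st in policy["Statement"]:
        grants_kms = any(a.lower().startswith("kms:") for a in as_list(st["Action"]))
        if st["Effect"] == "Allow" and grants_kms:
            hits += [r for r in as_list(st["Resource"]) if ":alias/" in r]
    return hits

def audit(bucket_policy, role_policy, role_arn, bucket):
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    if not bucket_policy_names_role(bucket_policy, role_arn, bucket):
        findings.append(f"bucket policy does not allow {role_arn} on bucket and objects")
    for arn in kms_alias_resources(role_policy):
        findings.append(f"KMS statement uses alias ARN as Resource, use the key ARN: {arn}")
    return findings

if __name__ == "__main__":
    for line in audit(BUCKET_POLICY, ROLE_POLICY, ROLE, BUCKET):
        print("FINDING:", line)
```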