Solving permissions error with AWS CodePipeline

Unable to use Connection: arn:aws:codestar-connections — The provided role does not have sufficient permissions

Haydn Morris
Dec 30, 2020

I recently encountered a problem when trying to use AWS’s new CodeCommit GitHub connector (Version 2) with a pipeline that I set up a couple of years ago.

The Version 2 source method creates an AWS connector within GitHub that allows AWS to access certain repositories, depending on permissions that you define.

I set up the connection and all went without much of a hitch, but when I came to release a change within CodePipeline and it attempted to fetch the code from GitHub, the pipeline failed with the following message:

Unable to use Connection: arn:aws:codestar-connections — The provided role does not have sufficient permissions

When you create a CodePipeline, you create a role within IAM that gives the pipeline the permissions to access and modify all of the necessary assets to fetch, build and deploy your code. Mine is called AWSCodePipelineServiceRole.

For pipelines set up before AWS started providing support for the Version 2 GitHub connections (which use AWS CodeStar), the service roles associated with those pipelines do not have permission to use the new CodeStar connection.

To solve the problem you just need to go to your CodePipeline service role and add these policy statements to it:

{
    "Action": [
        "codestar-connections:UseConnection"
    ],
    "Resource": "*",
    "Effect": "Allow"
},
{
    "Action": [
        "appconfig:StartDeployment",
        "appconfig:GetDeployment",
        "appconfig:StopDeployment"
    ],
    "Resource": "*",
    "Effect": "Allow"
},
{
    "Action": [
        "codecommit:GetRepository"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

I found the description of this here, but as seems to often be the case with AWS it wasn’t very clear from the error message — especially considering that it seems to be a known gotcha… So I hope this saves you some time!

NOTE: One other thing that I did before I could get it to work was that I visited the CodeStar homepage searching for the source of this issue, and I was prompted to create a default CodeStar IAM Role, which I did — I’m not sure if this is necessary to solve the problem addressed in this article, but I guess it can’t hurt to do it anyway 🤷‍♂️.
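The statements above grant codestar-connections:UseConnection on "Resource": "*", which lets the role use every connection in the account; the action also accepts a single connection ARN as its resource. The following check is an added example, not code from the original article or from AWS: it reports whether a role policy document is missing the permission (the state behind the error), grants it through a wildcard, or grants it for one connection only. CONNECTION_ARN and the sample policies are constructed placeholders, and the evaluation is simplified (it ignores explicit Deny, NotAction, NotResource and Condition).

```python
import re

ACTION = "codestar-connections:UseConnection"
# Constructed placeholder ARN; substitute the ARN of your own connection.
CONNECTION_ARN = ("arn:aws:codestar-connections:us-east-1:111122223333:"
                  "connection/EXAMPLE-CONNECTION-ID")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def use_connection_grants(policy, connection_arn):
    """Resource patterns of Allow statements that cover UseConnection on the ARN.

    Simplified: explicit Deny, NotAction, NotResource and Condition are ignored.
    """
    grants = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches(a, ACTION, ignore_case=True) for a in actions):
            continue
        grants += [r for r in _as_list(stmt.get("Resource", []))
                   if _matches(r, connection_arn)]
    return grants

def audit(policy, connection_arn=CONNECTION_ARN):
    grants = use_connection_grants(policy, connection_arn)
    if not grants:
        return "missing"    # the state that produces the error in this article
    return "scoped" if all(g == connection_arn for g in grants) else "wildcard"

def make_policy(action, resource):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": [action], "Resource": resource}]}

# Constructed sample policies.
OLD_ROLE = make_policy("codecommit:GetRepository", "*")  # no UseConnection at all
PAGE_FIX = make_policy(ACTION, "*")                      # statement from this article
SCOPED = make_policy(ACTION, CONNECTION_ARN)             # limited to one connection

if __name__ == "__main__":
    for name, doc in [("old", OLD_ROLE), ("page fix", PAGE_FIX), ("scoped", SCOPED)]:
        print(f"{name}: {audit(doc)}")
```

A "wildcard" result means the pipeline will run, but the role can also use any other connection created in the account later.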
