AWS CodeBuild VPC_CLIENT_ERROR: Unexpected EC2 error: UnauthorizedOperation
You can also use StringLike in case it's not convenient for you to provide the subnet ID within the policy:
```json
{
  "Effect": "Allow",
  "Action": [
    "ec2:CreateNetworkInterfacePermission"
  ],
  "Resource": "arn:aws:ec2:*:*:network-interface/*",
  "Condition": {
    "StringLike": {
      "ec2:Subnet": [
        "arn:aws:ec2:*:*:subnet/*"
      ],
      "ec2:AuthorizedService": "codebuild.amazonaws.com"
    }
  }
}
```
It looks to me like the CodeBuild service role is unable to create the ENI in the VPC. The problem seems to be with this line in the CodeBuild role policy:
```json
{
  "Sid": "VisualEditor0",
  "Effect": "Allow",
  "Action": "ec2:CreateNetworkInterfacePermission",
  "Resource": "arn:aws:ec2:us-east-1:371508653482:network-interface/*",
  "Condition": {
    "StringEquals": {
      "ec2:AuthorizedService": "codebuild.amazonaws.com",
      "ec2:Subnet": "subnet-124641af7a83bf872"   <================= Need full ARN here
    }
  }
},
```
Instead of:
```json
"Condition": {
  "StringEquals": {
    "ec2:AuthorizedService": "codebuild.amazonaws.com",
    "ec2:Subnet": "subnet-124641af7a83bf872"
  }
}
```
try...
```json
"Condition": {
  "StringEquals": {
    "ec2:Subnet": [
      "arn:aws:ec2:region:account-id:subnet/subnet-124641af7a83bf872"
    ],
    "ec2:AuthorizedService": "codebuild.amazonaws.com"
  }
}
```
Details here: [1]

[1] Using Identity-Based Policies for CodeBuild - Allow CodeBuild Access to AWS Services Required to Create a VPC Network Interface: https://docs.aws.amazon.com/codebuild/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html#customer-managed-policies-example-create-vpc-network-interface
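As an added example (not part of either answer above), a small Python check that catches this mistake before the policy is deployed: it walks a policy document and flags every `ec2:Subnet` condition value that is not a subnet ARN, and also flags a wildcard used under `StringEquals`, which is an exact comparison. The account ID and subnet ID in the sample policy are constructed placeholders.

```python
"""Check an IAM policy for the CodeBuild VPC pitfall above: the ec2:Subnet
condition key is compared against a subnet ARN, so a bare subnet ID never
matches and CreateNetworkInterface fails with UnauthorizedOperation."""
import json
import re

# A subnet ARN; '*' segments are accepted because StringLike permits wildcards.
SUBNET_ARN = re.compile(r"^arn:aws:ec2:[^:]*:[^:]*:subnet/(subnet-[0-9a-f]+|\*)$")


def _as_list(value):
    # IAM allows a single string or a list in Statement and in condition values.
    return value if isinstance(value, list) else [value]


def find_subnet_condition_problems(policy):
    """Return (Sid, operator, value, reason) for each ec2:Subnet condition value
    that cannot match: not a subnet ARN, or a wildcard under StringEquals
    (StringEquals is exact; only StringLike expands '*')."""
    problems = []
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        for operator, pairs in stmt.get("Condition", {}).items():
            for value in _as_list(pairs.get("ec2:Subnet", [])):
                if not SUBNET_ARN.match(value):
                    problems.append((sid, operator, value, "not a subnet ARN"))
                elif "*" in value and operator == "StringEquals":
                    problems.append((sid, operator, value, "wildcard needs StringLike"))
    return problems


def lint(policy_json):
    """Convenience wrapper over a policy document string."""
    return find_subnet_condition_problems(json.loads(policy_json))


# Constructed sample policy: account ID and subnet ID are placeholders, not real.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Broken", "Effect": "Allow",
     "Action": "ec2:CreateNetworkInterfacePermission",
     "Resource": "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
     "Condition": {"StringEquals": {
         "ec2:AuthorizedService": "codebuild.amazonaws.com",
         "ec2:Subnet": "subnet-0123456789abcdef0"}}},
    {"Sid": "Fixed", "Effect": "Allow",
     "Action": "ec2:CreateNetworkInterfacePermission",
     "Resource": "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
     "Condition": {"StringEquals": {
         "ec2:AuthorizedService": "codebuild.amazonaws.com",
         "ec2:Subnet": ["arn:aws:ec2:us-east-1:111122223333:subnet/subnet-0123456789abcdef0"]}}},
]})

if __name__ == "__main__":
    for sid, op, value, reason in lint(SAMPLE_POLICY):
        print(f"{sid}: {op} ec2:Subnet={value!r}: {reason}")
```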