AWS CodeBuild failing due to UNAUTHORIZED_OPERATION_DELETE_NETWORK_INTERFACE error

I have a CodeBuild service that gets this error

UNAUTHORIZED_OPERATION_DELETE_NETWORK_INTERFACE: The service role is not authorized to perform ec2:DeleteNetworkInterface

The service role that I am using has the necessary permissions for ec2:DeleteNetworkInterface, but it is blocked by a global deny policy, which has been fine until recently because previously CodeBuild had been running DeleteNetworkInterface with the --dry-run flag. It was just checking that I have the permissions instead of actually executing it. And this is the desired behaviour because it shouldn't delete any network interfaces. This has been working for months.

However, right now it is failing because the --dry-run flag is no longer set. I'm really stumped as to why, because the pipeline hasn't been updated and it was working fine up until now.

We've also detected these differences between working vs failed sequences of commands:

** Working sequence: "DescribeVpcs" is present
DescribeSubnets
DescribeVpcs
DescribeNetworkInterfaces
DeleteNetworkInterface (Client.DryRunOperation)

** Failed sequence: "DescribeVpcs" is missing
DescribeSubnets
DescribeNetworkInterfaces
DeleteNetworkInterface (Client.UnauthorizedOperation)

I've checked that my service role has all the above permissions.

Could someone point me to a possible cause for this? I'd really appreciate it. Thank you.

Do Yeon Kim asked Oct 25 '25 05:10


1 Answer

And this is the desired behaviour because it shouldn't delete any network interfaces.

This is an incorrect assumption. If your Build project uses VPC Configuration, CodeBuild will create a network interface in your account and attach it to the Build container so that the build container can access VPC resources, e.g. a database. CodeBuild will delete this network interface once the build finishes. The requirement for "ec2:DeleteNetworkInterface" is clearly documented in the CodeBuild documentation:

  • https://docs.aws.amazon.com/codebuild/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html#customer-managed-policies-example-create-vpc-network-interface

I agree that the dry run behaviour may have changed, but it does not change the fact that you need the 'DeleteNetworkInterface' permission every time your project uses VPC Configuration.

shariqmaws answered Oct 26 '25 17:10
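As an added example (not part of the answer above and not copied from the linked AWS page), here are the two policy documents that the thread's conflict comes down to, shown together as one JSON object for readability: an identity policy for the CodeBuild service role covering the network-interface actions a VPC-enabled build uses (including the Describe* and DeleteNetworkInterface calls listed in the question), and an SCP-style deny on ec2:DeleteNetworkInterface that carves out that role, assuming the "global deny policy" is an Organizations SCP. The account ID, region, subnet ID and role name are placeholders.

```json
{
  "ServiceRoleIdentityPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "CodeBuildVpcNetworkInterfaces",
        "Effect": "Allow",
        "Action": [
          "ec2:CreateNetworkInterface",
          "ec2:DeleteNetworkInterface",
          "ec2:DescribeDhcpOptions",
          "ec2:DescribeNetworkInterfaces",
          "ec2:DescribeSecurityGroups",
          "ec2:DescribeSubnets",
          "ec2:DescribeVpcs"
        ],
        "Resource": "*"
      },
      {
        "Sid": "CodeBuildEniPermissionScopedToSubnet",
        "Effect": "Allow",
        "Action": "ec2:CreateNetworkInterfacePermission",
        "Resource": "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
        "Condition": {
          "StringEquals": { "ec2:AuthorizedService": "codebuild.amazonaws.com" },
          "ArnEquals": { "ec2:Subnet": "arn:aws:ec2:us-east-1:111122223333:subnet/subnet-PLACEHOLDER" }
        }
      }
    ]
  },
  "OrganizationScpDeny": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "DenyEniDeleteExceptCodeBuildServiceRole",
        "Effect": "Deny",
        "Action": "ec2:DeleteNetworkInterface",
        "Resource": "*",
        "Condition": {
          "ArnNotLike": { "aws:PrincipalArn": "arn:aws:iam::111122223333:role/codebuild-example-service-role" }
        }
      }
    ]
  }
}
```

An explicit Deny always overrides an Allow, so without the ArnNotLike carve-out the role's own Allow statement cannot make the real (non-dry-run) DeleteNetworkInterface call succeed; aws:PrincipalArn resolves to the role ARN for role sessions, so the exception covers the build's assumed-role credentials.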