@Shaun_Marx I am getting the common ‘Unknown’ permission error from the S3 Upload step template on 2018.9.14. The reason is clear enough, it doesn’t seem to be assuming the specified role.
When I attach the permissions policy directly to the user it works, but when the permissions are attached to the role specified in the step you get a permissions error when uploading. It doesn’t seem to be assuming the role.
I have an AWS PowerShell step in the sample plan that uses the same AWS account and assumes the same role and writes to the same bucket in the same region, and it works correctly, using the permissions of the role.
And testing the user and assumed role from the command line works fine too.
The ‘S3 Upload’ step just doesn’t seem to be assuming the specified role.
There is nothing in the raw log except that same 100 exit code and unknown Forbidden error.
With the Policy attached to the Role specified in the S3 Upload step you get the error:
23:07:46 Verbose | Bucket some-great-bucket exists in region Asia Pacific (Sydney) (us-east-2). Skipping creation.
23:07:47 Info | Glob pattern '**/*' matched 51 files
23:07:47 Info | Attempting to upload C:\Octopus\Work\20190603230744-29651-472\staging\foo.txt to bucket some-great-bucket with key myprefix/foo.txt.
23:07:47 Error | Calamari.Aws.Exceptions.UnknownException: An unrecognised Forbidden error was thrown while uploading to bucket some-great-bucket
23:07:47 Error | at Calamari.Aws.Deployment.Conventions.UploadAwsS3Convention.Install(RunningDeployment deployment)
23:07:47 Error | at Calamari.Deployment.ConventionProcessor.RunInstallConventions()
23:07:47 Error | at Calamari.Deployment.ConventionProcessor.RunConventions()
23:07:47 Error | Running rollback conventions...
23:07:47 Error | An unrecognised Forbidden error was thrown while uploading to bucket some-great-bucket
But with the same step and the role added directly to the AWS account, it works fine, even though the step still has a specified role to assume.
22:35:59 Verbose | Bucket some-great-bucket exists in region Asia Pacific (Sydney) (us-east-2). Skipping creation.
22:36:00 Info | Glob pattern '**/*' matched 51 files
22:36:00 Info | Attempting to upload C:\Octopus\Work\20190603223557-29646-462\staging\foo.txt to bucket some-great-bucket with key myprefix/foo.txt.
22:36:00 Info | Saving object version id to variable "Octopus.Action[AWS - Deploy to S3].Output.Files[myprefix/foo.txt]"
There is nothing in the raw logs of the AWS PowerShell step nor the S3 Upload step saying when and what role it has assumed. That would be useful to log! Is there a way to enable debug logging from the step so I can see it log when/if it assumes the role?
I checked the release logs for all newer versions but didn’t see a fix for this problem, so I assume it similarly doesn’t work in the latest release?
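Added example, not part of the original post and not Octopus or Calamari code: one way to make a script step log which principal it is actually running as, by comparing the ARN that `sts:GetCallerIdentity` returns with the role ARN configured on the step. The function name `Test-AssumedRole`, the account id, the role and the session names are constructed placeholders; the commented live call assumes AWS Tools for PowerShell is loaded in the step.

```powershell
# Added example. All ARNs below are constructed sample values.
function Test-AssumedRole {
    param(
        [Parameter(Mandatory)] [string] $CallerArn,       # Arn field from sts:GetCallerIdentity
        [Parameter(Mandatory)] [string] $ExpectedRoleArn  # role ARN configured on the step
    )
    # IAM role ARN: arn:<partition>:iam::<account>:role/<optional/path/><role-name>
    if ($ExpectedRoleArn -notmatch '^arn:(aws[\w-]*):iam::(\d{12}):role/(?:.+/)?([^/]+)$') {
        throw "Not an IAM role ARN: $ExpectedRoleArn"
    }
    $partition, $account, $roleName = $Matches[1], $Matches[2], $Matches[3]

    # Session ARN after AssumeRole: arn:<partition>:sts::<account>:assumed-role/<role-name>/<session>
    # The role path is dropped here, so only the final name segment can be compared.
    if ($CallerArn -match '^arn:(aws[\w-]*):sts::(\d{12}):assumed-role/([^/]+)/(.+)$') {
        $matchesRole = ($Matches[1] -eq $partition) -and
                       ($Matches[2] -eq $account) -and
                       ($Matches[3] -eq $roleName)
        return [pscustomobject]@{
            Principal           = 'assumed-role'
            Session             = $Matches[4]
            AssumedExpectedRole = $matchesRole
        }
    }
    # Anything else (for example arn:aws:iam::<account>:user/<name>) means the
    # calls are being made with the base credentials, not with the role.
    return [pscustomobject]@{
        Principal           = 'not-assumed-role'
        Session             = $null
        AssumedExpectedRole = $false
    }
}

$expected = 'arn:aws:iam::111122223333:role/ci/deploy-role'

# Constructed case 1: the role was assumed (note the missing "ci/" path).
Test-AssumedRole -CallerArn 'arn:aws:sts::111122223333:assumed-role/deploy-role/octopus-session' -ExpectedRoleArn $expected

# Constructed case 2: still running as the IAM user, the situation described above.
Test-AssumedRole -CallerArn 'arn:aws:iam::111122223333:user/octopus-svc' -ExpectedRoleArn $expected

# In a live script step, feed in the real identity instead:
# Test-AssumedRole -CallerArn (Get-STSCallerIdentity).Arn -ExpectedRoleArn $expected | Format-List
```

The same ARN appears as `userIdentity.arn` in the CloudTrail records for the S3 calls, which gives the equivalent check for a built-in step that cannot run custom script.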