Amazon Web Services - Receive - Not Authorized To Perform DescribeSecurityGroups - When Creating New Project in AWS CodeBuild - Stack Overflow


4/13/22, 1:14 AM amazon web services - Receive "Not authorized to perform DescribeSecurityGroups" when creating new Project in AWS CodeBuil…

Receive "Not authorized to perform DescribeSecurityGroups" when creating new Project in AWS CodeBuild

Asked 3 years, 5 months ago; modified 2 years ago; viewed 8k times

12

I am trying to create a new project in AWS CodeBuild. Every time I attempt to, I receive the following error:

    Not authorized to perform DescribeSecurityGroups

Any help would be greatly appreciated.


3
amazon-web-services aws-codebuild

asked Oct 16, 2018 at 20:18


Jackson
5,551 4 30 41

3 Answers

13

You are likely missing the VPC-related permissions in your service role. You need to update the role to have the following policy:

https://docs.aws.amazon.com/codebuild/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html#customer-managed-policies-example-create-vpc-network-interface

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:CreateNetworkInterface",
            "ec2:DescribeDhcpOptions",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DeleteNetworkInterface",
            "ec2:DescribeSubnets",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeVpcs"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:CreateNetworkInterfacePermission"
          ],
          "Resource": "arn:aws:ec2:{{region}}:{{account-id}}:network-interface/*",
          "Condition": {
            "StringEquals": {
              "ec2:Subnet": [
                "arn:aws:ec2:{{region}}:{{account-id}}:subnet/[[subnets]]"
              ],
              "ec2:AuthorizedService": "codebuild.amazonaws.com"
            }
          }
        }
      ]
    }


edited Apr 5, 2019 at 12:31, JamesFrost (687 11 20)
answered Oct 19, 2018 at 5:46, Subin Mathew (2,055 1 13 23)

7

It means that the associated IAM Role doesn't have an attached policy allowing CodeBuild to describe Security Groups.

If you are trying to create a new Build project and have selected "New Service Role" (Create a service role in your account), and at the same time added VPC, Subnets and Security Groups in the Additional Configuration section, you will get the "Not authorized to perform DescribeSecurityGroups" error.

For some reason the AWS auto-created policy looks like:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Action": [
            "ssm:GetParameters",
            "logs:PutLogEvents",
            "logs:CreateLogStream",
            "logs:CreateLogGroup",
            "ecr:UploadLayerPart",
            "ecr:PutImage",
            "ecr:InitiateLayerUpload",
            "ecr:GetAuthorizationToken",
            "ecr:CompleteLayerUpload",
            "ecr:BatchCheckLayerAvailability"
          ],
          "Resource": "*"
        }
      ]
    }

It's not allowing anything VPC/EC2 related, so you can either pre-create the correct policy and use it, or let AWS create the project without a VPC, and modify the new policy by adding the required services in the "Action" block:


    "Action": [
      "ssm:GetParameters",
      "logs:PutLogEvents",
      "logs:CreateLogStream",
      "logs:CreateLogGroup",
      "ecr:UploadLayerPart",
      "ecr:PutImage",
      "ecr:InitiateLayerUpload",
      "ecr:GetAuthorizationToken",
      "ecr:CompleteLayerUpload",
      "ecr:BatchCheckLayerAvailability",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeSubnets"
    ],

answered Oct 17, 2018 at 10:31


Igor K.
777 4 7
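
An added example, not part of either answer above: a Python check that lists which of the VPC actions from the first answer a service-role policy document fails to allow, and which wildcard grants it carries. The sample input is the auto-created policy quoted in the second answer; the function names are this example's own, and only Allow/Action statements are read (Deny, NotAction and Condition are not evaluated).

```python
import fnmatch

# Actions granted by the first answer's policy for builds attached to a VPC.
VPC_ACTIONS = [
    "ec2:CreateNetworkInterface", "ec2:DescribeDhcpOptions",
    "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface",
    "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups",
    "ec2:DescribeVpcs", "ec2:CreateNetworkInterfacePermission",
]

# Constructed sample: the auto-created policy quoted in the second answer.
AUTO_CREATED = {"Version": "2012-10-17", "Statement": [{
    "Sid": "", "Effect": "Allow", "Resource": "*",
    "Action": [
        "ssm:GetParameters", "logs:PutLogEvents", "logs:CreateLogStream",
        "logs:CreateLogGroup", "ecr:UploadLayerPart", "ecr:PutImage",
        "ecr:InitiateLayerUpload", "ecr:GetAuthorizationToken",
        "ecr:CompleteLayerUpload", "ecr:BatchCheckLayerAvailability",
    ],
}]}

def _listify(value):
    """IAM lets Statement and Action be a single item or a list."""
    return value if isinstance(value, list) else [value]

def allowed_patterns(policy):
    """Lower-cased Action patterns from every Allow statement."""
    patterns = []
    for stmt in _listify(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            patterns += [a.lower() for a in _listify(stmt["Action"])]
    return patterns

def missing_vpc_actions(policy):
    """VPC actions no Allow pattern covers (IAM action matching is case-insensitive)."""
    patterns = allowed_patterns(policy)
    return [a for a in VPC_ACTIONS
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]

def wildcard_grants(policy):
    """Allow patterns containing * or ?, candidates for narrowing."""
    return sorted({p for p in allowed_patterns(policy) if "*" in p or "?" in p})

if __name__ == "__main__":
    print("missing:", missing_vpc_actions(AUTO_CREATED))
    print("wildcards:", wildcard_grants(AUTO_CREATED))
```
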

3

I had this same issue when using CloudFormation. The issue was the IAM role was being created before CodeBuild started creation, but the Policy attached to the IAM role was being created after CodeBuild was created.

The remedy for this was to add a DependsOn to CodeBuild saying it needs the Policy to be created first.

Ex:

    CodeBuildIamRole:
      Type: 'AWS::IAM::Role'
      Properties:
        RoleName: 'CodeBuildAutomatedTestingRole'
        AssumeRolePolicyDocument:
          Statement:
            - Action: 'sts:AssumeRole'
              Effect: Allow
              Principal:
                Service: codebuild.amazonaws.com
        Path: /
    CodeBuildIamPolicy:
      Type: 'AWS::IAM::Policy'
      Properties:
        PolicyName: !Sub 'CodeBuildServiceRolePolicy-${AWS::StackName}'
        PolicyDocument:
          Statement:
            - Action:
                - 's3:PutObject'
                - 's3:GetObject'
                - 's3:GetObjectVersion'
                - 's3:ListBucket'
              Effect: Allow
              Resource: '*'
            - Action:
                - 'logs:CreateLogGroup'
                - 'logs:CreateLogStream'
                - 'logs:PutLogEvents'
                - 'ec2:CreateNetworkInterface'
                - 'ec2:DescribeDhcpOptions'
                - 'ec2:DescribeNetworkInterfaces'
                - 'ec2:DeleteNetworkInterface'
                - 'ec2:DescribeSubnets'
                - 'ec2:DescribeSecurityGroups'
                - 'ec2:DescribeVpcs'
                - 'ec2:CreateNetworkInterfacePermission'
                - 'ecr:*'

Hopefully this is helpful

answered Mar 20, 2020 at 14:57


Lucas A
user 45 6
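
An added example, not part of the answer above: a Python lint for the ordering problem it describes, reporting every CodeBuild project in a template (JSON form, as a dict) whose service role has an `AWS::IAM::Policy` attached that the project does not list in `DependsOn`. The `CodeBuildProject` logical ID and the policy's `Roles` entry are assumptions of this constructed sample, since the posted template stops before them.

```python
def _listify(value):
    """DependsOn and Roles may be absent, a single value, or a list."""
    return value if isinstance(value, list) else [] if value is None else [value]

def _target(ref):
    """Logical ID behind {"Ref": X}, {"Fn::GetAtt": [X, attr]} or {"Fn::GetAtt": "X.attr"}."""
    if not isinstance(ref, dict):
        return None  # literal ARN or name: nothing to resolve inside the template
    if "Ref" in ref:
        return ref["Ref"]
    att = ref.get("Fn::GetAtt")
    if isinstance(att, list):
        return att[0]
    return att.split(".")[0] if isinstance(att, str) else None

def unordered_projects(template):
    """Map each CodeBuild project to the role policies missing from its DependsOn."""
    resources = template.get("Resources", {})
    findings = {}
    for name, res in resources.items():
        if res.get("Type") != "AWS::CodeBuild::Project":
            continue
        role = _target(res.get("Properties", {}).get("ServiceRole"))
        depends = set(_listify(res.get("DependsOn")))
        missing = sorted(
            pid for pid, pol in resources.items()
            if role is not None and pol.get("Type") == "AWS::IAM::Policy"
            and role in {_target(r) for r in _listify(pol.get("Properties", {}).get("Roles"))}
            and pid not in depends)
        if missing:
            findings[name] = missing
    return findings

def sample_template(depends_on=None):
    """Constructed template: the answer's role and policy plus a hypothetical project."""
    project = {"Type": "AWS::CodeBuild::Project",
               "Properties": {"ServiceRole": {"Fn::GetAtt": ["CodeBuildIamRole", "Arn"]}}}
    if depends_on:
        project["DependsOn"] = depends_on
    return {"Resources": {
        "CodeBuildIamRole": {"Type": "AWS::IAM::Role"},
        "CodeBuildIamPolicy": {"Type": "AWS::IAM::Policy",
                               "Properties": {"Roles": [{"Ref": "CodeBuildIamRole"}]}},
        "CodeBuildProject": project}}

if __name__ == "__main__":
    print(unordered_projects(sample_template()))
    print(unordered_projects(sample_template("CodeBuildIamPolicy")))
```
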
