Goal: upload the contents of a package to an S3 bucket.
The package is uploaded to Octopus Deploy.
AWS Account and permissions are configured to upload files. Tested using the AWS cli locally.
Using Octopus Cloud, default worker. The deploy logs show
The step failed: Activity Upload a package to an AWS S3 bucket on a Worker failed with error ‘The remote script failed with exit code 100’.
I did change the S3 bucket name to something that does not exist and the error message changed to access denied, as expected. So the connection to AWS is working.
I’m used to bash scripting where I can see the AWS cli command equivalent for the operation that failed.
How can I gather more information related to what action / AWS cli command equivalent is failing?
What permissions does the upload step need?
First few lines of the log are
Running the step as the AWS role test-octopus-frontend-deploy/octopus-frontend
July 29th 2022 11:20:08
Info
Glob pattern ‘**/*’ matched 92 files
July 29th 2022 11:20:08
Info
Attempting to upload C:\Octopus\Tentacle\Work\20220729172001-347-114\staging\agent.svg to bucket qa-maple-yuhufrontend-testing with key /agent.svg.
July 29th 2022 11:20:08
Error
Calamari.Aws.Exceptions.UnknownException: An unrecognized Forbidden error was thrown while uploading to bucket qa-maple-yuhufrontend-testing
July 29th 2022 11:20:08
Error
at Calamari.Aws.Deployment.Conventions.UploadAwsS3Convention.InstallAsync(RunningDeployment deployment) in C:\BuildAgent\work\e0cefbed4ad11812\source\Calamari.Aws\Deployment\Conventions\UploadAwsS3Convention.cs:line 147
July 29th 2022 11:20:08
Error
at Calamari.Aws.Deployment.Conventions.UploadAwsS3Convention.Install(RunningDeployment deployment) in C:\BuildAgent\work\e0cefbed4ad11812\source\Calamari.Aws\Deployment\Conventions\UploadAwsS3Convention.cs:line 105
Thanks for reaching out! I’m sorry to hear you are having trouble uploading files to an AWS S3 bucket via Octopus Deploy, but I’m happy to help take a look.
As a first step in troubleshooting, can you let me know what version of Octopus Deploy you are currently running?
Also, could you upload the raw task log for this failed task for review? Here is a secure link to upload this in case you don’t want to post it publicly on the forum. This should provide a little more detail around the specific error being thrown.
Lastly, I wanted to link our documentation on configuring this feature within Octopus using our built-in step template, which may help shed some light on the underlying issue here.
Locally, I can assume the same role Octopus Cloud is configured to assume and I can upload a file using
aws s3 cp --storage-class STANDARD --acl private agent.svg s3://qa-maple-yuhufrontend-testing/agent.svg
We made 4 releases for this project with different deploy process configurations. Documentation on Releases and Deployments mentions
Releases are snapshots of your deployment process and other associated assets (packages, scripts, variables) as they existed when the release was created.
Is there a way to see the deployment process configuration for historical releases to refresh my memory on which settings I tried?
Thanks for sending all this over, and also for providing the additional information about the troubleshooting you’ve tried so far.
In taking a look through everything I don’t see anything that sticks out as an issue, but I do have a few other things we can try to dive deeper on this problem.
As a first step, could you enable verbose variable output for this project, run a new deployment, and upload a fresh task log for review. This additional level of verbosity may shine some light on the underlying issue here. Feel free to upload the new log to the following secure link, as it may contain some sensitive information when printing out all of the variable information.
Along with this, could you also upload your process JSON for this particular deployment process for review? This will allow me to ensure that my process lines up with yours for testing purposes.
In regards to your last question on reviewing the previous states of the deployment process, you should be able to get a pretty good picture of this by reviewing your Octopus audit log, which contains a detailed history of any actions taken within your Octopus instance. Here is a screenshot of the filters you’d want to apply in order to get to this information (“Document modified” for event category and “Deployment Process” for document type) - you can also filter by specific projects within the left-hand menu if needed as well:
I updated the deploy process to use a different set of AWS credentials and a different S3 bucket so it is safer for us to try out ideas. I uploaded a file locally using the new credentials to verify it still works.
When updating the deploy process, I updated the AWS credentials but forgot to update the S3 bucket name. The deployment failed with the same error message that I saw the first time.
This suggests the AWS credentials / S3 bucket configuration is not right.
I then updated the S3 bucket so the assumed role can access it. The raw logs are uploaded to the secure link.
In doing some further testing on my side I was able to reproduce this same error by setting a bucket policy that prevents most actions against my S3 bucket:
I know you mentioned reviewing this document previously, but could you specifically focus on the bucket policy associated with this bucket to see if anything is set that would prevent this role from uploading objects? Hopefully this helps in getting to the bottom of this issue, but let me know what you find out in reviewing the specific permissions set on this bucket.
Thanks for clarifying your goal with this project, I definitely understand the desire to lock things down as much as possible. From what we’ve discussed this doesn’t sound like an issue with bucket policies but rather an issue with the user policy associated with the role you are using for this (apologies for the initial misunderstanding).
In doing some further testing on my side I was able to generate the following user policy that worked for this use case:
I built this policy using the following documentation from AWS. After associating this user policy with my role I was able to upload objects to S3 via Octopus Deploy both when my bucket existed already and when it did not.
Let me know what you find in comparing my example user policy to yours, but hopefully this helps sort out the underlying problem you’re running into.
Thanks for the update, I’m happy to hear you were able to get things working!
While I was waiting to hear back from you I also got our main documentation updated with this same information, so this should be a good reference for others going forward:
Sorry you ran into some initial trouble in using this particular step template, but thanks for working with me to get things sorted out.
