Deployment failed: Error: Status: 403. Message: Node run failed with exit code 2 about beanstalk-deploy HOT 18 CLOSED

I also got 403 errors when I used $GITHUB_RUN_ID

I changed it to ${{ github.run_id }} and it worked correctly.

I noticed a similar problem when I was using a env var $AWS_REGION for the region key, and that also worked when I changed to use the context syntax: ${{ env.AWS_REGION }}.

from beanstalk-deploy.

@varl Ah ok I understand. Of course, it makes sense. Can't use $ENVVAR syntax in parameter values, since that's not bash, only in strings that are evaluated in the bash shell, e.g. anywhere in a - run: some comand that goes to bash $ENVVAR . In parameter values you must use ${{ env.VAR_NAME }}syntax.

Oh, and by the way, it is possible to just pass in a Dockerrun.aws.json file instead of a zip as well:

Good to know. People read these issues, so good to have this info here 🙂

from beanstalk-deploy.

I noticed the line https://github.com/einaregilsson/beanstalk-deploy/blob/master/aws-api-request.js#L10

secretKey = options.secretKey || awsApiRequest.secretKey || process.env.AWS_SECRET_SECRET_KEY

Is AWS_SECRET_SECRET_KEY a typo?

from beanstalk-deploy.

Thanks! That's definitely a typo, I've just fixed it and pushed a @v2 tag. However, that shouldn't have been an issue, because in https://github.com/einaregilsson/beanstalk-deploy/blob/master/beanstalk-deploy.js#L198

awsApiRequest.secretKey = process.env.INPUT_AWS_SECRET_KEY;

We set the secret key explicitly to the input secret key, so

secretKey = options.secretKey || awsApiRequest.secretKey || process.env.AWS_SECRET_SECRET_KEY

should have used that instead of the typo environment variable. Is there any chance you're putting an empty value in for the secret key in here:

 with:
    aws_access_key: ABC123
    aws_secret_key: XYZ789

You shouldn't have to put any environment variables like this in:

env:
    CI: true
    AWS_ACCESS_KEY_ID: ABC123
    AWS_SECRET_ACCESS_KEY: XYZ789

The aws_access_key and aws_secret_key from

 with:
    aws_access_key: ABC123
    aws_secret_key: XYZ789

should be enough.

from beanstalk-deploy.

So I originally tried using GitHub secrets, but that wasn't working

aws_access_key: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws_secret_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

So thought maybe those keys weren't getting loading, so tried hardcoding them instead.

with:
    aws_access_key: ABC123
    aws_secret_key: XYZ789

But that wasn't working either so added env values hoping if secretKey wasn't getting set properly if would fall back to the environment variables.

env:
    AWS_ACCESS_KEY_ID: ABC123
    AWS_SECRET_ACCESS_KEY: XYZ789

The keys are correct because it works fine from the command line. Any insight what could be wrong from the last log message?

Uploading file to bucket elasticbeanstalk-ca-central-1-302080953439
##[error]Deployment failed: Error: Status: 403. Message: 
##[error]Node run failed with exit code 2

Looks like it's failing on uploading to S3 bucket? Or is it possible to add additional log messages to help find where it's failing?

from beanstalk-deploy.

Note, I checked the S3 bucket and the latest uploaded version was the one from the command line, so it must be failing on uploading to S3 step in the GitHub Action.

from beanstalk-deploy.

Oh! I was using a timestamp like yyyy-MM-dd'T'HH:mm'Z' as the version number, when I changed it to just a number, the zip was successfully uploaded to S3!

So that must be the problem. Any suggestion on how to use a date as the version number?

from beanstalk-deploy.

The problem seems to be the semicolons. From the AWS docs:

I tried URI encoding the key name but was still getting errors. Your best bet is to just replace those : with underscores or dashes, that should be fine.

from beanstalk-deploy.

But also, if you need a build number generator, I can recommend another action I made which generates sequential build numbers: https://github.com/einaregilsson/build-number

from beanstalk-deploy.

Thanks again @einaregilsson! The : in the timestamp must have been the problem. I'm gonna try a timestamp with the format YYYY-MM-dd-HH-mm or YYYYMMddHHmm this morning. Hopefully that works because it would be more meaningful of a version number for us. I'll keep you posted 👍

from beanstalk-deploy.

So, it took jumping through lots of hoops, but I was able to generate a timestamp in a S3 safe format like 2019-11-15T17-51-47-861Z 👍

name: PROD Lint, Build, Deploy

on: 
  push:
    branches:
      - master

jobs:
  build:
    runs-on: ubuntu-latest

    strategy:
      matrix:
        node-version: [10.x]

    steps:
    
    - uses: actions/checkout@v1
    - name: Use node.js ${{ matrix.node-version }}
      uses: actions/setup-node@v1
      with:
        node-version: ${{ matrix.node-version }}
    
    - name: Run npm install, lint
      run: |
        npm ci
        npm install
    
    - name: Generate deployment package
      run: zip -r deploy.zip . -x ".git/*" -x ".github/*" -x ".vscode/*"
      
    - name: Get timestamp
      uses: gerred/actions/current-time@master
      id: current-time
    
    - name: Run string replace
      uses: frabert/replace-string-action@master
      id: format-time
      with:
        pattern: '[:\.]+'
        string: "${{ steps.current-time.outputs.time }}"
        replace-with: '-'
        flags: 'g'  
            
    - name: Run beanstalk-deploy
      uses: einaregilsson/beanstalk-deploy@v2
      with:
        aws_access_key: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws_secret_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        application_name: our-beanstalk-app
        environment_name: our-beanstalk-app-env
        region: ca-central-1
        version_label: "${{ steps.format-time.outputs.replaced }}"
        deployment_package: deploy.zip       

Thanks for your help on this. And for your GitHub Action! 🤗

from beanstalk-deploy.

Thanks for your help on this. And for your GitHub Action! 🤗

Thanks for the bug report! Happy that someone can use this.

from beanstalk-deploy.

Hi Guys! I've been stuck with this same 403 error for a few days and exactly as @dalezak, running from the command line works smoothly, but from the Github Action don't. I've been using administrator access for this test to maximize my success, to no avail.

      - name: Generate deployment Dockerrun.aws.json
        run: |
          make aws-docker-file
          cat Dockerrun.aws.json
          zip deploy.zip Dockerrun.aws.json

      - name: Deploy to EB
        uses: einaregilsson/beanstalk-deploy@v5
        with:
          aws_access_key: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws_secret_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          application_name: $APP_NAME
          environment_name: $ENV_NAME
          version_label: $GITHUB_RUN_ID
          region: ap-southeast-1
          deployment_package: deploy.zip

from beanstalk-deploy.

@MichaelRheault Looks normal, and nice to see that GitHub have added a GITHUB_RUN_ID variable! You're absolutely sure that all the env vars are set, that the zip file is in the right place etc? Maybe try hardcoding in all the values (except maybe the aws secrets) and see if that makes any difference? Github_run_id is a number, does S3 allow filenames that are just numbers? They probably do, just wondering because 403 is usually because some of the parameters are illegal.

from beanstalk-deploy.

@varl ah, interesting. What operating system and shell are you using for your deployment? I use linux and bash so the $ENVVAR syntax works for me, but makes sense that with a different shell or os it wouldn't work.

from beanstalk-deploy.

@MichaelRheault Could this above be your problem as well?

from beanstalk-deploy.

@einaregilsson We're using the Ubuntu image, mostly likely Bash.

This version works: https://github.com/dhis2/app-hub/blob/master/.github/workflows/docker-ci.yml#L143-L144

This version does not: https://github.com/dhis2/app-hub/blob/e33345ea9a9eec7e6e08b14a0292eeb2df4f9499/.github/workflows/docker-ci.yml#L143-L144

It might have been because of the single-quotes, I'm never sure if they are consumed when the YAML is unmarshalled or passed to Bash. Even so, the $AWS_REGION is unquoted, and that also was not expanded and used verbatim (as it in it tried to use literally "$AWS_REGION" as the region).

Very nice action all-in-all, thanks for writing and sharing it! Saved me some time. 👍

Oh, and by the way, it is possible to just pass in a Dockerrun.aws.json file instead of a zip as well: https://github.com/dhis2/app-hub/blob/master/.github/workflows/docker-ci.yml#L145 which is great if the images are pre-built and available on ECR or Docker Hub (as they are in my case).

(Sorry about the off-topic)

from beanstalk-deploy.

Closing this.

from beanstalk-deploy.