b
Hello, I'm having a bear of a time getting my Pulumi CodeBuild stack to deploy to my Elastic Beanstalk instance once code goes through the pipeline. I'm getting a vague "Service:AmazonCloudFormation, Message:S3 error: Access Denied For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html" error in Elastic Beanstalk when the CodeBuild deployment happens. Below are the pertinent security policies from my code, and I've attached my two stack files and the Elastic Beanstalk error event. I cannot see what resource it's failing to pull, but it must be the artifact bucket unless I'm missing something. Thanks in advance for any assistance. I have given the CodeBuild pipeline role the following permissions:
new aws.iam.RolePolicy("buildRoleMinimal", {
    role: buildRole.id,
    policy: pulumi.all([artifactBucket.arn]).apply(([artifactArn]) => JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            // Logs
            {
                Effect: "Allow",
                Action: [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                    "logs:GetLogEvents",
                ],
                Resource: "*",
            },
            // VPC ENI + required Describe permissions (expanded)
            {
                Effect: "Allow",
                Action: [
                    "ec2:CreateNetworkInterface",
                    "ec2:CreateNetworkInterfacePermission",
                    "ec2:DeleteNetworkInterface",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeDhcpOptions",
                    "ec2:DescribeRouteTables",
                    "ec2:DescribeInternetGateways",
                    "ec2:DescribeNatGateways"
                ],
                Resource: "*",
            },
            // Optional: read params during build
            {
                Effect: "Allow",
                Action: [
                    "ssm:GetParameter",
                    "ssm:GetParameters",
                    "ssm:GetParametersByPath",
                ],
                Resource: "*",
            },
            // S3 access to the CodePipeline artifact bucket (source in, output out)
            {
                Effect: "Allow",
                Action: [
                    "s3:GetObject",
                    "s3:GetObjectVersion",
                    "s3:PutObject",
                    "s3:DeleteObject",
                    "s3:ListBucket",
                    "s3:GetBucketAcl",
                    "s3:GetBucketLocation",
                    "s3:PutObjectTagging",
                    "s3:AbortMultipartUpload",
                    "s3:ListBucketMultipartUploads",
                    "s3:ListMultipartUploadParts",
                ],
                Resource: [
                    artifactArn,
                    `${artifactArn}/*`,
                ],
            },
            {
                Effect: "Allow",
                Action: [
                    "codebuild:CreateReport",
                    "codebuild:CreateReportGroup",
                    "codebuild:UpdateReportGroup",
                    "codebuild:DeleteReportGroup",
                    "codebuild:UpdateReport",
                    "codebuild:GetReport",
                    "codebuild:GetReportGroup",
                    "codebuild:BatchGetReportGroups",
                    "codebuild:ListReportGroups"
                ],
                Resource: "*"
            }
        ],
    })),
});
Elastic Beanstalk has the following artifact bucket policy:
new aws.s3.BucketPolicy("artifactBucketPolicy", {
    bucket: artifactBucket.id,
    policy: pulumi.all([ebServiceRole.arn, ebRole.arn, artifactBucket.bucket]).apply(([ebServiceRoleArn, ebRoleArn, bucketName]) => {
        return JSON.stringify({
            Version: "2012-10-17",
            Statement: [
                {
                    Effect: "Allow",
                    Principal: {
                        AWS: [ebServiceRoleArn, ebRoleArn]
                    },
                    Action: [
                        "s3:ListBucket",
                        "s3:GetBucketLocation",
                        "s3:GetBucketAcl"
                    ],
                    Resource: `arn:aws:s3:::${bucketName}`
                },
                {
                    Effect: "Allow",
                    Principal: {
                        AWS: [ebServiceRoleArn, ebRoleArn]
                    },
                    Action: [
                        "s3:GetObject",
                        "s3:GetObjectVersion",
                        "s3:PutObjectTagging"
                    ],
                    Resource: `arn:aws:s3:::${bucketName}/*`
                }
            ]
        });
    })
});
l
That error message says that the CloudFormation service is trying to do something to or with a bucket and isn't being allowed to. None of your policies are for the CloudFormation service, so the error message makes sense -- you'll need to give CloudFormation the correct access. I presume that Elastic Beanstalk instances are built using CloudFormation? I've never used it.
I haven't found any docs on how or where CodeBuild or Elastic Beanstalk use CloudFormation, so I don't know why it's causing an error to be thrown... sorry.
b
I think Elastic Beanstalk uses CloudFormation, but it's sorta "magic". I really don't use EB much, but this is a legacy project that uses it.
l
Maybe add another policy to the bucket policy that allows the AWS service principal CloudFormation access? See if the error goes away?
Any example project, in Terraform, Pulumi, whatever, that grants the sort of access you're trying to set up, would be helpful for reverse engineering the solution. I don't think the runtime is important.