Drone builds failed with 403 access denied

I trigger the build process by pushing code to specific branch, and it failed at the clone step with 403 access denied, could anyone tell me what’s going on?

It’s hard to know what the problem here is without more info.

Which git provider are you using?

If I were to guess, a 403 suggests that the git details you set up drone with doesn’t have the all right permissions or the user you have logged in with doesn’t have all the right permissions

Sorry for the lack of info, I’m running drone with Github provider, I set up an oauth app in the github org, and my github account is the owner of that github org, so it’s confusing that the 403 error occurred.

Besides, I’m working with private Github repositories.
Is there anything missing?

can you provide the env variables you set up drone with? and the drone yaml?

feel free to obfuscate anything secret

docker-compose.yaml

version: '3.9'
networks:
  drone-net:
    name: drone-net
    driver: bridge
services:
  db:
    image: postgres:15.1-bullseye
    container_name: drone-db
    restart: always
    networks:
      - drone-net 
    ports:
      - '5432:5432'
    environment:
      - POSTGRES_USER=drone 
      - POSTGRES_PASSWORD=drone
      - POSTGRES_DB=drone 
    volumes:
      - /data/drone/postgres:/var/lib/postgresql/data
    healthcheck:
        test: ["CMD-SHELL", "pg_isready -U drone"]
        interval: 5s
        timeout: 5s
        retries: 5
  server:
    image: drone/drone:latest
    container_name: drone-server
    restart: always
    networks:
      - drone-net 
    ports:
      - '80:80'
    environment:
      - DRONE_LOGS_DEBUG=true
      - DRONE_LOGS_TRACE=true
      - DRONE_GITHUB_CLIENT_ID=xxx
      - DRONE_GITHUB_CLIENT_SECRET=xxx
      - DRONE_SERVER_HOST=drone.domain.com 
      - DRONE_SERVER_PROTO=https 
      - DRONE_RPC_SECRET=xxx
      - DRONE_USER_FILTER=aaa,bbb,ccc
      - DRONE_USER_CREATE=username:xxx,admin:true
      - DRONE_DATABASE_DRIVER=postgres
      - DRONE_DATABASE_DATASOURCE=postgres://drone:[email protected]/drone?sslmode=disable
      - AWS_ACCESS_KEY_ID=xxx
      - AWS_SECRET_ACCESS_KEY=xxx
      - AWS_DEFAULT_REGION=us-east-1
      - AWS_REGION=us-east-1
      - DRONE_S3_BUCKET=xxx
    volumes:
      - /var/lib/drone:/data
      - /var/run/docker.sock:/var/run/docker.sock
    depends_on:
      - db
  runner:
    image: drone/drone-runner-docker:latest
    container_name: drone-runner
    restart: always
    networks:
      - drone-net
    ports:
      - '3000:3000'
    environment:
      - DRONE_LOGS_DEBUG=true
      - DRONE_LOGS_TRACE=true
      - DRONE_RPC_DUMP_HTTP=true
      - DRONE_RPC_DUMP_HTTP_BODY=true
      - DRONE_RUNNER_NAME=docker-runner
      - DRONE_RUNNER_CAPACITY=10
      - DRONE_RPC_PROTO=https
      - DRONE_RPC_HOST=drone.domain.com
      - DRONE_RPC_SECRET=xxx
      - DRONE_UI_USERNAME=aaa
      - DRONE_UI_PASSWORD=bbb
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock'
    depends_on:
      - server

I just replied to you with my yaml info, but Akismet hid my reply…

hmm I will reach out to the team that manage this discourse to figure out what is going on

in the meantime it may be best to join our community slack and I can have a look - Slack

Hey @panjf2000 - I will respond here so it is easier to archive this answer

that error doesn’t actually look like a github 403 - it looks like an AWS 403

based on the env vars you shared in slack it looks like you are uploading logs to s3 - I think there is an error with your creds and the error is bubbling up in the wrong place.

Hope this helps :slight_smile:

Thanks a lot, Dan.
This response could really be a life saving, I’ve been fighting with Github Oauth for a couple of days and got no clue about it, I’ve remove the S3 configurations and the error went away.

2 Likes

Glad I could help! :slight_smile:

Hi Dan,
Sorry to bother you again, but I want to resolve the 403 issue of AWS S3, I’ve re-check the access key of S3 over and over again, I think the permissions are sufficient for drone, but still, drone kept report 403 access denied, so could you please tell me how I need to generate AWS S3 access key to suit drone.

Hi @panjf2000 the error coming back is directly from the AWS API saying that they are denying access - it is unlikely a drone side issue

besides the access key and secret - is the region and bucket info correct?

have you tried these keys outside of drone - perhaps an AWS API - if they don’t work outside drone that would be the problem