我正在尝试在AWS CodeBuild中创建一个新项目。每次我尝试收到以下错误:
Not authorized to perform DescribeSecurityGroups
任何帮助将不胜感激。
这意味着关联的IAM角色没有附加策略允许CodeBuild描述安全组。
如果您尝试创建新的Build项目并选择了“新服务角色”(在您的帐户中创建服务角色),同时在“其他配置”部分添加了VPC,子网和安全组 - 您将获得“未授权”执行DescribeSecurityGroups“错误。 出于某种原因,AWS自动创建的策略如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"logs:PutLogEvents",
"logs:CreateLogStream",
"logs:CreateLogGroup",
"ecr:UploadLayerPart",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:GetAuthorizationToken",
"ecr:CompleteLayerUpload",
"ecr:BatchCheckLayerAvailability"
],
"Resource": "*"
}
]
}
它不允许任何与VPC / EC2相关的内容,因此您可以预先创建正确的策略并使用它,或者让AWS在没有VPC的情况下创建项目,并通过在“Action”块中添加所需的服务来修改新策略:
"Action": [
"ssm:GetParameters",
"logs:PutLogEvents",
"logs:CreateLogStream",
"logs:CreateLogGroup",
"ecr:UploadLayerPart",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:GetAuthorizationToken",
"ecr:CompleteLayerUpload",
"ecr:BatchCheckLayerAvailability",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets"
],
您可能缺少服务角色中与VPC相关的权限。您需要更新角色以具有以下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeDhcpOptions",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcs"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterfacePermission"
],
"Resource": "arn:aws:ec2:{{region}}:{{account-id}}:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:Subnet": [
"arn:aws:ec2:{{region}}:{{account-id}}:subnet/[[subnets]]"
],
"ec2:AuthorizedService": "codebuild.amazonaws.com"
}
}
}
]
}