我在自定义VPC和专用子网中创建了CodeBuild项目。专用子网具有互联网访问权限,AWS控制台也确认互联网连接适用于此代码构建项目。在构建的“ Provisioning”阶段中,我不断收到VPC_CLIENT_ERROR: Unexpected EC2 error: UnauthorizedOperation错误。我的服务角色策略中肯定缺少某些内容,但无法找出原因。
这里是CodeBuild项目(terraform):
resource "aws_codebuild_project" "frontend" {
name = "frontend"
build_timeout = "5"
service_role = "${aws_iam_role.frontend_build.arn}"
artifacts {
type = "S3"
location = "frontend.myapp.com"
namespace_type = "NONE"
packaging = "NONE"
path = "public"
}
environment {
compute_type = "BUILD_GENERAL1_SMALL"
image = "aws/codebuild/standard:1.0"
type = "LINUX_CONTAINER"
image_pull_credentials_type = "CODEBUILD"
environment_variable {
name = "SOME_KEY1"
value = "SOME_VALUE1"
}
}
logs_config {
cloudwatch_logs {
group_name = "build"
stream_name = "frontend-build"
}
}
source {
type = "GITHUB"
location = "https://github.com/MyOrg/my-repo.git"
git_clone_depth = 1
report_build_status = true
auth {
type = "OAUTH"
}
}
vpc_config {
vpc_id = module.vpc.vpc_id
subnets = module.vpc.private_subnets
security_group_ids = [aws_security_group.build.id]
}
}
这里是此CodeBuild项目的service_role:
resource "aws_iam_role" "frontend_build" {
name = "frontend-build"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "codebuild.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
这是该职位的政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:CreateNetworkInterfacePermission",
"Resource": "arn:aws:ec2:us-east-1:371508653482:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:AuthorizedService": "codebuild.amazonaws.com",
"ec2:Subnet": "subnet-124641af7a83bf872"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeDhcpOptions",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcs",
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetAuthorizationToken",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart",
"ecs:RunTask",
"iam:PassRole",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"ssm:GetParameters"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:GetAuthorizationToken",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"logs:CreateLogGroup",
"logs:PutLogEvents",
"ecr:BatchCheckLayerAvailability"
],
"Resource": "*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::xxx-frontend-build-logs",
"arn:aws:s3:::xxx-frontend-build-logs/*"
]
}
]
}
这里是CodeBuild项目的安全组:
resource "aws_security_group" "build" {
name = "build"
vpc_id = module.vpc.vpc_id
}
resource "aws_security_group_rule" "build_egress" {
type = "egress"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = aws_security_group.build.id
}
在我看来,CodeBuild服务角色无法在VPC中创建ENI。问题似乎出在CodeBuild角色策略中的这一行:
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:CreateNetworkInterfacePermission",
"Resource": "arn:aws:ec2:us-east-1:371508653482:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:AuthorizedService": "codebuild.amazonaws.com",
"ec2:Subnet": "subnet-124641af7a83bf872" <================= Need full ARN here
}
}
},
而不是:
"Condition": {
"StringEquals": {
"ec2:AuthorizedService": "codebuild.amazonaws.com",
"ec2:Subnet": "subnet-124641af7a83bf872"
}
}
尝试...
"Condition": {
"StringEquals": {
"ec2:Subnet": [
"arn:aws:ec2:region:account-id:subnet/subnet-124641af7a83bf872"
],
"ec2:AuthorizedService": "codebuild.amazonaws.com"
}
详细信息在这里:[1]
参考:[1]使用基于身份的策略进行CodeBuild-允许CodeBuild访问创建VPC网络接口所需的AWS服务-https://docs.aws.amazon.com/codebuild/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html#customer-managed-policies-example-create-vpc-network-interface