我正在实施CodePipeline;使用GitHub,CodeBuild和Amazon ECS(蓝色/绿色)。我使用的角色是管道生成的角色:ecsTaskExecutionRole
生成时,具有以下策略:AmazonECSTaskExecutionRolePolicy(包含以下操作):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]}
以及以下信任关系:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"codebuild.amazonaws.com",
"ecs-tasks.amazonaws.com",
]
},
"Action": "sts:AssumeRole"
}
]
}
鉴于该角色是自动生成的,因此可以假定它具有所有必需的权限(使管道正常运行),或者AWS会提供有关分配哪些权限的指南(分配给策略或信任关系)配置)。
尽管,将信任关系更新为包括:
"Service": [
"codebuild.amazonaws.com",
"ecs-tasks.amazonaws.com",
"ec2.amazonaws.com",
"codedeploy.amazonaws.com",
"codepipeline.amazonaws.com",
"s3.amazonaws.com"
]
[我已经在过去1-2年的多个博客/论坛中看到了这个问题;令人难以置信的是,这仍然没有作为AWS教程(或相关博客)的一部分正确记录。
此错误表明CodePipeline角色缺少与“ codedeploy:”相关的权限。
您能否添加
codedeploy:*
角色,然后重试。
如果您不想添加所有CodeDeploy权限,则需要调查Cloudtrail中的“ AccessDenied”调用,并仅允许这些调用。通常这些是必需的:
{
"Action": [
"codedeploy:CreateDeployment",
"codedeploy:GetApplicationRevision",
"codedeploy:GetApplication",
"codedeploy:GetDeployment",
"codedeploy:GetDeploymentConfig",
"codedeploy:RegisterApplicationRevision"
],
"Resource": "*",
"Effect": "Allow"
},
此处记录了默认的“ CodePipeline服务角色策略”:
[[1]管理CodePipeline服务角色-查看默认的CodePipeline服务角色策略-https://docs.aws.amazon.com/codepipeline/latest/userguide/how-to-custom-role.html#view-default-service-role-policy