提供的角色没有足够的权限来访问CodeDeploy

问题描述 投票:0回答:1

我正在实施CodePipeline;使用GitHub,CodeBuild和Amazon ECS(蓝色/绿色)。我使用的角色是管道生成的角色:ecsTaskExecutionRole

生成时,具有以下策略AmazonECSTaskExecutionRolePolicy(包含以下操作):

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "ecr:GetAuthorizationToken",
            "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Resource": "*"
    }
]}

以及以下信任关系

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codebuild.amazonaws.com",
          "ecs-tasks.amazonaws.com",
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

鉴于该角色是自动生成的,因此可以假定它具有所有必需的权限(使管道正常运行),或者AWS会提供有关分配哪些权限的指南(分配给策略或信任关系)配置)。

尽管,将信任关系更新为包括:

"Service": [
      "codebuild.amazonaws.com",
      "ecs-tasks.amazonaws.com",
      "ec2.amazonaws.com",
      "codedeploy.amazonaws.com",
      "codepipeline.amazonaws.com",
      "s3.amazonaws.com"
    ]

我仍然收到错误:enter image description here

[我已经在过去1-2年的多个博客/论坛中看到了这个问题;令人难以置信的是,这仍然没有作为AWS教程(或相关博客)的一部分正确记录。

amazon-iam amazon-ecs aws-code-deploy aws-codepipeline
1个回答
0
投票

“提供的角色没有足够的权限来访问CodeDeploy”

此错误表明CodePipeline角色缺少与“ codedeploy:”相关的权限。

您能否添加

codedeploy:*

角色,然后重试。

如果您不想添加所有CodeDeploy权限,则需要调查Cloudtrail中的“ AccessDenied”调用,并仅允许这些调用。通常这些是必需的:

{
      "Action": [
        "codedeploy:CreateDeployment",
        "codedeploy:GetApplicationRevision",
        "codedeploy:GetApplication",
        "codedeploy:GetDeployment",
        "codedeploy:GetDeploymentConfig",
        "codedeploy:RegisterApplicationRevision"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },

此处记录了默认的“ CodePipeline服务角色策略”:

[[1]管理CodePipeline服务角色-查看默认的CodePipeline服务角色策略-https://docs.aws.amazon.com/codepipeline/latest/userguide/how-to-custom-role.html#view-default-service-role-policy

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.