This started out as a CodeStar project and then grew into something bigger. We reused the Beanstalk application to create stage and prod environments, and kept the originally created dev environment unchanged.
We updated CodePipeline to deploy to our new environments using "Elastic Beanstalk" as the provider. (CodeStar, by contrast, had set up the deployment to the environment it auto-configured in the Beanstalk application using CloudFormation.)
The deployment fails with an error saying that autoscaling:DescribeAutoScalingGroups is not authorized for CodePipeline's IAM role.
Here is the full error message as displayed in CodePipeline:

Insufficient permissions
Deployment failed.
The provided role does not have sufficient permissions: User: arn:aws:sts::xxx:assumed-role/CodeStarWorker-xxx-cod-ToolChain/yyy is not authorized to perform: autoscaling:DescribeAutoScalingGroups (Service: AmazonAutoScaling; Status Code: 403; Error Code: AccessDenied; Request ID: 905ee6ef-d75d-4cf8-b5f3-e6b16a5f6477)
Service: AmazonAutoScaling, Message: User: arn:aws:sts::xxx:assumed-role/CodeStarWorker-xxx-cod-ToolChain/yyy is not authorized to perform: autoscaling:DescribeAutoScalingGroups
Failed to deploy application.
Service: AmazonAutoScaling, Message: User: arn:aws:sts::xxx:assumed-role/CodeStarWorker-xxx-cod-ToolChain/yyy is not authorized to perform: autoscaling:DescribeAutoScalingGroups
Here is the content of the CodePipeline role (aka CodeStarWorker-xxx-on-cod-ToolChain):
Here is the associated permissions boundary (originally generated by CodeStar, and eventually updated by us while trying to get the whole thing working):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ssm:GetParameters",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ssm:ResourceTag/awscodestar:projectArn": "arn:aws:codestar:yyy:xxx:project/xxx-on-cod"
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:CreateBucket",
        "iam:PassRole",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:s3:::aws-codestar-yyy-xxx/xxx-on-cod/ssh/*",
        "arn:aws:s3:::elasticbeanstalk-yyy-xxx/*",
        "arn:aws:s3:::elasticbeanstalk-yyy-xxx",
        "arn:aws:s3:::awscodestar-remote-access-yyy/*",
        "arn:aws:s3:::awscodestar-remote-access-signatures-yyy/*",
        "arn:aws:iam::xxx:role/CodeStarWorker-xxx-on-cod-CloudFormation",
        "arn:aws:secretsmanager:yyy:xxx:secret:xxx"
      ]
    },
    {
      "Sid": "VisualEditor4",
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "codebuild:*",
        "ec2:Describe*",
        "ec2:*SecurityGroup*",
        "iam:PassRole"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "VisualEditor14",
      "Effect": "Allow",
      "Action": [
        "logs:*"
      ],
      "Resource": [
        "arn:aws:logs:yyy:xxx:log-group:/aws/elasticbeanstalk/*"
      ]
    },
    {
      "Sid": "VisualEditor6",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:UpdateEnvironment"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "VisualEditor5",
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:DescribeScalingActivities"
      ],
      "Resource": [
        "arn:aws:autoscaling:yyy:xxx:autoScalingGroup:*"
      ]
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "sns:Get*",
        "sns:Publish",
        "logs:DescribeLogGroups",
        "cloudtrail:StartLogging",
        "lambda:ListFunctions",
        "cloudtrail:CreateTrail",
        "sns:Subscribe",
        "xray:Put*",
        "logs:CreateLogGroup",
        "logs:PutLogEvents",
        "sns:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": "*",
      "Resource": [
        "arn:aws:cloudformation:yyy:xxx:stack/awseb-e-mjdwv9ptcz-stack/2d588c80-5284-11ea-a1d4-068f4db663b8",
        "arn:aws:cloudformation:yyy:xxx:stack/awseb-e-mjdwv9ptcz-stack/2d588c80-5284-11ea-a1d4-068f4db663b8/*",
        "arn:aws:cloudformation:yyy:xxx:stack/awscodestar-xxx-on-cod-*",
        "arn:aws:codebuild:yyy:xxx:project/xxx-on-cod",
        "arn:aws:codecommit:yyy:xxx:xxx-on-codecommit",
        "arn:aws:codepipeline:yyy:xxx:xxx-on-cod-Pipeline",
        "arn:aws:elasticbeanstalk:yyy:xxx:*/xxx-on-cod*",
        "arn:aws:s3:::aws-codestar-yyy-xxx-xxx-on-cod-pipe",
        "arn:aws:s3:::aws-codestar-yyy-xxx-xxx-on-cod-pipe/*",
        "arn:aws:s3:::elasticbeanstalk-yyy-xxx/resources/environments/e-fp3mwptx9q",
        "arn:aws:s3:::elasticbeanstalk-yyy-xxx/resources/environments/e-fp3mwptx9q/*",
        "arn:aws:s3:::elasticbeanstalk-yyy-xxx/resources/environments/e-mjdwv9ptcz",
        "arn:aws:s3:::elasticbeanstalk-yyy-xxx/resources/environments/e-mjdwv9ptcz/*"
      ]
    }
  ]
}
```
Pipeline
As you can see, we have two CodeBuilds: the first is the one CodeStar set up, and the second slightly modifies the files of the output artifact so that it has the right format to be uploaded directly to Beanstalk.
The successful deployment is the CodeStar one (using the CloudFormation provider); the next one is the failing deployment (using the Beanstalk provider).

Our CodeBuild (buildspec.yml), whose output artifact is used by the CloudFormation deployment:
```yaml
version: 0.2
phases:
  install:
    runtime-versions:
      java: openjdk8
    commands:
      # Upgrade AWS CLI to the latest version
      - pip install --upgrade awscli
  pre_build:
    commands:
      - cd $CODEBUILD_SRC_DIR
      - mvn clean compile test
  build:
    commands:
      - mvn war:exploded
  post_build:
    commands:
      - cp -r .ebextensions/ target/ROOT/
      - aws cloudformation package --template template.yml --s3-bucket $S3_BUCKET --output-template-file template-export.yml
      # Do not remove this statement. This command is required for AWS CodeStar projects.
      # Update the AWS Partition, AWS Region, account ID and project ID in the project ARN on template-configuration.json file so AWS CloudFormation can tag project resources.
      - sed -i.bak 's/\$PARTITION\$/'${PARTITION}'/g;s/\$AWS_REGION\$/'${AWS_REGION}'/g;s/\$ACCOUNT_ID\$/'${ACCOUNT_ID}'/g;s/\$PROJECT_ID\$/'${PROJECT_ID}'/g' template-configuration.json
artifacts:
  type: zip
  files:
    - target/ROOT/**/*
    - .ebextensions/**/*
    - 'template-export.yml'
    - 'template-configuration.json'
```
Our CodeBuild (buildspec-two.yml), whose output artifact is used by the (failing) Beanstalk deployment:
```yaml
# Everything up to that point is the very same as the code from above
artifacts:
  type: zip
  base-directory: 'target/ROOT'
  files:
    - ./**/*
    - .ebextensions/**/*
```
Conclusion
I don't understand how the deployment can fail, since both the permissions boundary and the base IAM role mention autoscaling:DescribeAutoScalingGroups.
Also, the deployment to the CodeStar environment works fine, yet the specific environment that makes the deployment fail was created as an exact copy of it (configuration-wise).
Any ideas?
(Also, the initial dev environment, just like the newly created stage environment, doesn't even have an associated AutoScalingGroup... so I don't know why the deployment even tries to do that.)
(And I checked in S3 to make sure that both deployed artifacts have the same structure.)
This is a tough one to solve, but as far as I can see there are two potential issues. One is that the "DescribeAutoScalingGroups" action does not support resource-level permissions, so it has to have an asterisk as the resource rather than a resource ARN. You could try removing the following:

```json
"Resource": [
    "arn:aws:autoscaling:yyy:xxx:autoScalingGroup:*"
]
```
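As an added illustration of the answer's point (not code from the question or the answer), the check below scans a policy document for Allow statements that grant autoscaling:DescribeAutoScalingGroups with an ARN-only Resource, and rewrites them so that only that action is granted on "*" while the rest of the statement (SuspendProcesses, ResumeProcesses, ...) keeps its ARN scope. The sample policy is the boundary's VisualEditor5 statement; the set of non-resource-level actions and the skipping of Deny and Condition evaluation are assumptions.

```python
import copy
import fnmatch

# The answer above states that autoscaling:DescribeAutoScalingGroups has no
# resource-level permissions, so IAM honours it only with Resource "*".
# Assumption: extend this set with other such actions as you confirm them.
NO_RESOURCE_LEVEL = {"autoscaling:DescribeAutoScalingGroups"}

# Constructed sample: the VisualEditor5 statement of the boundary above.
BOUNDARY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor5", "Effect": "Allow",
    "Action": ["autoscaling:DescribeAutoScalingGroups",
               "autoscaling:SuspendProcesses", "autoscaling:ResumeProcesses",
               "autoscaling:DescribeScalingActivities"],
    "Resource": ["arn:aws:autoscaling:yyy:xxx:autoScalingGroup:*"]}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _arn_scoped_allow(st):
    return st.get("Effect") == "Allow" and "*" not in _as_list(st["Resource"])


def misscoped_actions(policy):
    """(Sid, action) pairs where an ARN-scoped Allow statement grants a
    non-resource-level action, literally or through a wildcard pattern."""
    found = []
    for st in filter(_arn_scoped_allow, policy["Statement"]):
        for act in sorted(NO_RESOURCE_LEVEL):
            if any(fnmatch.fnmatchcase(act, p) for p in _as_list(st["Action"])):
                found.append((st.get("Sid", "?"), act))
    return found


def split_misscoped(policy):
    """Copy of `policy` where literal non-resource-level actions move to a new
    statement on "*"; other actions keep their ARN scope (least privilege).
    Wildcard action patterns are only reported above, never widened here."""
    fixed, extra = copy.deepcopy(policy), []
    for st in filter(_arn_scoped_allow, fixed["Statement"]):
        actions = _as_list(st["Action"])
        bad = [a for a in actions if a in NO_RESOURCE_LEVEL]
        keep = [a for a in actions if a not in NO_RESOURCE_LEVEL]
        if bad and keep:
            st["Action"] = keep
            extra.append({"Sid": st.get("Sid", "") + "NoResourceLevel",
                          "Effect": "Allow", "Action": bad, "Resource": "*"})
        elif bad:
            st["Resource"] = "*"  # nothing left to keep ARN-scoped
    fixed["Statement"].extend(extra)
    return fixed
```

Running `misscoped_actions(BOUNDARY)` reports VisualEditor5; `split_misscoped(BOUNDARY)` yields two statements, with only DescribeAutoScalingGroups on "*".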