CodePipeline cannot deploy to Beanstalk even though IAM is set up correctly

Question   Votes: 1   Answers: 1

Context

This started out as a CodeStar project and then grew into something bigger. We reused the Beanstalk application to create stage and prod environments, keeping the originally created dev environment untouched.

We updated the CodePipeline to deploy to our new environments using "Elastic Beanstalk" as the provider. (Whereas CodeStar had set up the deployment with CloudFormation for the environment it automatically created in the Beanstalk application.)

Problem

The deployment fails with an error saying that autoscaling:DescribeAutoScalingGroups is not authorized for the CodePipeline IAM role.

Here is the full error message shown in CodePipeline:

Insufficient permissions

Deployment failed.

The provided role does not have sufficient permissions: User: arn:aws:sts::xxx:assumed-role/CodeStarWorker-xxx-cod-ToolChain/yyy is not authorized to perform: autoscaling:DescribeAutoScalingGroups (Service: AmazonAutoScaling; Status Code: 403; Error Code: AccessDenied; Request ID: 905ee6ef-d75d-4cf8-b5f3-e6b16a5f6477)

Service: AmazonAutoScaling, Message: User: arn:aws:sts::xxx:assumed-role/CodeStarWorker-xxx-cod-ToolChain/yyy is not authorized to perform: autoscaling:DescribeAutoScalingGroups

Failed to deploy application.

Service: AmazonAutoScaling, Message: User: arn:aws:sts::xxx:assumed-role/CodeStarWorker-xxx-cod-ToolChain/yyy is not authorized to perform: autoscaling:DescribeAutoScalingGroups

IAM

Here is the content of the CodePipeline role (aka CodeStarWorker-xxx-on-cod-ToolChain):

[screenshot of the role's policy]

Here is the associated permissions boundary (originally generated by CodeStar, and eventually updated by us to try to get the whole thing working):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ssm:GetParameters",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ssm:ResourceTag/awscodestar:projectArn": "arn:aws:codestar:yyy:xxx:project/xxx-on-cod"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:CreateBucket",
                "iam:PassRole",
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:s3:::aws-codestar-yyy-xxx/xxx-on-cod/ssh/*",
                "arn:aws:s3:::elasticbeanstalk-yyy-xxx/*",
                "arn:aws:s3:::elasticbeanstalk-yyy-xxx",
                "arn:aws:s3:::awscodestar-remote-access-yyy/*",
                "arn:aws:s3:::awscodestar-remote-access-signatures-yyy/*",
                "arn:aws:iam::xxx:role/CodeStarWorker-xxx-on-cod-CloudFormation",
                "arn:aws:secretsmanager:yyy:xxx:secret:xxx"
            ]
        },
        {
            "Sid": "VisualEditor4",
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "codebuild:*",
                "ec2:Describe*",
                "ec2:*SecurityGroup*",
                "iam:PassRole"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "VisualEditor14",
            "Effect": "Allow",
            "Action": [
                "logs:*"
            ],
            "Resource": [
                "arn:aws:logs:yyy:xxx:log-group:/aws/elasticbeanstalk/*"
            ]
        },
        {
            "Sid": "VisualEditor6",
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:UpdateEnvironment"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "VisualEditor5",
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:SuspendProcesses",
                "autoscaling:ResumeProcesses",
                "autoscaling:DescribeScalingActivities"
            ],
            "Resource": [
                "arn:aws:autoscaling:yyy:xxx:autoScalingGroup:*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "sns:Get*",
                "sns:Publish",
                "logs:DescribeLogGroups",
                "cloudtrail:StartLogging",
                "lambda:ListFunctions",
                "cloudtrail:CreateTrail",
                "sns:Subscribe",
                "xray:Put*",
                "logs:CreateLogGroup",
                "logs:PutLogEvents",
                "sns:List*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": "*",
            "Resource": [
                "arn:aws:cloudformation:yyy:xxx:stack/awseb-e-mjdwv9ptcz-stack/2d588c80-5284-11ea-a1d4-068f4db663b8",
                "arn:aws:cloudformation:yyy:xxx:stack/awseb-e-mjdwv9ptcz-stack/2d588c80-5284-11ea-a1d4-068f4db663b8/*",
                "arn:aws:cloudformation:yyy:xxx:stack/awscodestar-xxx-on-cod-*",
                "arn:aws:codebuild:yyy:xxx:project/xxx-on-cod",
                "arn:aws:codecommit:yyy:xxx:xxx-on-codecommit",
                "arn:aws:codepipeline:yyy:xxx:xxx-on-cod-Pipeline",
                "arn:aws:elasticbeanstalk:yyy:xxx:*/xxx-on-cod*",
                "arn:aws:s3:::aws-codestar-yyy-xxx-xxx-on-cod-pipe",
                "arn:aws:s3:::aws-codestar-yyy-xxx-xxx-on-cod-pipe/*",
                "arn:aws:s3:::elasticbeanstalk-yyy-xxx/resources/environments/e-fp3mwptx9q",
                "arn:aws:s3:::elasticbeanstalk-yyy-xxx/resources/environments/e-fp3mwptx9q/*",
                "arn:aws:s3:::elasticbeanstalk-yyy-xxx/resources/environments/e-mjdwv9ptcz",
                "arn:aws:s3:::elasticbeanstalk-yyy-xxx/resources/environments/e-mjdwv9ptcz/*"
            ]
        }
    ]
}

Pipeline

[screenshot of the pipeline]

As you can see, we have two CodeBuild stages: the first one was set up by CodeStar, while the second one slightly rearranges the files of the output artifact so that it has the right format to be uploaded directly to Beanstalk.

The successful deployment is the CodeStar one (using the CloudFormation provider); the next one is the failing deployment (using the Beanstalk provider).

CodeStar CodeBuild (buildspec.yml)

Its output artifact is used by the CloudFormation deployment:

version: 0.2

phases:
  install:
    runtime-versions:
      java: openjdk8
    commands:
      # Upgrade AWS CLI to the latest version
      - pip install --upgrade awscli
  pre_build:
    commands:
      - cd $CODEBUILD_SRC_DIR
      - mvn clean compile test
  build:
    commands:
      - mvn war:exploded
  post_build:
    commands:
      - cp -r .ebextensions/ target/ROOT/
      - aws cloudformation package --template template.yml --s3-bucket $S3_BUCKET --output-template-file template-export.yml
      # Do not remove this statement. This command is required for AWS CodeStar projects.
      # Update the AWS Partition, AWS Region, account ID and project ID in the project ARN on template-configuration.json file so AWS CloudFormation can tag project resources.
      - sed -i.bak 's/\$PARTITION\$/'${PARTITION}'/g;s/\$AWS_REGION\$/'${AWS_REGION}'/g;s/\$ACCOUNT_ID\$/'${ACCOUNT_ID}'/g;s/\$PROJECT_ID\$/'${PROJECT_ID}'/g' template-configuration.json
artifacts:
  type: zip
  files:
    - target/ROOT/**/*
    - .ebextensions/**/*
    - 'template-export.yml'
    - 'template-configuration.json'

Our CodeBuild (buildspec-two.yml)

Its output artifact is used by the (failing) Beanstalk deployment:

# Everything up to that point is the very same as the code from above

artifacts:
  type: zip
  base-directory: 'target/ROOT'
  files:
    - ./**/*
    - .ebextensions/**/*

Conclusion

I don't understand how the deployment can fail, since both the permissions boundary and the base IAM role mention autoscaling:DescribeAutoScalingGroups.

Moreover, the deployment to the CodeStar environment works fine, whereas the specific environment whose deployment fails is an exact copy of it (configuration-wise).

Any ideas?

(Also, the initial dev environment, just like the newly created stage environment, doesn't even have an associated AutoScalingGroup... so I don't know why the deployment even tries to do that.)

(And I checked in S3 to make sure that both deployed artifacts have the same structure.)


Tags: amazon-web-services amazon-elastic-beanstalk amazon-iam aws-codepipeline aws-codebuild

1 Answer

1 vote

This is a hard one to solve, but as far as I can see there are two potential problems. One is that the "DescribeAutoScalingGroups" action does not support resource-level permissions, so it has to have an asterisk as the resource rather than a resource ARN. You could try removing the following:

"Resource": [
                "arn:aws:autoscaling:yyy:xxx:autoScalingGroup:*"
            ]
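As an added example (not part of the question or the answer), this Python script looks for the mistake the answer describes, an action that ignores Resource ARNs being allowed only on specific ARNs, and rewrites the policy so those actions get their own statement with Resource "*". It assumes, beyond what the answer states, that DescribeScalingActivities has the same limitation; the policy excerpt is constructed from the question's permissions boundary.

```python
from copy import deepcopy

# Actions treated as not supporting resource-level permissions. The answer states
# this for DescribeAutoScalingGroups; adding DescribeScalingActivities is an
# assumption (Auto Scaling Describe* actions share this property).
NO_RESOURCE_LEVEL = {
    "autoscaling:DescribeAutoScalingGroups",
    "autoscaling:DescribeScalingActivities",
}

# Constructed excerpt of the question's permissions boundary (Sid VisualEditor5).
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor5",
        "Effect": "Allow",
        "Action": [
            "autoscaling:DescribeAutoScalingGroups",
            "autoscaling:SuspendProcesses",
            "autoscaling:ResumeProcesses",
            "autoscaling:DescribeScalingActivities",
        ],
        "Resource": ["arn:aws:autoscaling:yyy:xxx:autoScalingGroup:*"],
    }],
}

def _as_list(v):  # IAM allows a string or a list for Action and Resource
    return v if isinstance(v, list) else [v]

def find_misscoped(policy):
    """(Sid, action) pairs where an action that ignores Resource ARNs is allowed
    only on specific ARNs; IAM then finds no matching Allow and denies it."""
    hits = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "*" in _as_list(st.get("Resource", [])):
            continue
        hits += [(st.get("Sid", "<no Sid>"), a)
                 for a in _as_list(st.get("Action", [])) if a in NO_RESOURCE_LEVEL]
    return hits

def fix_policy(policy):
    """Move mis-scoped actions into a separate statement with Resource "*",
    keeping the ARN-scoped statement for the actions that do support ARNs."""
    fixed, moved = deepcopy(policy), []
    for st in fixed["Statement"]:
        if st.get("Effect") != "Allow" or "*" in _as_list(st.get("Resource", [])):
            continue
        actions = _as_list(st.get("Action", []))
        moved += [a for a in actions if a in NO_RESOURCE_LEVEL]
        st["Action"] = [a for a in actions if a not in NO_RESOURCE_LEVEL]
    fixed["Statement"] = [s for s in fixed["Statement"] if _as_list(s.get("Action", []))]
    if moved:  # drop statements left empty, then add the wildcard statement
        fixed["Statement"].append({"Sid": "AutoScalingDescribeWildcard", "Effect": "Allow",
                                   "Action": sorted(set(moved)), "Resource": "*"})
    return fixed
```

Since the effective permissions are the intersection of the role policy and the permissions boundary, run it on both documents, not only on the boundary.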