我们将MyReadOnlySecretServer
政策设置为:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds"
],
"Resource": "arn:aws:secretsmanager:REGION:SOME_ID:secret:ID_OF_OUR_SECRET_JSON"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"secretsmanager:GetRandomPassword",
"secretsmanager:ListSecrets"
],
"Resource": "*"
}
]
}
我们在Elastic Beanstalk上部署了SpringBoot应用程序,并已成功检索和使用了生产中的秘密。
但是,无论如何,当我们仍处于管道的构建阶段时,显然,我们的CodeStarWorker无法读取值。这是例外:
software.amazon.awssdk.services.secretsmanager.model.SecretsManagerException:用户:arn:aws:sts :: SOME_ID:assumed-role / CodeStarWorker-blabla-ToolChain / AWSCodeBuild-some-long-id无权执行:secretsmanager:GetSecretValue on资源:arn:aws:secretsmanager:REGION:SOME_ID:secret:ID_OF_OUR_SECRET_JSON(服务:SecretsManager,状态码:400,请求ID:其他长ID)
[我们在部署时尝试访问机密时遇到了此异常,如异常所提到的,将MyReadOnlySecretServer
策略添加到IAM角色CodeStarWorker-blabla-ToolChain
中,并且解决了问题。
但是,现在我们尝试在mvn test
中运行buildspec.yml
,我们得到了同样的异常。
[为什么为什么我们的buildspec.yml
被拒绝访问,尽管它们由与“源+构建+部署”阶段相同的代码管道运行?部署后,实例具有访问权限,但是在构建时没有权限。
buildspec.yml
:version: 0.2
phases:
install:
runtime-versions:
java: openjdk8
commands:
# Upgrade AWS CLI to the latest version
- pip install --upgrade awscli
pre_build:
commands:
- cd $CODEBUILD_SRC_DIR
- mvn clean compile test # commenting this "test" makes it run properly
build:
commands:
- mvn war:exploded
post_build:
commands:
- cp -r .ebextensions/ target/ROOT/
- aws cloudformation package --template template.yml --s3-bucket $S3_BUCKET --output-template-file template-export.yml
# Do not remove this statement. This command is required for AWS CodeStar projects.
# Update the AWS Partition, AWS Region, account ID and project ID in the project ARN on template-configuration.json file so AWS CloudFormation can tag project resources.
- sed -i.bak 's/\$PARTITION\$/'${PARTITION}'/g;s/\$AWS_REGION\$/'${AWS_REGION}'/g;s/\$ACCOUNT_ID\$/'${ACCOUNT_ID}'/g;s/\$PROJECT_ID\$/'${PROJECT_ID}'/g' template-configuration.json
artifacts:
type: zip
files:
- target/ROOT/**/*
- .ebextensions/**/*
- 'template-export.yml'
- 'template-configuration.json'
在我看来,CodeBuild承担角色'CodeStarWorker-blabla-ToolChain',而角色本身没有'secretsmanager:GetSecretValue'权限。同样,从内存来看,CodeStarWorker角色具有一个权限边界,即使您已显式添加所需的权限,该权限边界也可能阻止访问。这里讨论了类似的问题: