AWS Pipeline buildspec拒绝访问SecretManager,但已授权已部署的Beanstalk实例

问题描述 投票:0回答:1

我们将MyReadOnlySecretServer政策设置为:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds"
            ],
            "Resource": "arn:aws:secretsmanager:REGION:SOME_ID:secret:ID_OF_OUR_SECRET_JSON"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetRandomPassword",
                "secretsmanager:ListSecrets"
            ],
            "Resource": "*"
        }
    ]
}

我们在Elastic Beanstalk上部署了SpringBoot应用程序,并已成功检索和使用了生产中的秘密。

但是,无论如何,当我们仍处于管道的构建阶段时,显然,我们的CodeStarWorker无法读取值。这是例外:

software.amazon.awssdk.services.secretsmanager.model.SecretsManagerException:用户:arn:aws:sts :: SOME_ID:assumed-role / CodeStarWorker-blabla-ToolChain / AWSCodeBuild-some-long-id无权执行:secretsmanager:GetSecretValue on资源:arn:aws:secretsmanager:REGION:SOME_ID:secret:ID_OF_OUR_SECRET_JSON(服务:SecretsManager,状态码:400,请求ID:其他长ID)

[我们在部署时尝试访问机密时遇到了此异常,如异常所提到的,将MyReadOnlySecretServer策略添加到IAM角色CodeStarWorker-blabla-ToolChain中,并且解决了问题。

但是,现在我们尝试在mvn test中运行buildspec.yml,我们得到了同样的异常。

[为什么为什么我们的buildspec.yml被拒绝访问,尽管它们由与“源+构建+部署”阶段相同的代码管道运行?部署后,实例具有访问权限,但是在构建时没有权限。

这里是buildspec.yml

version: 0.2

phases:
  install:
    runtime-versions:
      java: openjdk8
    commands:
      # Upgrade AWS CLI to the latest version
      - pip install --upgrade awscli
  pre_build:
    commands:
      - cd $CODEBUILD_SRC_DIR
      - mvn clean compile test  # commenting this "test" makes it run properly
  build:
    commands:
      - mvn war:exploded
  post_build:
    commands:
      - cp -r .ebextensions/ target/ROOT/
      - aws cloudformation package --template template.yml --s3-bucket $S3_BUCKET --output-template-file template-export.yml
      # Do not remove this statement. This command is required for AWS CodeStar projects.
      # Update the AWS Partition, AWS Region, account ID and project ID in the project ARN on template-configuration.json file so AWS CloudFormation can tag project resources.
      - sed -i.bak 's/\$PARTITION\$/'${PARTITION}'/g;s/\$AWS_REGION\$/'${AWS_REGION}'/g;s/\$ACCOUNT_ID\$/'${ACCOUNT_ID}'/g;s/\$PROJECT_ID\$/'${PROJECT_ID}'/g' template-configuration.json
artifacts:
  type: zip
  files:
    - target/ROOT/**/*
    - .ebextensions/**/*
    - 'template-export.yml'
    - 'template-configuration.json'
amazon-web-services amazon-elastic-beanstalk amazon-iam aws-codepipeline aws-codebuild
1个回答
1
投票

在我看来,CodeBuild承担角色'CodeStarWorker-blabla-ToolChain',而角色本身没有'secretsmanager:GetSecretValue'权限。同样,从内存来看,CodeStarWorker角色具有一个权限边界,即使您已显式添加所需的权限,该权限边界也可能阻止访问。这里讨论了类似的问题:

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.