IAM Issue with CodeDeploy
Posted 2020-09-16 20:50:42

Question: I'm stuck on what seems like a trivial task: getting CodeDeploy to deploy code from GitHub to an AutoScaling group in a blue/green deployment.
I have a pipeline set up, a deployment group set up, an AutoScaling group, an ELB and a LAUNCH CONFIGURATION, but the actual deployment fails:
Here is my role in codeDeploy-roles:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "autoscaling:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "cloudwatch:PutMetricAlarm",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeImages",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstances",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSpotInstanceRequests",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcClassicLink"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTargetGroups"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "autoscaling.amazonaws.com"
                }
            }
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:CompleteLifecycleAction",
                "autoscaling:DeleteLifecycleHook",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLifecycleHooks",
                "autoscaling:PutLifecycleHook",
                "autoscaling:RecordLifecycleActionHeartbeat",
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:EnableMetricsCollection",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribePolicies",
                "autoscaling:DescribeScheduledActions",
                "autoscaling:DescribeNotificationConfigurations",
                "autoscaling:DescribeLifecycleHooks",
                "autoscaling:SuspendProcesses",
                "autoscaling:ResumeProcesses",
                "autoscaling:AttachLoadBalancers",
                "autoscaling:AttachLoadBalancerTargetGroups",
                "autoscaling:PutScalingPolicy",
                "autoscaling:PutScheduledUpdateGroupAction",
                "autoscaling:PutNotificationConfiguration",
                "autoscaling:PutLifecycleHook",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:DeleteAutoScalingGroup",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:TerminateInstances",
                "tag:GetResources",
                "sns:Publish",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:DeregisterTargets"
            ],
            "Resource": "*"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole",
                "ec2:CreateTags",
                "ec2:RunInstances"
            ],
            "Resource": "*"
        }
    ]
}
Is there a policy I haven't thought of that needs to be attached to this role?
Comments:
You need an Auto Scaling group policy in the role! You can use your own policy, or use an AWS managed policy!
In the first policy I use AutoScalingFullAccess, which is an AWS managed policy! Can you paste the policy into the question?
Please see the role in my question.
What is the trust policy of that role?

Answer 1: As far as I understand, I would rather follow these steps.
- You need to create a CodeDeployServiceRole; you have only used the built-in policy so far.
- Create a CodeDeploy application and deployment group, and assign your CodeDeployServiceRole there.
- In the launch configuration you don't have to worry about CodeDeploy; just configure your instance profile with the policies the instance actions need.
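The comment thread asks what the role's trust policy is, and the answer says to use a proper CodeDeployServiceRole rather than the ad-hoc policies above. As an added example (not code from the question or the answer), the Python below audits a role's trust policy and attached policy documents the way a reviewer would before assigning the role to a deployment group: it checks that the CodeDeploy service is allowed to assume the role, lists required Auto Scaling/ELB actions that nothing grants, and flags sensitive actions given on Resource "*". REQUIRED, SENSITIVE, TRUST_OK and PASSROLE_POLICY are constructed for this example (the latter mirrors the third policy in the question).

```python
import fnmatch

CODEDEPLOY = "codedeploy.amazonaws.com"
# Constructed subset of the actions a blue/green deployment into an Auto Scaling
# group relies on, taken from the AWSCodeDeployRole-style statement in the question.
REQUIRED = {"autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup",
            "autoscaling:PutLifecycleHook", "autoscaling:CompleteLifecycleAction",
            "ec2:DescribeInstances", "elasticloadbalancing:RegisterTargets"}
# Grants worth a second look when they come with Resource "*".
SENSITIVE = {"iam:PassRole", "autoscaling:*", "ec2:RunInstances"}


def _lst(v):
    return v if isinstance(v, list) else [v]


def trusts_codedeploy(trust_doc):
    """True if the trust policy lets the CodeDeploy service assume the role."""
    return any(st.get("Effect") == "Allow"
               and CODEDEPLOY in _lst(st.get("Principal", {}).get("Service", []))
               and "sts:AssumeRole" in _lst(st.get("Action", []))
               for st in _lst(trust_doc.get("Statement", [])))


def _allows(policy_docs):
    for doc in policy_docs:
        for st in _lst(doc["Statement"]):
            if st.get("Effect") == "Allow":
                yield st


def missing_actions(policy_docs):
    """Required actions that no unconditional Allow (wildcards included) covers."""
    allowed = {a for st in _allows(policy_docs) if "Condition" not in st
               for a in _lst(st["Action"])}
    return {a for a in REQUIRED if not any(fnmatch.fnmatchcase(a, p) for p in allowed)}


def broad_grants(policy_docs):
    """Sensitive actions granted on Resource "*"; candidates for scoping down."""
    return {a for st in _allows(policy_docs) if "*" in _lst(st.get("Resource", []))
            for a in _lst(st["Action"]) if a in SENSITIVE}


# Constructed samples: a correct CodeDeploy trust policy and the third policy
# posted in the question (iam:PassRole and ec2:RunInstances on every resource).
TRUST_OK = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"Service": "codedeploy.amazonaws.com"}}]}
PASSROLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["iam:PassRole", "ec2:CreateTags", "ec2:RunInstances"]}]}
```

Run it against the JSON returned by `aws iam get-role` and `aws iam get-policy-version` for the role in question; a non-empty `missing_actions` result explains a failed deployment before the pipeline does.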