AWS CodePipeline 角色无权在阶段的“操作”块中对角色执行 AssumeRole
Posted
技术标签:
【中文标题】AWS CodePipeline 角色无权在阶段的“操作”块中对角色执行 AssumeRole【英文标题】:AWS CodePipeline role is not authorized to perform AssumeRole on Role in "action" block of a stage 【发布时间】:2021-12-24 01:58:00 【问题描述】:我的 CodePipeline 中的“部署”阶段应该具有与 CodePipeline 不同的 IAM 角色(Arn:another_codepipeline_role_arn)(Arn:codepipeline_role_arn )。下面是我的 terraform 配置。
resource "aws_codepipeline" "codepipeline"
name = "test_pipeline"
role_arn = var.codepipeline_role_arn
artifact_store
location = aws_s3_bucket.codepipeline_bucket.bucket
type = "S3"
...
stage
name = "Deploy"
action
name = "Deploy"
category = "Deploy"
owner = "AWS"
provider = "CloudFormation"
input_artifacts = ["build_output"]
version = "1"
configuration =
ActionMode = "CREATE_UPDATE"
Capabilities = "CAPABILITY_AUTO_EXPAND,CAPABILITY_IAM"
OutputFileName = var.codepipeline_output_filename
StackName = "test-stack"
TemplatePath = "build_output::packaged.yaml"
role_arn = var.another_codepipeline_role_arn
但是在应用更改时,Terraform 会抛出此错误:
Error: Error creating CodePipeline: InvalidStructureException: arn:aws:iam::account_id:role/codepipeline_role is not authorized to perform AssumeRole on role arn:aws:iam::account_id:role/another_codepipeline_role
还需要注意的是,我已经在AssumeRole 政策文档的Service 部分指定了codepipeline.amazonaws.com(示例如下):
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Principal":
"Service": [
"codepipeline.amazonaws.com"
]
,
"Action": "sts:AssumeRole"
]
任何帮助将不胜感激。提前致谢!
PS:下面附上codepipeline_role_arn和another_codepipeline_role_arn的角色:
codepipeline_role_arn:
"Statement": [
"Action": [
"iam:PassRole"
],
"Resource": "*",
"Effect": "Allow",
"Condition":
"StringEqualsIfExists":
"iam:PassedToService": [
"cloudformation.amazonaws.com",
"elasticbeanstalk.amazonaws.com",
"ec2.amazonaws.com",
"ecs-tasks.amazonaws.com"
]
,
"Action": [
"codecommit:CancelUploadArchive",
"codecommit:GetBranch",
"codecommit:GetCommit",
"codecommit:GetRepository",
"codecommit:GetUploadArchiveStatus",
"codecommit:UploadArchive",
"codepipeline:*"
],
"Resource": "*",
"Effect": "Allow"
,
"Action": [
"codedeploy:CreateDeployment",
"codedeploy:GetApplication",
"codedeploy:GetApplicationRevision",
"codedeploy:GetDeployment",
"codedeploy:GetDeploymentConfig",
"codedeploy:RegisterApplicationRevision"
],
"Resource": "*",
"Effect": "Allow"
,
"Action": [
"codestar-connections:UseConnection"
],
"Resource": "*",
"Effect": "Allow"
,
"Action": [
"elasticbeanstalk:*",
"ec2:*",
"elasticloadbalancing:*",
"autoscaling:*",
"cloudwatch:*",
"s3:*",
"sns:*",
"cloudformation:*",
"rds:*",
"sqs:*",
"ecs:*"
],
"Resource": "*",
"Effect": "Allow"
,
"Action": [
"lambda:InvokeFunction",
"lambda:ListFunctions"
],
"Resource": "*",
"Effect": "Allow"
,
"Action": [
"opsworks:CreateDeployment",
"opsworks:DescribeApps",
"opsworks:DescribeCommands",
"opsworks:DescribeDeployments",
"opsworks:DescribeInstances",
"opsworks:DescribeStacks",
"opsworks:UpdateApp",
"opsworks:UpdateStack"
],
"Resource": "*",
"Effect": "Allow"
,
"Action": [
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:UpdateStack",
"cloudformation:CreateChangeSet",
"cloudformation:DeleteChangeSet",
"cloudformation:DescribeChangeSet",
"cloudformation:ExecuteChangeSet",
"cloudformation:SetStackPolicy",
"cloudformation:ValidateTemplate"
],
"Resource": "*",
"Effect": "Allow"
,
"Action": [
"codebuild:BatchGetBuilds",
"codebuild:StartBuild",
"codebuild:BatchGetBuildBatches",
"codebuild:StartBuildBatch"
],
"Resource": "*",
"Effect": "Allow"
,
"Effect": "Allow",
"Action": [
"devicefarm:ListProjects",
"devicefarm:ListDevicePools",
"devicefarm:GetRun",
"devicefarm:GetUpload",
"devicefarm:CreateUpload",
"devicefarm:ScheduleRun"
],
"Resource": "*"
,
"Effect": "Allow",
"Action": [
"servicecatalog:ListProvisioningArtifacts",
"servicecatalog:CreateProvisioningArtifact",
"servicecatalog:DescribeProvisioningArtifact",
"servicecatalog:DeleteProvisioningArtifact",
"servicecatalog:UpdateProduct"
],
"Resource": "*"
,
"Effect": "Allow",
"Action": [
"cloudformation:ValidateTemplate"
],
"Resource": "*"
,
"Effect": "Allow",
"Action": [
"ecr:DescribeImages"
],
"Resource": "*"
,
"Effect": "Allow",
"Action": [
"states:DescribeExecution",
"states:DescribeStateMachine",
"states:StartExecution"
],
"Resource": "*"
,
"Effect": "Allow",
"Action": [
"appconfig:StartDeployment",
"appconfig:StopDeployment",
"appconfig:GetDeployment"
],
"Resource": "*"
],
"Version": "2012-10-17"
another_codepipeline_role_arn:
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": [
"s3:*",
"s3-object-lambda:*"
],
"Resource": "*"
,
"Action": [
"autoscaling:Describe*",
"cloudwatch:*",
"logs:*",
"sns:*",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole"
],
"Effect": "Allow",
"Resource": "*"
,
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition":
"StringLike":
"iam:AWSServiceName": "events.amazonaws.com"
,
"Action": [
"dynamodb:*",
"dax:*",
"application-autoscaling:DeleteScalingPolicy",
"application-autoscaling:DeregisterScalableTarget",
"application-autoscaling:DescribeScalableTargets",
"application-autoscaling:DescribeScalingActivities",
"application-autoscaling:DescribeScalingPolicies",
"application-autoscaling:PutScalingPolicy",
"application-autoscaling:RegisterScalableTarget",
"cloudwatch:DeleteAlarms",
"cloudwatch:DescribeAlarmHistory",
"cloudwatch:DescribeAlarms",
"cloudwatch:DescribeAlarmsForMetric",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"cloudwatch:PutMetricAlarm",
"cloudwatch:GetMetricData",
"datapipeline:ActivatePipeline",
"datapipeline:CreatePipeline",
"datapipeline:DeletePipeline",
"datapipeline:DescribeObjects",
"datapipeline:DescribePipelines",
"datapipeline:GetPipelineDefinition",
"datapipeline:ListPipelines",
"datapipeline:PutPipelineDefinition",
"datapipeline:QueryObjects",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"iam:GetRole",
"iam:ListRoles",
"kms:DescribeKey",
"kms:ListAliases",
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:Subscribe",
"sns:Unsubscribe",
"sns:SetTopicAttributes",
"lambda:CreateFunction",
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"lambda:CreateEventSourceMapping",
"lambda:DeleteEventSourceMapping",
"lambda:GetFunctionConfiguration",
"lambda:DeleteFunction",
"resource-groups:ListGroups",
"resource-groups:ListGroupResources",
"resource-groups:GetGroup",
"resource-groups:GetGroupQuery",
"resource-groups:DeleteGroup",
"resource-groups:CreateGroup",
"tag:GetResources",
"kinesis:ListStreams",
"kinesis:DescribeStream",
"kinesis:DescribeStreamSummary"
],
"Effect": "Allow",
"Resource": "*"
,
"Action": "cloudwatch:GetInsightRuleReport",
"Effect": "Allow",
"Resource": "*"
,
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": "*",
"Condition":
"StringLike":
"iam:PassedToService": [
"application-autoscaling.amazonaws.com",
"application-autoscaling.amazonaws.com.cn",
"dax.amazonaws.com"
]
,
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition":
"StringEquals":
"iam:AWSServiceName": [
"replication.dynamodb.amazonaws.com",
"dax.amazonaws.com",
"dynamodb.application-autoscaling.amazonaws.com",
"contributorinsights.dynamodb.amazonaws.com",
"kinesisreplication.dynamodb.amazonaws.com"
]
,
"Effect": "Allow",
"Action": [
"apigateway:*"
],
"Resource": "arn:aws:apigateway:*::/*"
,
"Effect": "Allow",
"Action": [
"cognito-identity:*",
"cognito-idp:*",
"cognito-sync:*",
"iam:ListRoles",
"iam:ListOpenIdConnectProviders",
"iam:GetRole",
"iam:ListSAMLProviders",
"iam:GetSAMLProvider",
"kinesis:ListStreams",
"lambda:GetPolicy",
"lambda:ListFunctions",
"sns:GetSMSSandboxAccountStatus",
"sns:ListPlatformApplications",
"ses:ListIdentities",
"ses:GetIdentityVerificationAttributes",
"mobiletargeting:GetApps",
"acm:ListCertificates"
],
"Resource": "*"
,
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition":
"StringEquals":
"iam:AWSServiceName": [
"cognito-idp.amazonaws.com",
"email.cognito-idp.amazonaws.com"
]
,
"Effect": "Allow",
"Action": [
"iam:DeleteServiceLinkedRole",
"iam:GetServiceLinkedRoleDeletionStatus"
],
"Resource": [
"*"
]
,
"Effect": "Allow",
"Action": "states:*",
"Resource": "*"
,
"Effect": "Allow",
"Action": [
"cloudformation:*"
],
"Resource": "*"
,
"Effect": "Allow",
"Action": [
"cloudformation:DescribeStacks",
"cloudformation:ListStackResources",
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricData",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"kms:ListAliases",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"lambda:*",
"logs:DescribeLogGroups",
"states:DescribeStateMachine",
"states:ListStateMachines",
"tag:GetResources",
"xray:GetTraceSummaries",
"xray:BatchGetTraces"
],
"Resource": "*"
,
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition":
"StringEquals":
"iam:PassedToService": "lambda.amazonaws.com"
,
"Effect": "Allow",
"Action": [
"logs:DescribeLogStreams",
"logs:GetLogEvents",
"logs:FilterLogEvents"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/*"
]
【问题讨论】:
您对codepipeline_role_arn 使用的角色和权限是什么?
各种服务的几乎完全访问权限
究竟是什么?
@Marcin,我已经更新了问题中的权限
我还注意到您的所有问题都有答案,但没有一个被接受。接受好的答案不仅是一种好习惯,而且可以减少重复的次数并增加您的问题得到实际回答的机会。
【参考方案1】:
您的codepipeline_role_arn 和another_codepipeline_role_arn 都不允许对您的管道执行sts:AssumeRole 操作。哪个偏离路线会导致您的错误是 AssumeRole 是不允许的。
您必须修改您的 codepipeline_role 和 添加 sts:AssumeRole 权限,以便管道可以承担您想要的角色。
【讨论】:
以上是关于AWS CodePipeline 角色无权在阶段的“操作”块中对角色执行 AssumeRole的主要内容,如果未能解决你的问题,请参考以下文章
AWS CodePipeline 错误:不允许跨账户传递角色
AWS:帮助在 Codepipeline 中设置 CodeDeploy
由于权限错误,无法在 AWS CodePipeline 中完成部署阶段