Getting InsufficientPrivilegesException when deploying CloudFormation stack to create an ElasticBeanstalk app


Posted: 2021-12-09 06:38:18

Question:

I wrote a CloudFormation template that creates an ElasticBeanstalk application. However, when I run the template I get the following error: Access Denied (Service: AWSElasticBeanstalk; Status Code: 403; Error Code: InsufficientPrivilegesException; Request ID: 6c580af3-250d-4658-bc2f-8f6af4c1dd6d; Proxy: null)

Which permission do I need to add?

The relevant part of my CloudFormation template:

# The role used by CloudFormation to create the stack
CFNRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Action: ["sts:AssumeRole"]
          Effect: Allow
          Principal:
            Service: [cloudformation.amazonaws.com]
      Version: "2012-10-17"
    Path: /
    Policies:
      - PolicyName: CloudFormationRole
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Action:
                - "ec2:*"
                - "elasticbeanstalk:*"
                - "iam:*"
                - "lambda:*"
                - "logs:*"
              Effect: Allow
              Resource: "*"

# more stuff here... 

# Create the EB app without an Environment for now
EBApp1:
  Type: AWS::ElasticBeanstalk::Application
  Properties:
    Description: my-api


Answer 1:

It turns out I was missing the S3 permission on CFNRole. After I changed the permissions as below, I was able to deploy the stack.

CFNRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Action: ["sts:AssumeRole"]
          Effect: Allow
          Principal:
            Service: [cloudformation.amazonaws.com]
      Version: "2012-10-17"
    Path: /
    Policies:
      - PolicyName: CloudFormationRole
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Action:
                - "ec2:*"
                - "elasticbeanstalk:*"
                - "iam:*"
                - "lambda:*"
                - "logs:*"
                - "s3:*" #### Added this line ####
              Effect: Allow
              Resource: "*"

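The fix above works because Elastic Beanstalk needs S3 (it stores application versions in a bucket of its own), but every action in that inline policy is now a service-wide wildcard on Resource "*", and iam:* on "*" in particular lets the CloudFormation role hand out any permission. As an added example that is not part of the original answer, the following Python audit flags such grants in a policy document so the role can be tightened before the template is deployed; the scoped S3 statement it includes is an assumption to verify, not a documented minimal action set.

```python
# Wildcards on these services plus Resource "*" let the role grant itself anything.
PRIVILEGE_GRANTING_SERVICES = {"iam", "sts", "organizations"}

def _as_list(value) -> list:
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def audit_policy(policy: dict) -> list[dict]:
    """Return one finding per wildcard Allow action, rated by blast radius."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        star_resource = "*" in _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            service, _, verb = action.partition(":")
            if action == "*":
                severity = "critical"  # full administrative access
            elif verb == "*" and service in PRIVILEGE_GRANTING_SERVICES and star_resource:
                severity = "high"      # can mint more privilege for any principal
            elif "*" in verb:
                severity = "medium"    # whole service or an action glob
            else:
                continue               # explicit action, nothing to flag
            findings.append({"statement": idx, "action": action, "severity": severity,
                             "scoped_resource": not star_resource})
    return findings

# Constructed sample: the accepted answer's inline policy, written in the JSON
# form CloudFormation also accepts (same Action/Resource values as the YAML).
CFN_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["ec2:*", "elasticbeanstalk:*", "iam:*",
                              "lambda:*", "logs:*", "s3:*"]}],
}

# Assumed tighter replacement for s3:* (Elastic Beanstalk keeps application
# versions in its elasticbeanstalk-<region>-<account-id> bucket); treat the
# action list as a starting point and confirm it against CloudTrail.
SCOPED_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:CreateBucket", "s3:GetBucketLocation", "s3:ListBucket",
                              "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                   "Resource": ["arn:aws:s3:::elasticbeanstalk-*",
                                "arn:aws:s3:::elasticbeanstalk-*/*"]}],
}
```

Running `audit_policy(CFN_ROLE_POLICY)` reports all six actions, with iam:* rated high, while the scoped S3 statement produces no findings.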
