[英]CloudFormation route53:GetHostedZone User is not authorized to access this resource
I have an AWS CodeBuild project connected to a Github repo, and on every new commit it creates a new CloudFormation stack based on a predefined template.我有一个连接到 Github 存储库的 AWS CodeBuild 项目,并且在每次新提交时,它都会根据预定义的模板创建一个新的 CloudFormation 堆栈。 The full template can be found here .
完整的模板可以在这里找到。
The CodeBuild project has this as its build commands: CodeBuild 项目将其作为其构建命令:
version: 0.2
phases:
install:
runtime-versions:
nodejs: 12
pre_build:
commands:
- NODE_ENV=development npm install
- npm run makeScriptsExecutable
build:
commands:
- stackName="stack-$CODEBUILD_RESOLVED_SOURCE_VERSION"
- apiGatewayName="gateway-$CODEBUILD_RESOLVED_SOURCE_VERSION"
- FUNCTION_NAME="lambda-$CODEBUILD_RESOLVED_SOURCE_VERSION"
- S3_ASSETS_BUCKET="s3-$CODEBUILD_RESOLVED_SOURCE_VERSION"
- S3_ASSETS_BUCKET_URI="s3://$S3_ASSETS_BUCKET"
- DOMAIN_NAME="$CODEBUILD_RESOLVED_SOURCE_VERSION.guacchain.com"
- BASE_NAME="prod"
- echo "S3_ASSETS_BUCKET_URI value here:"
- echo $S3_ASSETS_BUCKET_URI
- TEMPLATE_URL=https://s3-external-1.amazonaws.com/cf-templates-1npj2t2ifo384-us-east-1/2020146JeV-stack2.yaml
- aws cloudformation create-stack --stack-name $stackName --template-url $TEMPLATE_URL --parameters ParameterKey=apiGatewayStageName,ParameterValue=$BASE_NAME ParameterKey=lambdaFunctionName,ParameterValue=$FUNCTION_NAME ParameterKey=s3BucketName,ParameterValue=$S3_ASSETS_BUCKET ParameterKey=domainName,ParameterValue=$DOMAIN_NAME ParameterKey=subdomain,ParameterValue=$CODEBUILD_RESOLVED_SOURCE_VERSION --capabilities CAPABILITY_IAM
- sleep 45
- sed -i "s/COMMIT_ID/$CODEBUILD_RESOLVED_SOURCE_VERSION/g" .babelrc
- NODE_ENV=production npm run start
- NODE_ENV=production npm run build
- NODE_ENV=production npm run build:server
- NODE_ENV=production npm run deploy
The current problem I'm running into is that ever since adding a resource of type AWS::Route53::RecordSet
, the stack creation fails due to: API: route53:GetHostedZone User: arn:aws:sts::XXXX:assumed-role/CodeBuildServiceRole/AWSCodeBuild-XXXX is not authorized to access this resource
.我遇到的当前问题是,自从添加
AWS::Route53::RecordSet
类型的资源后,堆栈创建失败,原因是: API: route53:GetHostedZone User: arn:aws:sts::XXXX:assumed-role/CodeBuildServiceRole/AWSCodeBuild-XXXX is not authorized to access this resource
。
That resource currently looks like this:该资源当前如下所示:
domainRecordSet:
Type: 'AWS::Route53::RecordSet'
Properties:
AliasTarget:
DNSName: !GetAtt domainNameResource.DistributionDomainName
HostedZoneId: !GetAtt domainNameResource.DistributionHostedZoneId
Type: A
HostedZoneId: !GetAtt domainNameResource.DistributionHostedZoneId
Name: !Sub '${subdomain}.guacchain.com'
The subdomain
variable is given to the stack as a parameter. subdomain
变量作为参数提供给堆栈。 The referenced domainNameResource
does successfully get created before the stack creation fails:引用的
domainNameResource
确实在堆栈创建失败之前成功创建:
Also, the CodeBuildServiceRole
is applied to the CodeBuild project.此外,
CodeBuildServiceRole
应用于 CodeBuild 项目。 I thought that giving it the AdministratorAccess
, AmazonRoute53FullAccess
, and AWSCloudFormationFullAccess
policies would be enough, but apparently not!我认为给它
AdministratorAccess
、 AmazonRoute53FullAccess
和AWSCloudFormationFullAccess
策略就足够了,但显然不是!
On the IAM Permissions tab it shows Permissions boundary (not set)
.在 IAM 权限选项卡上,它显示
Permissions boundary (not set)
。
On Trusted Relationships tab is has only one row in the "Trusted entities" list: The identity provider(s) codebuild.amazonaws.com
.在“受信任的关系”选项卡上,“受信任的实体”列表中只有一行:
The identity provider(s) codebuild.amazonaws.com
。 Also shows "There are no conditions associated with this role."还显示“没有与此角色相关的条件”。
What must be done to this IAM role, the Codebuild project, or the CloudFormation stack (or some combination of those) in order to get the Route53 RecordSet resource successfully created?为了成功创建 Route53 RecordSet 资源,必须对此 IAM 角色、Codebuild 项目或 CloudFormation 堆栈(或它们的某种组合)执行什么操作?
Based on the comments, the issue was the incorrect assignment to the second HostedZoneId
:根据评论,问题是对第二个
HostedZoneId
的错误分配:
HostedZoneId: !GetAtt domainNameResource.DistributionHostedZoneId
It should be the id of hosted zone that the OP controls , not the hosted zone of CloudFront distribution which is owned by AWS.它应该是OP 控制的托管区域的 id,而不是 AWS 拥有的 CloudFront 分发的托管区域。 This explains the error message - you are not authorized to modify AWS owned hosted zone.
这解释了错误消息 - 您无权修改 AWS 拥有的托管区域。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.