Unable to execute AWS Pipeline Error: “An error occurred (AccessDenied) when calling the PutObject operation: Access Denied”
Have been trying to set up an AWS pipeline following the tutorial here: https://docs.aws.amazon.com/lambda/latest/dg/build-pipeline.html
But the pipeline continuously fails with the below error logs:
Here are some of the actions I tried already:
Below is my buildspec.yml
version: 0.2
phases:
  install:
    runtime-versions:
      nodejs: 12
  build:
    commands:
      - npm install
      - export BUCKET=xx-test
      - aws cloudformation package --template-file template.yaml --s3-bucket $BUCKET --output-template-file outputtemplate.yml
artifacts:
  type: zip
  files:
    - template.yml
    - outputtemplate.yml
Below is my template.yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  helloWorld
  DZ Bank API Gateway connectivity helloWorld
Globals:
  Function:
    Timeout: 3
Resources:
  HelloWorldFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./
      Handler: app.lambdaHandler
      Runtime: nodejs12.x
      Events:
        HelloWorld:
          Type: Api
          Properties:
            Path: /hello
            Method: get
The error is actually related to CodeBuild not CodePipeline. It seems like CodeBuild does not have valid permissions for its attached service role.
From the console you can find the attached service role by performing the following:
This IAM role will need to be granted the permissions it requires (in your case "s3:PutObject") if they are not already there.
AWS provides a full policy in the Create a CodeBuild service role documentation.
"cfn-lambda-pipeline" role associated with Cloud Formation and Code Pipeline Service Role.
The S3 permissions should be associated with CodeBuild (CB), because CB is going to run buildspec.yml. Thus CB needs to be able to access the S3.
According to the tutorial linked in the Update the build stage role section, the AmazonS3FullAccess should be added to codebuild-lamba-pipeline-build-service-role role, not to cfn-lambda-pipeline nor CodePipeline's role.
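A narrower alternative to a managed full-access policy, as an added example that is not part of the original answers or the AWS tutorial: it grants the build role only s3:PutObject (the action named in the error) on the bucket from buildspec.yml, then asks IAM how it would evaluate that call. The role and bucket names are the ones quoted on the page; the policy name and the probe object key are assumptions.

```shell
#!/usr/bin/env bash
# Added example: scope the CodeBuild role to the one bucket the build writes to.
# ROLE and BUCKET are quoted from the page; POLICY_NAME is a hypothetical label.
ROLE="codebuild-lamba-pipeline-build-service-role"
BUCKET="xx-test"
POLICY_NAME="package-artifact-upload"

# Emit an inline policy that allows object writes to a single bucket only.
scoped_policy() {
  bucket="$1"
  # Refuse anything that is not a plain bucket name, so a wildcard or an
  # ARN fragment passed in by mistake cannot widen the Resource element.
  case "$bucket" in
    ""|*[!a-z0-9.-]*) echo "invalid bucket name: $bucket" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PackageUpload",
    "Effect": "Allow",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::${bucket}/*"
  }]
}
EOF
}

# Attach the policy to the build role (the caller needs IAM write access).
attach_policy() {
  aws iam put-role-policy --role-name "$ROLE" --policy-name "$POLICY_NAME" \
    --policy-document "$(scoped_policy "$BUCKET")"
}

# Print IAM's decision for the failing call before re-running the pipeline.
check_put_object() {
  role_arn="$(aws iam get-role --role-name "$ROLE" --query 'Role.Arn' --output text)"
  aws iam simulate-principal-policy --policy-source-arn "$role_arn" \
    --action-names s3:PutObject --resource-arns "arn:aws:s3:::${BUCKET}/probe" \
    --query 'EvaluationResults[0].EvalDecision' --output text
}

# Only touch AWS when asked to; with no argument the script just defines the functions.
case "${1:-}" in
  apply) attach_policy && check_put_object ;;
  print) scoped_policy "$BUCKET" ;;
esac
```

The simulation covers the role's identity-based policies only; a deny in the bucket policy would still block the upload.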