
Unable to execute AWS Pipeline Error: "An error occurred (AccessDenied) when calling the PutObject operation: Access Denied"

Have been trying to set up an AWS pipeline following the tutorial here: https://docs.aws.amazon.com/lambda/latest/dg/build-pipeline.html

But the pipeline continuously fails with the below error logs:

Here are some of the actions I tried already:

  1. Granted full access of S3 to "cfn-lambda-pipeline" role associated with Cloud Formation and Code Pipeline Service Role.

  2. Allowed public ACL access to S3 bucket.

Below is my buildspec.yml

version: 0.2
phases:
  install:
    runtime-versions:
        nodejs: 12
  build:
    commands:
      - npm install
      - export BUCKET=xx-test
      - aws cloudformation package --template-file template.yaml --s3-bucket $BUCKET --output-template-file outputtemplate.yml
artifacts:
  type: zip
  files:
    - template.yml
    - outputtemplate.yml

Below is my template.yaml

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  helloWorld
  DZ Bank API Gateway connectivity helloWorld
  
Globals:
  Function:
    Timeout: 3

Resources:
  HelloWorldFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./
      Handler: app.lambdaHandler
      Runtime: nodejs12.x
      Events:
        HelloWorld:
          Type: Api
          Properties:
            Path: /hello
            Method: get

The error is actually related to CodeBuild not CodePipeline. It seems like CodeBuild does not have valid permissions for its attached service role.

From the console you can find the attached service role by performing the following:

  • Go to the CodeBuild console
  • Click "Build Projects" from the menu on the left hand side
  • Click the radio button next to the build project you're using, then on the top menu click "Edit" and then select the "Edit Source" option.
  • At the bottom of the page will be a section titled "Service role permissions" with the Arn below it.

This IAM role will need to be granted the permissions it requires (in your case "s3:PutObject") if they are not already there.

AWS provides a full policy in the Create a CodeBuild service role documentation.

"cfn-lambda-pipeline" role associated with Cloud Formation and Code Pipeline Service Role.

The S3 permissions should be associated with CodeBuild (CB), because CB is going to run buildspec.yml. Thus CB needs to be able to access the S3.

According to the tutorial linked in the Update the build stage role section, the AmazonS3FullAccess should be added to codebuild-lamba-pipeline-build-service-role role, not to cfn-lambda-pipeline nor CodePipeline's role.
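Added example, not part of the original question or answers: an offline model of why granting S3 access to the CloudFormation and CodePipeline roles left the build failing, and of a bucket-scoped policy for the CodeBuild role as a narrower alternative to AmazonS3FullAccess. Assumptions: the CodePipeline role name is hypothetical, `s3:PutObject` plus `s3:GetObject` is an assumed minimum for the upload, and the evaluator is a simplification that ignores conditions, `NotAction`, bucket policies and permission boundaries.

```python
import json
from fnmatch import fnmatchcase

BUCKET = "xx-test"  # bucket name from the question's buildspec.yml
S3_ALL = {"Version": "2012-10-17",  # simplified stand-in for AmazonS3FullAccess
          "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def scoped_policy(bucket):
    """Object read/write on one bucket only (assumed minimum for the upload)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": ["s3:PutObject", "s3:GetObject"],
                           "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def _listify(value):
    return value if isinstance(value, list) else [value]


def allows(policies, action, resource):
    """Simplified identity-policy check: explicit Deny wins, else any Allow."""
    allowed = False
    for policy in policies:
        for stmt in _listify(policy["Statement"]):
            hit = (any(fnmatchcase(action.lower(), a.lower())
                       for a in _listify(stmt["Action"]))
                   and any(fnmatchcase(resource, r)
                           for r in _listify(stmt["Resource"])))
            if hit and stmt["Effect"] == "Deny":
                return False
            allowed = allowed or hit
    return allowed


def roles_able_to_upload(roles, key="packaged-artifact"):
    """Names of roles whose policies allow s3:PutObject into BUCKET."""
    target = f"arn:aws:s3:::{BUCKET}/{key}"
    return sorted(n for n, p in roles.items() if allows(p, "s3:PutObject", target))


# Constructed state matching the question: S3 access went to the CloudFormation
# and CodePipeline roles, while the role CodeBuild assumes got nothing.
ROLES = {"cfn-lambda-pipeline": [S3_ALL],
         "codepipeline-service-role": [S3_ALL],  # hypothetical role name
         "codebuild-lamba-pipeline-build-service-role": []}

if __name__ == "__main__":
    print("before:", roles_able_to_upload(ROLES))
    fixed = dict(ROLES)
    fixed["codebuild-lamba-pipeline-build-service-role"] = [scoped_policy(BUCKET)]
    print("after: ", roles_able_to_upload(fixed))
    print(json.dumps(scoped_policy(BUCKET), indent=2))
```

The JSON printed at the end can be attached to the CodeBuild service role as an inline policy; the public ACL tried in the question plays no part in the result.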
