codedeploy 無法訪問 s3
[英]codedeploy unable to access s3
問題描述
我在帳戶 A上有一個代碼管道,在帳戶 B上有一個 codedeployment 組。 一旦 codedeployment 組啟動觸發器
The IAM role arn:aws:iam::accountb:role/testcrss does not give you permission to perform operations in the following AWS service: Amazon S3. Contact your AWS administrator if you need help. If you are an AWS administrator, you can grant permissions to your users or groups by creating IAM policies.我就會看到以下錯誤The IAM role arn:aws:iam::accountb:role/testcrss does not give you permission to perform operations in the following AWS service: Amazon S3. Contact your AWS administrator if you need help. If you are an AWS administrator, you can grant permissions to your users or groups by creating IAM policies. The IAM role arn:aws:iam::accountb:role/testcrss does not give you permission to perform operations in the following AWS service: Amazon S3. Contact your AWS administrator if you need help. If you are an AWS administrator, you can grant permissions to your users or groups by creating IAM policies.
我指的是 aws 提供的這篇文檔,用於使用 codepipeline 進行 aws 跨賬戶部署,除了文檔中提供的信息之外,我是否需要配置任何其他內容?
附加到 testcrs 角色的策略
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:Get*",
"s3:List*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey*",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:us-east-2:AccountA:key/valuetest"
]
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::AccountA bucket/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::AccountA bucket"
]
}
]
}
賬戶 A 的存儲桶策略
{
"Version": "2012-10-17",
"Id": "SSEAndSSLPolicy",
"Statement": [
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::AccountAbucket/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "aws:kms"
}
}
},
{
"Sid": "DenyInsecureConnections",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::AccountAbucket/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB:root"
},
"Action": [
"s3:Get*",
"s3:Put*"
],
"Resource": "arn:aws:s3:::AccountAbucket/*"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB:root"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::AccountAbucket"
},
{
"Sid": "Cross-account permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB:role/testcrss"
},
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "arn:aws:s3:::AccountAbucket/*"
}
]
}
角色測試的信任關系
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": [
"codedeploy.amazonaws.com",
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
1 個解決方案
解決方案1
1 已采納 2020-09-08 16:40:43
問題是添加到賬戶 B的 KMS 密鑰不正確,訪問賬戶 A上的 s3 存儲桶需要此密鑰。 KMS 密鑰應與附加到賬戶 A上的代碼管道的 KMS 密鑰相同
將jenkins構建修訂版上傳到s3,而無需觸發codedeploy
[英]upload jenkins build revision to s3 without triggering codedeploy
成功部署后從 S3 中刪除 AWS codeDeploy Revisions
[英]Delete AWS codeDeploy Revisions from S3 after successfull deployment
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.