AWS deployment fails with Insufficient permission: The provided role does not have the Elasticbeanstalk:UpdateEnvironment permission
So, I'm new to AWS and have a simple pipeline built with AWS CodeStar: Source -> Application -> Beta. I'm trying to deploy to the Beta site and I get this failure.
I tried following the instructions at http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html but ran into the following problem: step 3 says "Choose the AWS Service role type, and then choose the service that you want to allow to assume this role." But that's not what I see. I don't see the option to choose CodePipeline, which I assume is the service that needs access to Elastic Beanstalk.
I thought I might have misunderstood which service they were talking about and tried it the other way, choosing Elastic Beanstalk, but that also differed from the instructions.
I tried this page: http://docs.aws.amazon.com/codepipeline/latest/userguide/how-to-custom-role.html#view-default-service-role-policy, but couldn't figure out how they created the default AWS CodePipeline service role policy.
*************** UPDATE *********************
Here is a screenshot of the whole pipeline
Here is the AWSCodeStarServiceRole policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProjectEventRules",
      "Effect": "Allow",
      "Action": [
        "events:PutTargets",
        "events:RemoveTargets",
        "events:PutRule",
        "events:DeleteRule",
        "events:DescribeRule"
      ],
      "Resource": [
        "arn:aws:events:*:*:rule/awscodestar-*"
      ]
    },
    {
      "Sid": "ProjectStack",
      "Effect": "Allow",
      "Action": [
        "cloudformation:*Stack*",
        "cloudformation:CreateChangeSet",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:DeleteChangeSet",
        "cloudformation:GetTemplate"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stack/awscodestar-*",
        "arn:aws:cloudformation:*:*:stack/awseb-*",
        "arn:aws:cloudformation:*:*:stack/aws-cloud9-*",
        "arn:aws:cloudformation:*:aws:transform/CodeStar*"
      ]
    },
    {
      "Sid": "ProjectStackTemplate",
      "Effect": "Allow",
      "Action": [
        "cloudformation:GetTemplateSummary",
        "cloudformation:DescribeChangeSet"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ProjectQuickstarts",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::awscodestar-*/*"
      ]
    },
    {
      "Sid": "ProjectS3Buckets",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::aws-codestar-*",
        "arn:aws:s3:::aws-codestar-*/*",
        "arn:aws:s3:::elasticbeanstalk-*",
        "arn:aws:s3:::elasticbeanstalk-*/*"
      ]
    },
    {
      "Sid": "ProjectServices",
      "Effect": "Allow",
      "Action": [
        "codestar:*Project",
        "codestar:*Resource*",
        "codestar:List*",
        "codestar:Describe*",
        "codestar:Get*",
        "codestar:AssociateTeamMember",
        "codecommit:*",
        "codepipeline:*",
        "codedeploy:*",
        "codebuild:*",
        "ec2:RunInstances",
        "autoscaling:*",
        "cloudwatch:Put*",
        "ec2:*",
        "elasticbeanstalk:*",
        "elasticloadbalancing:*",
        "iam:ListRoles",
        "logs:*",
        "sns:*",
        "cloud9:CreateEnvironmentEC2",
        "cloud9:DeleteEnvironment",
        "cloud9:DescribeEnvironment*",
        "cloud9:ListEnvironments"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ProjectWorkerRoles",
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetRole",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:SetDefaultPolicyVersion",
        "iam:CreatePolicy",
        "iam:DeletePolicy",
        "iam:AddRoleToInstanceProfile",
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile"
      ],
      "Resource": [
        "arn:aws:iam::*:role/CodeStarWorker*",
        "arn:aws:iam::*:policy/CodeStarWorker*",
        "arn:aws:iam::*:instance-profile/awscodestar-*"
      ]
    },
    {
      "Sid": "ProjectTeamMembers",
      "Effect": "Allow",
      "Action": [
        "iam:AttachUserPolicy",
        "iam:DetachUserPolicy"
      ],
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "iam:PolicyArn": [
            "arn:aws:iam::*:policy/CodeStar_*"
          ]
        }
      }
    },
    {
      "Sid": "ProjectRoles",
      "Effect": "Allow",
      "Action": [
        "iam:CreatePolicy",
        "iam:DeletePolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:ListEntitiesForPolicy",
        "iam:ListPolicyVersions"
      ],
      "Resource": [
        "arn:aws:iam::*:policy/CodeStar_*"
      ]
    },
    {
      "Sid": "InspectServiceRole",
      "Effect": "Allow",
      "Action": [
        "iam:ListAttachedRolePolicies"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-codestar-service-role",
        "arn:aws:iam::*:role/service-role/aws-codestar-service-role"
      ]
    },
    {
      "Sid": "IAMLinkRole",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "cloud9.amazonaws.com"
        }
      }
    }
  ]
}
```
Also, I can't update the role's permissions, because it says it is an Amazon created role and is read-only.
I'm guessing this is something simple I'm missing, ugh. I'm missing it!
Thanks in advance!
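As an added example (not from the question or either answer), a small Python check that applies IAM's Action wildcard matching to a constructed excerpt of the AWSCodeStarServiceRole policy quoted above. It shows that the "elasticbeanstalk:*" entry in the ProjectServices statement already covers Elasticbeanstalk:UpdateEnvironment, so that policy by itself cannot be what denies the deploy; the same routine can be pointed at the policies of whatever role the pipeline's deploy action actually uses.

```python
"""Check which statements of an IAM identity policy allow a given action.

Added example, not part of the original question or answers. IAM_POLICY is a
constructed excerpt (two statements) of the AWSCodeStarServiceRole policy quoted
in the question; Resource, Condition and NotAction are deliberately not
evaluated, so this answers only "does the Action element cover this call?".
"""
import json
import re

IAM_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ProjectStack", "Effect": "Allow",
     "Action": ["cloudformation:*Stack*", "cloudformation:GetTemplate"],
     "Resource": "*"},
    {"Sid": "ProjectServices", "Effect": "Allow",
     "Action": ["codepipeline:*", "elasticbeanstalk:*", "iam:ListRoles"],
     "Resource": "*"}
  ]
}
""")


def action_matches(pattern: str, action: str) -> bool:
    """IAM Action matching: case-insensitive, '*' and '?' are the only wildcards."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def allowing_statements(policy: dict, action: str) -> list:
    """Return Sids of Allow statements covering `action`; [] if any Deny covers it.
    Mirrors IAM's rule for the Action element: an explicit Deny anywhere in the
    policy overrides every Allow.
    """
    allowed = []
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):          # "Action" may be a bare string
            actions = [actions]
        if any(action_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return []
            allowed.append(stmt.get("Sid", "<no Sid>"))
    return allowed
```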
When you first enter the AWS CodeStar console, you are prompted to create a service role. You should choose yes. This will create a role named "AWSCodeStarServiceRole".
This role has the permissions you need.
This link will walk you through setting up AWS CodeStar:
After trying lots of ways of tweaking the settings and permissions, I tried creating a duplicate pipeline, and everything worked on the new pipeline but not on the old one.
So, to fix this, I deleted the pipeline saved in CodeStar and created an identical new one. Then I deleted the continuous deployment tile in CodeStar and added a new continuous deployment tile, selecting the new pipeline I had created.
This fixed the problem and the pipeline works correctly.