Codepipeline S3 Bucket access denied in Codebuild

Background:

I am testing Codepipeline with a source stage containing a Github source and a test stage containing a Codebuild project. The Github source is authenticated through a Codestar connection.

Problem:

When the Codebuild project is triggered through the pipeline, the project is denied access to the associated Codepipeline S3 artifact bucket. This is the log from the build:

AccessDenied: Access Denied
    status code: 403, request id: 123, host id: 1234
for primary source and source version arn:aws:s3:::my-bucket/foo/master/foo123

This is the statement in the Codebuild service role policy that relates to the issue:

        {
            "Sid": "CodePipelineArtifactBucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:ListObjects",
                "s3:ListBucket",
                "s3:GetObjectVersion",
                "s3:GetObject",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::my-bucket/*"
        }

Attempts:

1. Changed the resource attribute in the policy above from arn:aws:s3:::my-bucket/* to arn:aws:s3:::my-bucket*. (Same Access Denied error)

2. Checked the permissions of the associated artifact bucket. Currently it is set to block all public access and has no bucket policy attached. The bucket's ACL is set to allow the bucket owner (me) read/write access. (Same Access Denied error)

3. Given that this is a test pipeline, I have tried granting both the Codebuild service role and the Codepipeline service role full S3 access to all resources. (Same Access Denied error)

Adding the Codebuild role ARN to the CMK policy's usage/grant related permissions did the trick. I think I blindly assumed that the Codebuild service role would inherit Codepipeline's role, which would let the Codebuild project decrypt the CMK associated with the Codepipeline artifact bucket. These are the relevant statements I changed in the CMK's policy:

        {
            "Sid": "GrantPermissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111111111111:role/codebuild-role",
                    "arn:aws:iam::111111111111:role/codepipeline-role"
                ]
            },
            "Action": [
                "kms:RevokeGrant",
                "kms:ListGrants",
                "kms:CreateGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        },
        {
            "Sid": "UsagePermissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111111111111:role/codebuild-role",
                    "arn:aws:iam::111111111111:role/codepipeline-role"
                ]
            },
            "Action": [
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:Encrypt",
                "kms:DescribeKey",
                "kms:Decrypt"
            ],
            "Resource": "*"
        }
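The fix above comes down to one question: is the Codebuild service role named as a principal in the artifact bucket's CMK key policy for the actions it needs (kms:Decrypt to read input artifacts, kms:GenerateDataKey to write output artifacts)? The following is an added example, not code from the question or answer, that performs that check statically against a key policy document. It models two constructed key policies on the statements in the answer (the "before" one lists only codepipeline-role, the "after" one both roles; the account id and role names are the same placeholders used above) and reports which required actions a given role ARN is not allowed. It only evaluates the key policy itself: statements with a Condition are treated as not satisfied, and the account root statement that delegates to IAM identity policies is not expanded, so a clean result here means the role is covered by the key policy alone.

```python
"""Static check: does a KMS key policy allow a principal the actions a
CodeBuild project needs to read and write encrypted CodePipeline artifacts?
The S3 403 in the question is what you see when it does not."""
import fnmatch
import json

# Actions a consumer of encrypted pipeline artifacts needs.
REQUIRED_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey")

# Placeholder account id and role names, taken from the policy statements above.
ACCOUNT = "111111111111"
CODEBUILD_ROLE = f"arn:aws:iam::{ACCOUNT}:role/codebuild-role"
CODEPIPELINE_ROLE = f"arn:aws:iam::{ACCOUNT}:role/codepipeline-role"


def _usage_statement(principals):
    # Constructed "UsagePermissions" statement in the shape shown in the answer.
    return {
        "Sid": "UsagePermissions",
        "Effect": "Allow",
        "Principal": {"AWS": principals},
        "Action": ["kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Encrypt",
                   "kms:DescribeKey", "kms:Decrypt"],
        "Resource": "*",
    }


def _key_policy(principals):
    # Constructed key policy: the usual root statement (which only delegates to
    # IAM identity policies and is deliberately not expanded by this check)
    # plus a usage statement for the given principals.
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableRootPermissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
             "Action": "kms:*", "Resource": "*"},
            _usage_statement(principals),
        ],
    })


# Before the fix: only the pipeline role can use the key.
KEY_POLICY_BEFORE = _key_policy([CODEPIPELINE_ROLE])
# After the fix: the CodeBuild role is added as a principal as well.
KEY_POLICY_AFTER = _key_policy([CODEBUILD_ROLE, CODEPIPELINE_ROLE])


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are matched case-insensitively with '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_matches(stmt, principal_arn, action):
    """True if the statement names the principal and covers the action.
    Statements carrying a Condition are treated as not matching, because
    their outcome depends on request context this static check does not have."""
    if stmt.get("Condition"):
        return False
    principal = stmt.get("Principal", {})
    principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    if principal_arn not in principals and "*" not in principals:
        return False
    return any(_action_matches(p, action) for p in _as_list(stmt.get("Action", [])))


def missing_kms_actions(key_policy_json, principal_arn, required=REQUIRED_ACTIONS):
    """Return the required actions the key policy does not allow for principal_arn.
    An explicit Deny that matches wins over any Allow, as in IAM evaluation."""
    statements = _as_list(json.loads(key_policy_json).get("Statement", []))
    missing = []
    for action in required:
        denied = any(s.get("Effect") == "Deny" and _statement_matches(s, principal_arn, action)
                     for s in statements)
        allowed = any(s.get("Effect") == "Allow" and _statement_matches(s, principal_arn, action)
                      for s in statements)
        if denied or not allowed:
            missing.append(action)
    return missing


if __name__ == "__main__":
    for label, policy in (("before", KEY_POLICY_BEFORE), ("after", KEY_POLICY_AFTER)):
        print(label, "missing for codebuild-role:", missing_kms_actions(policy, CODEBUILD_ROLE))
```

Run against the real key policy (for example the output of `aws kms get-key-policy --policy-name default`), the "before" case is exactly the situation in the question: S3 permissions look fine, but the CodeBuild role cannot decrypt the artifact and S3 reports a plain 403.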