AWS CodeBuild GetAuthorizationToken 失败
AWS CodeBuild GetAuthorizationToken failed
我正在尝试构建我的测试项目,但每次都在 pre_build 中失败。我检查了错误日志,它说:
[Container] 2017/03/26 19:28:21 An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::074181202020:assumed-role/codebuild-Testing-project-service-role/AWSCodeBuild is not authorized to perform: ecr:GetAuthorizationToken on resource: *
我已尝试附加以下政策:
- IAMSelfManageServiceSpecificCredentials
- IAMFullAccess
- AmazonS3ReadOnlyAccess
- CodeBuildPolicy-Testing-project-1490555003058
- IAMReadOnlyAccess
- AWSCodeBuildAdminAccess
- IAMUserSSHKeys
- AWSCodeCommitFullAccess
- IAMFullAccess
- AmazonS3FullAccess
- AdministratorAccess
- AWSElasticBeanstalkFullAccess
- AWSCodePipelineFullAccess
- WSCodeBuildAdminAccess
但它仍然给我同样的错误
如有任何帮助,我们将不胜感激!谢谢!
您需要将权限添加到 ECR 存储库策略,而不是 CodeBuild 服务角色。此页面有回购政策的样本:
https://docs.aws.amazon.com/codebuild/latest/userguide/sample-ecr.html
实际上 getAuthorizationToken 错误无法在 ECR 中解决(因为您甚至不会在那里看到 ecr:getAuthorizationToken)。
您需要转到 IAM 面板 => 角色 => CodeBuild 角色 => 授予策略 => AmazonEC2ContainerRegistryReadOnly
这使它能够获得令牌
这是我管理 ECR 的策略。然后,我将其附加到我想要允许访问的用户:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": "*",
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:DescribeRepositories",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:DeleteRepository",
"ecr:BatchDeleteImage",
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepositoryPolicy",
"ecr:GetAuthorizationToken"
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage"
]
}
]
}
当您配置 AWS Codebuild 时,它会创建服务角色并在其中附加默认策略以写入日志并将文件放入 S3 存储桶。为了让 CodeBuild 底层实例能够访问 ECR,您应该将策略附加到该服务角色。
您可以使用托管策略,例如:
AmazonEC2ContainerRegistryFullAccess
更多信息:
还注意到,AWS 将创建两个角色(Code Pipelines 角色和 Code Build 角色)。您需要将策略 AmazonEC2ContainerRegistryFullAccess 添加到代码构建角色。
codebuild 角色的名称将是:codebuild--service-role,
不要将上述策略添加到 AWSCodePipelineServiceRole--.
我正在尝试构建我的测试项目,但每次都在 pre_build 中失败。我检查了错误日志,它说:
[Container] 2017/03/26 19:28:21 An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::074181202020:assumed-role/codebuild-Testing-project-service-role/AWSCodeBuild is not authorized to perform: ecr:GetAuthorizationToken on resource: *
我已尝试附加以下政策:
- IAMSelfManageServiceSpecificCredentials
- IAMFullAccess
- AmazonS3ReadOnlyAccess
- CodeBuildPolicy-Testing-project-1490555003058
- IAMReadOnlyAccess
- AWSCodeBuildAdminAccess
- IAMUserSSHKeys
- AWSCodeCommitFullAccess
- IAMFullAccess
- AmazonS3FullAccess
- AdministratorAccess
- AWSElasticBeanstalkFullAccess
- AWSCodePipelineFullAccess
- WSCodeBuildAdminAccess
但它仍然给我同样的错误
如有任何帮助,我们将不胜感激!谢谢!
您需要将权限添加到 ECR 存储库策略,而不是 CodeBuild 服务角色。此页面有回购政策的样本: https://docs.aws.amazon.com/codebuild/latest/userguide/sample-ecr.html
实际上 getAuthorizationToken 错误无法在 ECR 中解决(因为您甚至不会在那里看到 ecr:getAuthorizationToken)。
您需要转到 IAM 面板 => 角色 => CodeBuild 角色 => 授予策略 => AmazonEC2ContainerRegistryReadOnly
这使它能够获得令牌
这是我管理 ECR 的策略。然后,我将其附加到我想要允许访问的用户:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": "*",
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:DescribeRepositories",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:DeleteRepository",
"ecr:BatchDeleteImage",
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepositoryPolicy",
"ecr:GetAuthorizationToken"
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage"
]
}
]
}
当您配置 AWS Codebuild 时,它会创建服务角色并在其中附加默认策略以写入日志并将文件放入 S3 存储桶。为了让 CodeBuild 底层实例能够访问 ECR,您应该将策略附加到该服务角色。
您可以使用托管策略,例如:
AmazonEC2ContainerRegistryFullAccess
更多信息:
还注意到,AWS 将创建两个角色(Code Pipelines 角色和 Code Build 角色)。您需要将策略 AmazonEC2ContainerRegistryFullAccess 添加到代码构建角色。
codebuild 角色的名称将是:codebuild-