Upload to S3 failed with the following error: Access Denied - CodeStarConnections
I am building a CI/CD pipeline with AWS CodePipeline. The repository source is on Bitbucket, and I am using AWS CodeStar Connections to create the connection between the Bitbucket repository and the pipeline.
The pipeline details are as follows:
{
  "pipeline": {
    "name": "test_pipeline",
    "roleArn": "arn:aws:iam::<AccountId>:role/PipelineServiceRole",
    "artifactStore": {
      "type": "S3",
      "location": "tadadadada-artifact"
    },
    "stages": [
      {
        "name": "Source",
        "actions": [
          {
            "name": "Source",
            "actionTypeId": {
              "category": "Source",
              "owner": "AWS",
              "provider": "CodeStarSourceConnection",
              "version": "1"
            },
            "runOrder": 1,
            "configuration": {
              "BranchName": "dev",
              "ConnectionArn": "arn:aws:codestar-connections:us-east-2:<AccountId>:connection/4ca7b1cf-2917-4fda-b681-c5239944eb33",
              "FullRepositoryId": "<username>/repository_name",
              "OutputArtifactFormat": "CODE_ZIP"
            },
            "outputArtifacts": [
              {
                "name": "SourceArtifact"
              }
            ],
            "inputArtifacts": [],
            "region": "us-east-2",
            "namespace": "SourceVariables"
          }
        ]
      },
      {
        "name": "Build",
        "actions": [
          {
            ....
          }
        ]
      }
    ],
    "version": 1
  },
  "metadata": {
    "pipelineArn": "arn:aws:codepipeline:us-east-2:<AccountId>:test_pipeline",
    "created": 1611669087.267,
    "updated": 1611669087.267
  }
}
The PipelineServiceRole and the policy attached to it are:
Service role (trust policy)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "codepipeline.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IamPassRolePolicy",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEqualsIfExists": {
          "iam:PassedToService": [
            "cloudformation.amazonaws.com",
            "ec2.amazonaws.com",
            "ecs-tasks.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "CodeBuildPolicy",
      "Effect": "Allow",
      "Action": [
        "codebuild:BatchGetBuilds",
        "codebuild:StartBuild"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3AccessPolicy",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:GetObjectVersion",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ECRAccessPolicy",
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeImages"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CodeStarConnectionsAccessPolicy",
      "Effect": "Allow",
      "Action": [
        "codestar-connections:UseConnection"
      ],
      "Resource": "*"
    }
  ]
}
The Source stage fails with the error:
[Bitbucket] Upload to S3 failed with the following error: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 085999D90C19E650; S3 Extended Request ID: gJ6l08+cX3U6i2Vj0+fW7PiqA/UzM6ZGCfyECmWb+Jit4Knu+gi/L4y3F24uqkFWUfGy9tZo0VE=; Proxy: null) (Service: null; Status Code: 0; Error Code: null; Request ID: null; S3 Extended Request ID: null; Proxy: null) (Service: null; Status Code: 0; Error Code: null; Request ID: null; S3 Extended Request ID: null; Proxy: null)
The error message lacks detail, and I am not sure which service is trying to access S3; shouldn't it be CodePipeline (which in this case has the PutObject permission)?
The problem was solved by changing OutputArtifactFormat from "OutputArtifactFormat": "CODE_ZIP"
to "OutputArtifactFormat": "CODEBUILD_CLONE_REF".
CODEBUILD_CLONE_REF: per the console description, this is a full clone, in which case AWS CodePipeline passes metadata about the repository that allows subsequent actions to perform a full git clone. Only supported for AWS CodeBuild actions.
The "CODE_ZIP" option does not include the git metadata about the repository.
I ran into the same problem using GitHub.
[GitHub] Upload to S3 failed with the following error: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: foo; S3 Extended Request ID: bar; Proxy: null)
But in the artifact store S3 bucket, the object had been updated.
So I changed the s3 service policy to full access.
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetBucketVersioning",
↓
"s3:*",
This issue seems to be related to a recent change to the default IAM role CDK creates for BitBucketSourceAction.
I found that by adding the "s3:PutObjectAcl" action to the list, I was able to successfully integrate BitBucketSourceAction (used for GitHub Version 2 connections). Note: this did not require:
- changing OutputArtifactFormat from "OutputArtifactFormat": "CODE_ZIP" to "OutputArtifactFormat": "CODEBUILD_CLONE_REF", or
- S3 full access "s3:*"
As described in this CDK issue, I am using BitBucketSourceAction to integrate with a GitHub repository. When CodePipeline first attempted the GitHub (Version2) action, I received the following error:
[GitHub] Upload to S3 failed with the following error: Access Denied
In previous pipelines I released using BitBucketSourceAction, the synthesized template included the "s3:PutObject*" wildcard action. When reviewing the IAM role generated during my latest cdk deploy (using version 1.91.0), BitBucketSourceAction only had the "s3:PutObject" action (i.e. no wildcard). This does not include the "s3:PutObjectAcl" action, which appears to be required to upload the source repository from GitHub to S3 and release it for further use in the pipeline.
I did run into this today and was wondering why this would fix it, but the policy attached to PipelineGithubRole had two S3 statements, one containing only List* actions and the other containing all the read and put actions, so I simply moved them into a single statement and it started working.
Adding the s3:PutObjectAcl action permission to the role policy associated with the Pipeline Bucket Store worked for me.
I had to add the following permissions:
s3:GetObject
s3:GetObjectVersion
s3:PutObject
s3:GetBucketVersioning
s3:PutObjectAcl
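The answers above disagree on the fix (a full "s3:*" grant, a different OutputArtifactFormat, or adding s3:PutObjectAcl), and the CDK answer shows why the regression was easy to miss: "s3:PutObject*" covers PutObjectAcl while a literal "s3:PutObject" does not. The following added example (not code from the question, the answers, CDK or AWS) is a small offline linter that evaluates an IAM policy document the way IAM matches actions and resources (wildcards, case-insensitive action names, explicit Deny winning over Allow) and reports which of the S3 actions listed in the answers a policy fails to grant. It goes a little beyond the thread by also showing a least-privilege replacement scoped to the artifact bucket, and by making visible what "s3:*" on "*" additionally grants. Assumptions: the required action list is taken from the answers, the bucket name from the question's artifactStore, and the object key is constructed; Condition, NotAction and NotResource are deliberately not evaluated.

```python
"""Lint an IAM policy for the S3 permissions a CodePipeline
CodeStarSourceConnection source action needs on the artifact store.
Added example, not code from the question or any answer: the required
actions come from the answers above, the bucket name from the question,
and the object key is constructed."""
import fnmatch

BUCKET_ARN = "arn:aws:s3:::tadadadada-artifact"  # artifact store named in the question
OBJECT_ARN = BUCKET_ARN + "/test_pipeline/SourceArti/constructed-key.zip"  # constructed key

# (action, resource) pairs the source action needs, per the answers above.
REQUIRED = (
    ("s3:GetObject", OBJECT_ARN),
    ("s3:GetObjectVersion", OBJECT_ARN),
    ("s3:PutObject", OBJECT_ARN),
    ("s3:PutObjectAcl", OBJECT_ARN),  # the action the question's policy lacks
    ("s3:GetBucketVersioning", BUCKET_ARN),
)


def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action/Resource."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching: '*' and '?' wildcards, case-insensitive names."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, arn):
    """IAM resource matching: '*' and '?' wildcards, case-sensitive ARNs."""
    return fnmatch.fnmatchcase(arn, pattern)


def action_allowed(policy, action, arn):
    """True if `policy` allows `action` on `arn`; an explicit Deny wins.

    Simplification: Condition, NotAction and NotResource are not evaluated,
    so policies relying on them need the IAM policy simulator instead.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if not any(_resource_matches(p, arn) for p in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_actions(policy, required=REQUIRED):
    """Required actions `policy` does not grant, in REQUIRED order."""
    return [a for a, arn in required if not action_allowed(policy, a, arn)]


# The S3 statement from the question's policy: Resource "*", no PutObjectAcl.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "S3AccessPolicy", "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:GetObjectVersion",
               "s3:GetBucketAcl", "s3:GetBucketLocation"],
    "Resource": "*"}]}

# Least-privilege replacement: adds s3:PutObjectAcl and scopes the object and
# bucket statements to the artifact bucket instead of every bucket in the account.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ArtifactObjects", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:PutObjectAcl"],
     "Resource": BUCKET_ARN + "/*"},
    {"Sid": "ArtifactBucket", "Effect": "Allow",
     "Action": ["s3:GetBucketVersioning", "s3:GetBucketAcl", "s3:GetBucketLocation"],
     "Resource": BUCKET_ARN}]}

# The "s3:*" fix from one answer: it works, but grants every S3 action on every bucket.
FULL_ACCESS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in (("question", QUESTION_POLICY), ("fixed", FIXED_POLICY),
                         ("s3:*", FULL_ACCESS_POLICY)):
        print(f"{name:>8}: missing {missing_actions(policy) or 'nothing'}")
    print("s3:* also allows DeleteBucket on an unrelated bucket:",
          action_allowed(FULL_ACCESS_POLICY, "s3:DeleteBucket", "arn:aws:s3:::unrelated-bucket"))
```

Run against the question's policy, the linter reports s3:PutObjectAcl and s3:GetBucketVersioning as missing; against the scoped replacement it reports nothing missing while still refusing any action on an unrelated bucket. To check a real role, paste the output of `aws iam get-role-policy` into a dict in place of QUESTION_POLICY; for policies that use Condition keys, confirm the result with the IAM policy simulator, which this example does not replace.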