AWS CodeDeploy: Service role Cannot assume role provided
I am trying to set up CodeDeploy with my GitHub, but I have run into some problems.
I created the service role with the AWSCodeDeployRole policy, as mentioned in the documentation.
While creating my CodeDeploy application I hit this problem:
Cannot assume role provided.
As far as I can see, my role with AWSCodeDeployRole has a lot of autoscaling permissions, which I don't want:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CompleteLifecycleAction",
        "autoscaling:DeleteLifecycleHook",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:PutLifecycleHook",
        "autoscaling:RecordLifecycleActionHeartbeat",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:EnableMetricsCollection",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribePolicies",
        "autoscaling:DescribeScheduledActions",
        "autoscaling:DescribeNotificationConfigurations",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:AttachLoadBalancers",
        "autoscaling:PutScalingPolicy",
        "autoscaling:PutScheduledUpdateGroupAction",
        "autoscaling:PutNotificationConfiguration",
        "autoscaling:PutLifecycleHook",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DeleteAutoScalingGroup",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:TerminateInstances",
        "tag:GetTags",
        "tag:GetResources",
        "sns:Publish",
        "cloudwatch:DescribeAlarms",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
      ],
      "Resource": "*"
    }
  ]
}
From some googling, I found that the CodeDeploy application may expect something like the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codedeploy.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
But when I try to create this policy manually, it also fails with an error:
This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies.
So, what is the expected service role for a CodeDeploy Application?
By the way, CodeDeploy is running on my EC2 instances.

Well, based on @Michael's comment, I found some differences between the Trust relationships policy and the Service role.
It looks like the default AWSCodeDeployRole can't handle CodeDeploy correctly.
To fix it, I replaced "Service": ["ec2.amazonaws.com"] with "Service": ["codedeploy.amazonaws.com"], and it works!

For those who find this via Google: in my CloudFormation template I had formatted the ARN incorrectly, and the error was not descriptive.
The role needs to be specified this way:
arn:aws:iam::1234567890:role/CodeDeployRole
Note :role/ rather than :instance-profile/
The error is the "cannot assume role" one mentioned above, even though it is because you specified it wrong.

I was following a tutorial, but it didn't mention that you have to edit the trust relationship for the service role. I was getting the same error as above until I changed the following.
I changed
"Service": "codebuild.amazonaws.com"
to
"Service" : [
  "codedeploy.amazonaws.com",
  "codebuild.amazonaws.com"
]
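The three answers above all come down to two checks a deployer can make before calling CodeDeploy: does the role's trust policy actually let codedeploy.amazonaws.com call sts:AssumeRole (as opposed to only ec2.amazonaws.com or codebuild.amazonaws.com), and is the ARN handed to CodeDeploy a :role/ ARN rather than an :instance-profile/ ARN. The script below is an added example, not code from the original thread or from AWS; it parses IAM policy JSON offline and answers both questions. The sample policies embedded in it are constructed for the example (the account ID 123456789012 is a placeholder), and it also explains the "Has prohibited field Principal" error: a document with a Principal is a trust policy and belongs on the role's trust relationship, not in an identity-based IAM policy.

```python
import json
import re

# Constructed sample documents (not taken from the original post).
# TRUST_POLICY_CODEDEPLOY is the shape the self-answer arrives at; TRUST_POLICY_EC2_ONLY is
# the "before" shape that only trusts EC2 and yields "Cannot assume role provided".
TRUST_POLICY_CODEDEPLOY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {"Service": ["codedeploy.amazonaws.com"]},
      "Action": "sts:AssumeRole"
    }
  ]
}
""")

TRUST_POLICY_EC2_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}
    ],
}

# An identity-based (permissions) policy: no Principal, only Action/Resource.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"}],
}


def _as_list(value):
    """IAM lets most policy fields be either a single string or a list of strings."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def is_trust_policy(policy):
    """True when any statement carries a Principal, i.e. the document is a trust/resource policy.

    Pasting such a document into 'create IAM policy' (which expects an identity-based policy)
    is what produces the 'Has prohibited field Principal' error quoted in the question.
    """
    return any("Principal" in stmt for stmt in _as_list(policy.get("Statement")))


def services_that_can_assume(trust_policy):
    """Service principals that an Allow statement lets call sts:AssumeRole on this role.

    Deny statements override Allow, mirroring IAM's evaluation order.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(trust_policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        services = set(_as_list(principal.get("Service"))) if isinstance(principal, dict) else set()
        if stmt.get("Effect") == "Allow":
            allowed |= services
        elif stmt.get("Effect") == "Deny":
            denied |= services
    return allowed - denied


def codedeploy_can_assume(trust_policy):
    """True when the CodeDeploy service principal is trusted by this role."""
    return "codedeploy.amazonaws.com" in services_that_can_assume(trust_policy)


# AWS account IDs are 12 digits; the optional path allows ARNs such as role/service-role/Name.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@-]+(/[\w+=,.@-]+)*$")


def check_service_role_arn(arn):
    """Classify the ARN CodeDeploy is given: it must be a role, not an instance profile."""
    if ":instance-profile/" in arn:
        return "instance-profile"
    if ROLE_ARN_RE.match(arn):
        return "role"
    return "invalid"


if __name__ == "__main__":
    for name, pol in [("codedeploy", TRUST_POLICY_CODEDEPLOY), ("ec2-only", TRUST_POLICY_EC2_ONLY)]:
        print(name, "trust policy:", is_trust_policy(pol), "CodeDeploy can assume:", codedeploy_can_assume(pol))
    for arn in ["arn:aws:iam::123456789012:role/CodeDeployRole",
                "arn:aws:iam::123456789012:instance-profile/CodeDeployRole"]:
        print(arn, "->", check_service_role_arn(arn))
```

Run it as-is to see the ec2-only policy rejected and the instance-profile ARN flagged; to check a real role, feed the output of `aws iam get-role` (the AssumeRolePolicyDocument field) to services_that_can_assume and the ARN you put in the CloudFormation template to check_service_role_arn.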