下载源代码时 AWS Codebuild 失败。消息:拒绝访问
AWS Codebuild fails while downloading source. Message: Access Denied
我创建了一个使用 docker image for node8 的 CodeBuild 项目。此 CodeBuild 项目的目的是进行单元测试。它从 CodeCommit 获取一个输入项目。并在 buildspec.yml 中运行测试命令。
这是我的(简单的)buildspec 文件:
version: 0.2
phases:
install:
commands:
- echo "install phase started"
- npm install
- echo "install phase ended"
pre_build:
commands:
- echo "pre_build aka test phase started"
- echo "mocha unit test"
- npm test
- echo "mocha unit test ended"
build:
commands:
- echo "build phase started"
- echo "build complete"
构建在 DOWNLOAD_SOURCE 阶段失败,出现以下情况:
PHASE - DOWNLOAD_SOURCE
Start time 2 minutes ago
End time 2 minutes ago
Message Access Denied
构建日志中仅有的日志如下
[Container] 2018/01/12 11:30:22 Waiting for agent ping
[Container] 2018/01/12 11:30:22 Waiting for DOWNLOAD_SOURCE
提前致谢。
CodeBuild 策略的屏幕截图。
我找到了修复方法。这是我的权限问题。我添加了这个以使其工作。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"arn:aws:logs:eu-west-1:723698621383:log-group:/aws/codebuild/project",
"arn:aws:logs:eu-west-1:723698621383:log-group:/aws/codebuild/project:*"
],
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
},
{
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::codepipeline-eu-west-1-*"
],
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion"
]
},
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters"
],
"Resource": "arn:aws:ssm:eu-west-1:723698621383:parameter/CodeBuild/*"
}
]
}
我遇到了类似的错误,我会 post 我的修复程序,以防对其他人有帮助。我正在使用 CodePipeline 并进行了两个单独的构建。 Build #1 将完成其构建,其输出工件将成为 Build #2 的输入工件。 Build #2 在 DOWNLOAD_SOURCE 阶段失败并出现以下错误:
AccessDenied: Access Denied status code: 403
问题是在我的构建 #1 的构建规范中,我没有定义工件。在 Build #1 中调出工件 files/folders 后,Build #2 就可以毫无问题地下载源代码。
我有同样的错误,访问 S3 存储桶的权限问题 url。最初我使用了一个自动生成的 codepipeline-us-west-2-* 存储桶名称和策略:
{
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::codepipeline-us-west-2-*"
],
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetBucketAcl",
"s3:GetBucketLocation"
]
}
更改为我自己的存储桶名称后,必须将策略更新为:
{
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::project-name-files/*"
],
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetBucketAcl",
"s3:GetBucketLocation"
]
}
我遇到了同样的问题。
我的来源来自 S3 文件夹。修复涉及将 / 放在源路径的末尾。似乎没有 / CodeBuild 认为它是一个键。
希望这有助于节省时间。
我遇到了同样的症状,但我的问题是由于 S3 存储桶上的默认加密造成的,如 this post 中所述。
So everything in S3 is encrypted at rest. When you don't specify how you want to encrypt them, objects in S3 will be encrypted by the default KMS key. And other accounts won't be able to get access to objects in the bucket because they don't have that KMS key for decryption. So to get around this issue, you need to create your own KMS key and use it to encrypt (let the CodeBuild to use this KMS Key you have created in this case). Then allow roles in other accounts to use this key by configure AssumeRole permissions. From what I see, most S3 access denial happens at not being able to decrypt objects. And this is specified here Troubleshoot S3 403 Access Denied - encrypted objects will also cause 403 Access Denied.
在我的例子中,使用的密钥不匹配导致解密失败。
我创建了一个使用 docker image for node8 的 CodeBuild 项目。此 CodeBuild 项目的目的是进行单元测试。它从 CodeCommit 获取一个输入项目。并在 buildspec.yml 中运行测试命令。
这是我的(简单的)buildspec 文件:
version: 0.2
phases:
install:
commands:
- echo "install phase started"
- npm install
- echo "install phase ended"
pre_build:
commands:
- echo "pre_build aka test phase started"
- echo "mocha unit test"
- npm test
- echo "mocha unit test ended"
build:
commands:
- echo "build phase started"
- echo "build complete"
构建在 DOWNLOAD_SOURCE 阶段失败,出现以下情况:
PHASE - DOWNLOAD_SOURCE
Start time 2 minutes ago
End time 2 minutes ago
Message Access Denied
构建日志中仅有的日志如下
[Container] 2018/01/12 11:30:22 Waiting for agent ping
[Container] 2018/01/12 11:30:22 Waiting for DOWNLOAD_SOURCE
提前致谢。
CodeBuild 策略的屏幕截图。
我找到了修复方法。这是我的权限问题。我添加了这个以使其工作。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"arn:aws:logs:eu-west-1:723698621383:log-group:/aws/codebuild/project",
"arn:aws:logs:eu-west-1:723698621383:log-group:/aws/codebuild/project:*"
],
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
},
{
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::codepipeline-eu-west-1-*"
],
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion"
]
},
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters"
],
"Resource": "arn:aws:ssm:eu-west-1:723698621383:parameter/CodeBuild/*"
}
]
}
我遇到了类似的错误,我会 post 我的修复程序,以防对其他人有帮助。我正在使用 CodePipeline 并进行了两个单独的构建。 Build #1 将完成其构建,其输出工件将成为 Build #2 的输入工件。 Build #2 在 DOWNLOAD_SOURCE 阶段失败并出现以下错误:
AccessDenied: Access Denied status code: 403
问题是在我的构建 #1 的构建规范中,我没有定义工件。在 Build #1 中调出工件 files/folders 后,Build #2 就可以毫无问题地下载源代码。
我有同样的错误,访问 S3 存储桶的权限问题 url。最初我使用了一个自动生成的 codepipeline-us-west-2-* 存储桶名称和策略:
{
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::codepipeline-us-west-2-*"
],
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetBucketAcl",
"s3:GetBucketLocation"
]
}
更改为我自己的存储桶名称后,必须将策略更新为:
{
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::project-name-files/*"
],
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetBucketAcl",
"s3:GetBucketLocation"
]
}
我遇到了同样的问题。
我的来源来自 S3 文件夹。修复涉及将 / 放在源路径的末尾。似乎没有 / CodeBuild 认为它是一个键。
希望这有助于节省时间。
我遇到了同样的症状,但我的问题是由于 S3 存储桶上的默认加密造成的,如 this post 中所述。
So everything in S3 is encrypted at rest. When you don't specify how you want to encrypt them, objects in S3 will be encrypted by the default KMS key. And other accounts won't be able to get access to objects in the bucket because they don't have that KMS key for decryption. So to get around this issue, you need to create your own KMS key and use it to encrypt (let the CodeBuild to use this KMS Key you have created in this case). Then allow roles in other accounts to use this key by configure AssumeRole permissions. From what I see, most S3 access denial happens at not being able to decrypt objects. And this is specified here Troubleshoot S3 403 Access Denied - encrypted objects will also cause 403 Access Denied.
在我的例子中,使用的密钥不匹配导致解密失败。