AWS CodeBuild VPC_CLIENT_ERROR: Unexpected EC2 error: UnauthorizedOperation
AWS CodeBuild VPC_CLIENT_ERROR: Unexpected EC2 error: UnauthorizedOperation
我在自定义 VPC 和私有子网中创建了 CodeBuild 项目。
私有子网可以访问互联网,同时 AWS 控制台确认互联网连接适用于此代码构建项目。我在构建的 "Provisioning" 阶段不断收到 VPC_CLIENT_ERROR: Unexpected EC2 error: UnauthorizedOperation 错误。我的服务角色策略中肯定缺少某些内容,但无法弄清楚是什么。
这是 CodeBuild 项目 (terraform):
resource "aws_codebuild_project" "frontend" {
name = "frontend"
build_timeout = "5"
service_role = "${aws_iam_role.frontend_build.arn}"
artifacts {
type = "S3"
location = "frontend.myapp.com"
namespace_type = "NONE"
packaging = "NONE"
path = "public"
}
environment {
compute_type = "BUILD_GENERAL1_SMALL"
image = "aws/codebuild/standard:1.0"
type = "LINUX_CONTAINER"
image_pull_credentials_type = "CODEBUILD"
environment_variable {
name = "SOME_KEY1"
value = "SOME_VALUE1"
}
}
logs_config {
cloudwatch_logs {
group_name = "build"
stream_name = "frontend-build"
}
}
source {
type = "GITHUB"
location = "https://github.com/MyOrg/my-repo.git"
git_clone_depth = 1
report_build_status = true
auth {
type = "OAUTH"
}
}
vpc_config {
vpc_id = module.vpc.vpc_id
subnets = module.vpc.private_subnets
security_group_ids = [aws_security_group.build.id]
}
}
这是此 CodeBuild 项目的 service_role:
resource "aws_iam_role" "frontend_build" {
name = "frontend-build"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "codebuild.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
这是该角色的政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:CreateNetworkInterfacePermission",
"Resource": "arn:aws:ec2:us-east-1:371508653482:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:AuthorizedService": "codebuild.amazonaws.com",
"ec2:Subnet": "subnet-124641af7a83bf872"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeDhcpOptions",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcs",
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetAuthorizationToken",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart",
"ecs:RunTask",
"iam:PassRole",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"ssm:GetParameters"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:GetAuthorizationToken",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"logs:CreateLogGroup",
"logs:PutLogEvents",
"ecr:BatchCheckLayerAvailability"
],
"Resource": "*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::xxx-frontend-build-logs",
"arn:aws:s3:::xxx-frontend-build-logs/*"
]
}
]
}
这是 CodeBuild 项目的安全组:
resource "aws_security_group" "build" {
name = "build"
vpc_id = module.vpc.vpc_id
}
resource "aws_security_group_rule" "build_egress" {
type = "egress"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = aws_security_group.build.id
}
在我看来,CodeBuild 服务角色无法在 VPC 中创建 ENI。问题似乎出在 CodeBuild 角色策略中的这一行:
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:CreateNetworkInterfacePermission",
"Resource": "arn:aws:ec2:us-east-1:371508653482:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:AuthorizedService": "codebuild.amazonaws.com",
"ec2:Subnet": "subnet-124641af7a83bf872" <================= Need full ARN here
}
}
},
而不是:
"Condition": {
"StringEquals": {
"ec2:AuthorizedService": "codebuild.amazonaws.com",
"ec2:Subnet": "subnet-124641af7a83bf872"
}
}
尝试...
"Condition": {
"StringEquals": {
"ec2:Subnet": [
"arn:aws:ec2:region:account-id:subnet/subnet-124641af7a83bf872"
],
"ec2:AuthorizedService": "codebuild.amazonaws.com"
}
详情请见:[1]
参考:
[1] 为 CodeBuild 使用基于身份的策略 - 允许 CodeBuild 访问创建 VPC 网络接口所需的 AWS 服务 - https://docs.aws.amazon.com/codebuild/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html#customer-managed-policies-example-create-vpc-network-interface
如果您不方便在策略中提供子网 ID,您也可以使用 StringLike
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterfacePermission"
],
"Resource": "arn:aws:ec2:*:*:network-interface/*",
"Condition": {
"StringLike": {
"ec2:Subnet": [
"arn:aws:ec2:*:*:subnet/*"
],
"ec2:AuthorizedService": "codebuild.amazonaws.com"
}
}
}
我在自定义 VPC 和私有子网中创建了 CodeBuild 项目。
私有子网可以访问互联网,同时 AWS 控制台确认互联网连接适用于此代码构建项目。我在构建的 "Provisioning" 阶段不断收到 VPC_CLIENT_ERROR: Unexpected EC2 error: UnauthorizedOperation 错误。我的服务角色策略中肯定缺少某些内容,但无法弄清楚是什么。
这是 CodeBuild 项目 (terraform):
resource "aws_codebuild_project" "frontend" {
name = "frontend"
build_timeout = "5"
service_role = "${aws_iam_role.frontend_build.arn}"
artifacts {
type = "S3"
location = "frontend.myapp.com"
namespace_type = "NONE"
packaging = "NONE"
path = "public"
}
environment {
compute_type = "BUILD_GENERAL1_SMALL"
image = "aws/codebuild/standard:1.0"
type = "LINUX_CONTAINER"
image_pull_credentials_type = "CODEBUILD"
environment_variable {
name = "SOME_KEY1"
value = "SOME_VALUE1"
}
}
logs_config {
cloudwatch_logs {
group_name = "build"
stream_name = "frontend-build"
}
}
source {
type = "GITHUB"
location = "https://github.com/MyOrg/my-repo.git"
git_clone_depth = 1
report_build_status = true
auth {
type = "OAUTH"
}
}
vpc_config {
vpc_id = module.vpc.vpc_id
subnets = module.vpc.private_subnets
security_group_ids = [aws_security_group.build.id]
}
}
这是此 CodeBuild 项目的 service_role:
resource "aws_iam_role" "frontend_build" {
name = "frontend-build"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "codebuild.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
这是该角色的政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:CreateNetworkInterfacePermission",
"Resource": "arn:aws:ec2:us-east-1:371508653482:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:AuthorizedService": "codebuild.amazonaws.com",
"ec2:Subnet": "subnet-124641af7a83bf872"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeDhcpOptions",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcs",
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetAuthorizationToken",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart",
"ecs:RunTask",
"iam:PassRole",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"ssm:GetParameters"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:GetAuthorizationToken",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"logs:CreateLogGroup",
"logs:PutLogEvents",
"ecr:BatchCheckLayerAvailability"
],
"Resource": "*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::xxx-frontend-build-logs",
"arn:aws:s3:::xxx-frontend-build-logs/*"
]
}
]
}
这是 CodeBuild 项目的安全组:
resource "aws_security_group" "build" {
name = "build"
vpc_id = module.vpc.vpc_id
}
resource "aws_security_group_rule" "build_egress" {
type = "egress"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = aws_security_group.build.id
}
在我看来,CodeBuild 服务角色无法在 VPC 中创建 ENI。问题似乎出在 CodeBuild 角色策略中的这一行:
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:CreateNetworkInterfacePermission",
"Resource": "arn:aws:ec2:us-east-1:371508653482:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:AuthorizedService": "codebuild.amazonaws.com",
"ec2:Subnet": "subnet-124641af7a83bf872" <================= Need full ARN here
}
}
},
而不是:
"Condition": {
"StringEquals": {
"ec2:AuthorizedService": "codebuild.amazonaws.com",
"ec2:Subnet": "subnet-124641af7a83bf872"
}
}
尝试...
"Condition": {
"StringEquals": {
"ec2:Subnet": [
"arn:aws:ec2:region:account-id:subnet/subnet-124641af7a83bf872"
],
"ec2:AuthorizedService": "codebuild.amazonaws.com"
}
详情请见:[1]
参考: [1] 为 CodeBuild 使用基于身份的策略 - 允许 CodeBuild 访问创建 VPC 网络接口所需的 AWS 服务 - https://docs.aws.amazon.com/codebuild/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html#customer-managed-policies-example-create-vpc-network-interface
如果您不方便在策略中提供子网 ID,您也可以使用 StringLike
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterfacePermission"
],
"Resource": "arn:aws:ec2:*:*:network-interface/*",
"Condition": {
"StringLike": {
"ec2:Subnet": [
"arn:aws:ec2:*:*:subnet/*"
],
"ec2:AuthorizedService": "codebuild.amazonaws.com"
}
}
}