提供的角色没有足够的权限访问 CodeDeploy
The provided role does not have sufficient permissions to access CodeDeploy
我正在实施 CodePipeline;使用 GitHub、CodeBuild 和 Amazon ECS (blue/green)。我正在使用的角色是由管道生成的角色:ecsTaskExecutionRole
生成后,它配备了以下策略:
AmazonECSTaskExecutionRolePolicy(包含以下操作):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]}
以及以下信任关系:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"codebuild.amazonaws.com",
"ecs-tasks.amazonaws.com",
]
},
"Action": "sts:AssumeRole"
}
]
}
假设角色是自动生成的,人们会假设它拥有所有必要的权限(管道运行)或者 AWS 会有分配权限的指南(到策略或信任关系配置)。
尽管如此,更新信任关系以包括:
"Service": [
"codebuild.amazonaws.com",
"ecs-tasks.amazonaws.com",
"ec2.amazonaws.com",
"codedeploy.amazonaws.com",
"codepipeline.amazonaws.com",
"s3.amazonaws.com"
]
我仍然收到错误:
在过去的 1-2 年里,我多次 blogs/forum 看到过这个问题;令人难以置信的是,这仍然没有被正确记录为 AWS 教程(或相关博客)的一部分。
"The provided role does not have sufficient permissions to access CodeDeploy"
此错误表明 CodePipeline 角色缺少 "codedeploy:" 相关权限。
能否请您添加
codedeploy:*
到角色再试一次。
如果您不想添加所有 CodeDeploy 权限,您将需要调查 Cloudtrail 中的 'AccessDenied' 调用并仅允许这些。通常这些是必需的:
{
"Action": [
"codedeploy:CreateDeployment",
"codedeploy:GetApplicationRevision",
"codedeploy:GetApplication",
"codedeploy:GetDeployment",
"codedeploy:GetDeploymentConfig",
"codedeploy:RegisterApplicationRevision"
],
"Resource": "*",
"Effect": "Allow"
},
此处记录了默认值 "CodePipeline Service Role Policy":
[1] 管理 CodePipeline 服务角色 - 查看默认 CodePipeline 服务角色策略 - https://docs.aws.amazon.com/codepipeline/latest/userguide/how-to-custom-role.html#view-default-service-role-policy
我正在实施 CodePipeline;使用 GitHub、CodeBuild 和 Amazon ECS (blue/green)。我正在使用的角色是由管道生成的角色:ecsTaskExecutionRole
生成后,它配备了以下策略: AmazonECSTaskExecutionRolePolicy(包含以下操作):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]}
以及以下信任关系:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"codebuild.amazonaws.com",
"ecs-tasks.amazonaws.com",
]
},
"Action": "sts:AssumeRole"
}
]
}
假设角色是自动生成的,人们会假设它拥有所有必要的权限(管道运行)或者 AWS 会有分配权限的指南(到策略或信任关系配置)。
尽管如此,更新信任关系以包括:
"Service": [
"codebuild.amazonaws.com",
"ecs-tasks.amazonaws.com",
"ec2.amazonaws.com",
"codedeploy.amazonaws.com",
"codepipeline.amazonaws.com",
"s3.amazonaws.com"
]
我仍然收到错误:
在过去的 1-2 年里,我多次 blogs/forum 看到过这个问题;令人难以置信的是,这仍然没有被正确记录为 AWS 教程(或相关博客)的一部分。
"The provided role does not have sufficient permissions to access CodeDeploy"
此错误表明 CodePipeline 角色缺少 "codedeploy:" 相关权限。
能否请您添加
codedeploy:*
到角色再试一次。
如果您不想添加所有 CodeDeploy 权限,您将需要调查 Cloudtrail 中的 'AccessDenied' 调用并仅允许这些。通常这些是必需的:
{
"Action": [
"codedeploy:CreateDeployment",
"codedeploy:GetApplicationRevision",
"codedeploy:GetApplication",
"codedeploy:GetDeployment",
"codedeploy:GetDeploymentConfig",
"codedeploy:RegisterApplicationRevision"
],
"Resource": "*",
"Effect": "Allow"
},
此处记录了默认值 "CodePipeline Service Role Policy":
[1] 管理 CodePipeline 服务角色 - 查看默认 CodePipeline 服务角色策略 - https://docs.aws.amazon.com/codepipeline/latest/userguide/how-to-custom-role.html#view-default-service-role-policy