AWS Pipeline buildspec 拒绝访问 SecretManager,但已授权部署的 Beanstalk 实例
AWS Pipeline buildspec denied access to SecretManager, but deployed Beanstalk instance authorized
我们已将 MyReadOnlySecretServer 政策设置为:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds"
],
"Resource": "arn:aws:secretsmanager:REGION:SOME_ID:secret:ID_OF_OUR_SECRET_JSON"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"secretsmanager:GetRandomPassword",
"secretsmanager:ListSecrets"
],
"Resource": "*"
}
]
}
我们在 Elastic Beanstalk 上部署了一个 SpringBoot 应用程序,并已成功在生产中检索和使用密钥。
但是,不知何故,当我们仍处于管道的构建阶段时,显然我们的 CodeStarWorker 无法读取这些值。这是例外:
software.amazon.awssdk.services.secretsmanager.model.SecretsManagerException:
User:
arn:aws:sts::SOME_ID:assumed-role/CodeStarWorker-blabla-ToolChain/AWSCodeBuild-some-long-id
is not authorized to perform: secretsmanager:GetSecretValue on
resource:
arn:aws:secretsmanager:REGION:SOME_ID:secret:ID_OF_OUR_SECRET_JSON
(Service: SecretsManager, Status Code: 400, Request ID:
some-other-long-id)
我们在部署时尝试访问机密时遇到此异常,如异常所述,将 MyReadOnlySecretServer 策略添加到 IAM 角色 CodeStarWorker-blabla-ToolChain,然后问题得到解决。
然而,不知何故,现在我们在 buildspec.yml 中尝试 运行 mvn test,我们得到了同样的异常。
为什么我们的 buildspec.yml 尽管被执行 "source + build + deploy" 阶段的同一代码管道 运行 拒绝访问?部署后,该实例可以访问,但在构建时却没有。
这是 buildspec.yml :
version: 0.2
phases:
install:
runtime-versions:
java: openjdk8
commands:
# Upgrade AWS CLI to the latest version
- pip install --upgrade awscli
pre_build:
commands:
- cd $CODEBUILD_SRC_DIR
- mvn clean compile test # commenting this "test" makes it run properly
build:
commands:
- mvn war:exploded
post_build:
commands:
- cp -r .ebextensions/ target/ROOT/
- aws cloudformation package --template template.yml --s3-bucket $S3_BUCKET --output-template-file template-export.yml
# Do not remove this statement. This command is required for AWS CodeStar projects.
# Update the AWS Partition, AWS Region, account ID and project ID in the project ARN on template-configuration.json file so AWS CloudFormation can tag project resources.
- sed -i.bak 's/$PARTITION$/'${PARTITION}'/g;s/$AWS_REGION$/'${AWS_REGION}'/g;s/$ACCOUNT_ID$/'${ACCOUNT_ID}'/g;s/$PROJECT_ID$/'${PROJECT_ID}'/g' template-configuration.json
artifacts:
type: zip
files:
- target/ROOT/**/*
- .ebextensions/**/*
- 'template-export.yml'
- 'template-configuration.json'
在我看来,CodeBuild 承担了 'CodeStarWorker-blabla-ToolChain' 角色,而角色本身没有 'secretsmanager:GetSecretValue' 权限。此外,根据记忆,CodeStarWorker 角色有一个权限边界,即使您已经明确添加了所需的权限,它也可能会阻止访问。这里讨论了类似的问题:
我们已将 MyReadOnlySecretServer 政策设置为:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds"
],
"Resource": "arn:aws:secretsmanager:REGION:SOME_ID:secret:ID_OF_OUR_SECRET_JSON"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"secretsmanager:GetRandomPassword",
"secretsmanager:ListSecrets"
],
"Resource": "*"
}
]
}
我们在 Elastic Beanstalk 上部署了一个 SpringBoot 应用程序,并已成功在生产中检索和使用密钥。
但是,不知何故,当我们仍处于管道的构建阶段时,显然我们的 CodeStarWorker 无法读取这些值。这是例外:
software.amazon.awssdk.services.secretsmanager.model.SecretsManagerException: User: arn:aws:sts::SOME_ID:assumed-role/CodeStarWorker-blabla-ToolChain/AWSCodeBuild-some-long-id is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:REGION:SOME_ID:secret:ID_OF_OUR_SECRET_JSON (Service: SecretsManager, Status Code: 400, Request ID: some-other-long-id)
我们在部署时尝试访问机密时遇到此异常,如异常所述,将 MyReadOnlySecretServer 策略添加到 IAM 角色 CodeStarWorker-blabla-ToolChain,然后问题得到解决。
然而,不知何故,现在我们在 buildspec.yml 中尝试 运行 mvn test,我们得到了同样的异常。
为什么我们的 buildspec.yml 尽管被执行 "source + build + deploy" 阶段的同一代码管道 运行 拒绝访问?部署后,该实例可以访问,但在构建时却没有。
这是 buildspec.yml :
version: 0.2
phases:
install:
runtime-versions:
java: openjdk8
commands:
# Upgrade AWS CLI to the latest version
- pip install --upgrade awscli
pre_build:
commands:
- cd $CODEBUILD_SRC_DIR
- mvn clean compile test # commenting this "test" makes it run properly
build:
commands:
- mvn war:exploded
post_build:
commands:
- cp -r .ebextensions/ target/ROOT/
- aws cloudformation package --template template.yml --s3-bucket $S3_BUCKET --output-template-file template-export.yml
# Do not remove this statement. This command is required for AWS CodeStar projects.
# Update the AWS Partition, AWS Region, account ID and project ID in the project ARN on template-configuration.json file so AWS CloudFormation can tag project resources.
- sed -i.bak 's/$PARTITION$/'${PARTITION}'/g;s/$AWS_REGION$/'${AWS_REGION}'/g;s/$ACCOUNT_ID$/'${ACCOUNT_ID}'/g;s/$PROJECT_ID$/'${PROJECT_ID}'/g' template-configuration.json
artifacts:
type: zip
files:
- target/ROOT/**/*
- .ebextensions/**/*
- 'template-export.yml'
- 'template-configuration.json'
在我看来,CodeBuild 承担了 'CodeStarWorker-blabla-ToolChain' 角色,而角色本身没有 'secretsmanager:GetSecretValue' 权限。此外,根据记忆,CodeStarWorker 角色有一个权限边界,即使您已经明确添加了所需的权限,它也可能会阻止访问。这里讨论了类似的问题: