CodePipeline deployment to Beanstalk fails despite IAM properly set up

Context

This was originally a CodeStar project that has since grown into something bigger. We re-used the Beanstalk application to create the stage and prod environments, leaving the originally created dev environment untouched.

We updated the CodePipeline to deploy to our new environments using "Elastic Beanstalk" as the provider. (CodeStar had set up the deployment for the environment it auto-provisioned in the Beanstalk application using CloudFormation.)

Problem

The deployment fails with an error saying that CodePipeline's IAM role is not authorized to perform autoscaling:DescribeAutoScalingGroups.

Here is the full error message shown in CodePipeline:

Insufficient permissions

Deployment failed.

The provided role does not have sufficient permissions: User: arn:aws:sts::xxx:assumed-role/CodeStarWorker-xxx-on-cod-ToolChain/yyy is not authorized to perform: autoscaling:DescribeAutoScalingGroups (Service: AmazonAutoScaling; Status Code: 403; Error Code: AccessDenied; Request ID: 905ee6ef-d75d-4cf8-b5f3-e6b16a5f6477)

Service:AmazonAutoScaling, Message:User: arn:aws:sts::xxx:assumed-role/CodeStarWorker-xxx-on-cod-ToolChain/yyy is not authorized to perform: autoscaling:DescribeAutoScalingGroups

Failed to deploy application.

Service:AmazonAutoScaling, Message:User: arn:aws:sts::xxx:assumed-role/CodeStarWorker-xxx-on-cod-ToolChain/yyy is not authorized to perform: autoscaling:DescribeAutoScalingGroups

IAM

Here is the content of the CodePipeline role (a.k.a. CodeStarWorker-xxx-on-cod-ToolChain):

Here is the associated permissions boundary (originally generated by CodeStar, eventually updated by us while trying to get the whole thing to work):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ssm:GetParameters",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ssm:ResourceTag/awscodestar:projectArn": "arn:aws:codestar:yyy:xxx:project/xxx-on-cod"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:CreateBucket",
                "iam:PassRole",
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:s3:::aws-codestar-yyy-xxx/xxx-on-cod/ssh/*",
                "arn:aws:s3:::elasticbeanstalk-yyy-xxx/*",
                "arn:aws:s3:::elasticbeanstalk-yyy-xxx",
                "arn:aws:s3:::awscodestar-remote-access-yyy/*",
                "arn:aws:s3:::awscodestar-remote-access-signatures-yyy/*",
                "arn:aws:iam::xxx:role/CodeStarWorker-xxx-on-cod-CloudFormation",
                "arn:aws:secretsmanager:yyy:xxx:secret:xxx"
            ]
        },
        {
            "Sid": "VisualEditor4",
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "codebuild:*",
                "ec2:Describe*",
                "ec2:*SecurityGroup*",
                "iam:PassRole"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "VisualEditor14",
            "Effect": "Allow",
            "Action": [
                "logs:*"
            ],
            "Resource": [
                "arn:aws:logs:yyy:xxx:log-group:/aws/elasticbeanstalk/*"
            ]
        },
        {
            "Sid": "VisualEditor6",
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:UpdateEnvironment"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "VisualEditor5",
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:SuspendProcesses",
                "autoscaling:ResumeProcesses",
                "autoscaling:DescribeScalingActivities"
            ],
            "Resource": [
                "arn:aws:autoscaling:yyy:xxx:autoScalingGroup:*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "sns:Get*",
                "sns:Publish",
                "logs:DescribeLogGroups",
                "cloudtrail:StartLogging",
                "lambda:ListFunctions",
                "cloudtrail:CreateTrail",
                "sns:Subscribe",
                "xray:Put*",
                "logs:CreateLogGroup",
                "logs:PutLogEvents",
                "sns:List*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": "*",
            "Resource": [
                "arn:aws:cloudformation:yyy:xxx:stack/awseb-e-mjdwv9ptcz-stack/2d588c80-5284-11ea-a1d4-068f4db663b8",
                "arn:aws:cloudformation:yyy:xxx:stack/awseb-e-mjdwv9ptcz-stack/2d588c80-5284-11ea-a1d4-068f4db663b8/*",
                "arn:aws:cloudformation:yyy:xxx:stack/awscodestar-xxx-on-cod-*",
                "arn:aws:codebuild:yyy:xxx:project/xxx-on-cod",
                "arn:aws:codecommit:yyy:xxx:xxx-on-codecommit",
                "arn:aws:codepipeline:yyy:xxx:xxx-on-cod-Pipeline",
                "arn:aws:elasticbeanstalk:yyy:xxx:*/xxx-on-cod*",
                "arn:aws:s3:::aws-codestar-yyy-xxx-xxx-on-cod-pipe",
                "arn:aws:s3:::aws-codestar-yyy-xxx-xxx-on-cod-pipe/*",
                "arn:aws:s3:::elasticbeanstalk-yyy-xxx/resources/environments/e-fp3mwptx9q",
                "arn:aws:s3:::elasticbeanstalk-yyy-xxx/resources/environments/e-fp3mwptx9q/*",
                "arn:aws:s3:::elasticbeanstalk-yyy-xxx/resources/environments/e-mjdwv9ptcz",
                "arn:aws:s3:::elasticbeanstalk-yyy-xxx/resources/environments/e-mjdwv9ptcz/*"
            ]
        }
    ]
}

Pipeline

As you can see, we have two CodeBuild projects: the first one was set up by CodeStar, the second one slightly modifies the output artifact so that it is in the right format to be uploaded directly to Beanstalk.

The deployment that succeeds is CodeStar's (using the CloudFormation provider); the next one fails (using the Beanstalk provider).

CodeStar CodeBuild (buildspec.yml)

Its output artifact is used by the CloudFormation deployment:

version: 0.2

phases:
  install:
    runtime-versions:
      java: openjdk8
    commands:
      # Upgrade AWS CLI to the latest version
      - pip install --upgrade awscli
  pre_build:
    commands:
      - cd $CODEBUILD_SRC_DIR
      - mvn clean compile test
  build:
    commands:
      - mvn war:exploded
  post_build:
    commands:
      - cp -r .ebextensions/ target/ROOT/
      - aws cloudformation package --template template.yml --s3-bucket $S3_BUCKET --output-template-file template-export.yml
      # Do not remove this statement. This command is required for AWS CodeStar projects.
      # Update the AWS Partition, AWS Region, account ID and project ID in the project ARN on template-configuration.json file so AWS CloudFormation can tag project resources.
      - sed -i.bak 's/$PARTITION$/'${PARTITION}'/g;s/$AWS_REGION$/'${AWS_REGION}'/g;s/$ACCOUNT_ID$/'${ACCOUNT_ID}'/g;s/$PROJECT_ID$/'${PROJECT_ID}'/g' template-configuration.json
artifacts:
  type: zip
  files:
    - target/ROOT/**/*
    - .ebextensions/**/*
    - 'template-export.yml'
    - 'template-configuration.json'

Our CodeBuild (buildspec-two.yml)

Its output artifact is used by the (failing) Beanstalk deployment:

# Everything up to that point is the very same as the code from above

artifacts:
  type: zip
  base-directory: 'target/ROOT'
  files:
    - ./**/*
    - .ebextensions/**/*

Conclusion

I don't understand how the deployment can fail, since both the permissions boundary and the underlying IAM role mention autoscaling:DescribeAutoScalingGroups.

Besides, deploying to the CodeStar environment works fine, and the specific environment the deployment fails for was created as an exact copy (configuration-wise).

Any ideas?

(Also, the original dev environment, just like the newly created stage environment, doesn't even have an AutoScalingGroup associated with it... so I don't know why the deployment even tries to do that.)

(I checked S3 to make sure both deployed artifacts have the same structure.)

This is a tough one, but as far as I can tell there are a couple of potential issues. One is that the 'DescribeAutoScalingGroups' action does not support resource-level permissions, so the resource has to be a wildcard (*) rather than a resource ARN. You could try removing:

"Resource": [
                "arn:aws:autoscaling:yyy:xxx:autoScalingGroup:*"
            ]

from the permissions boundary and replacing it with

"Resource": [
                "*"
            ]

and see whether that fixes it.

Second, the 'AWSCodeDeployFullAccess' role doesn't include the 'DescribeAutoScalingGroups' action in its policy. You may need to replace it with and/or add 'AWSCodeDeployRole' to use that action. That might fix it.

CodeStar projects are very locked down permission-wise, so extending a project gets quite complicated. Have a look here:

https://docs.aws.amazon.com/codestar/latest/userguide/add-iam-role.html

and here:

https://docs.aws.amazon.com/codestar/latest/userguide/adh-policy-examples.html
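The script below is an added example for this thread, not code from the question, the answer or AWS. It re-implements just enough of IAM policy evaluation (Action and Resource wildcard matching, deny-overrides-allow) to show offline why the posted boundary cannot authorise autoscaling:DescribeAutoScalingGroups: a Describe call carries no resource ARN, so only a statement whose Resource is literally "*" can match it, and the ARN-scoped VisualEditor5 statement never does. It goes one step beyond the answer by moving only the Describe* actions to Resource "*" and keeping SuspendProcesses/ResumeProcesses scoped to the Auto Scaling group ARN. The trimmed copy of the boundary, the shortlist of actions without resource-level permissions and the new statement Sid "AutoScalingDescribe" are assumptions made for the example.

```python
"""
Offline check of why an ARN-scoped Allow cannot grant autoscaling:DescribeAutoScalingGroups.

Constructed example for this thread, not AWS tooling. It models only Action/Resource
wildcard matching and deny-overrides-allow; Condition blocks, NotAction/NotResource and
identity policies are out of scope, so treat it as a reasoning aid, not a simulator.
"""
import copy
import re

# Auto Scaling Describe* calls carry no resource ARN, so IAM matches them only against a
# statement whose Resource is literally "*". Shortlist constructed for this example; the
# Service Authorization Reference is the source of truth for which actions support
# resource-level permissions.
NO_RESOURCE_LEVEL_ACTIONS = {
    "autoscaling:DescribeAutoScalingGroups",
    "autoscaling:DescribeScalingActivities",
}

# Trimmed copy of the posted permissions boundary: only the statements that could
# plausibly match an autoscaling:* request are kept.
BOUNDARY_AS_POSTED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor4", "Effect": "Allow",
         "Action": ["s3:*", "codebuild:*", "ec2:Describe*", "ec2:*SecurityGroup*", "iam:PassRole"],
         "Resource": ["*"]},
        {"Sid": "VisualEditor5", "Effect": "Allow",
         "Action": ["autoscaling:DescribeAutoScalingGroups", "autoscaling:SuspendProcesses",
                    "autoscaling:ResumeProcesses", "autoscaling:DescribeScalingActivities"],
         "Resource": ["arn:aws:autoscaling:yyy:xxx:autoScalingGroup:*"]},
        {"Sid": "VisualEditor3", "Effect": "Allow", "Action": "*",
         "Resource": ["arn:aws:cloudformation:yyy:xxx:stack/awscodestar-xxx-on-cod-*",
                      "arn:aws:elasticbeanstalk:yyy:xxx:*/xxx-on-cod*"]},
    ],
}


def _glob(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style matching: '*' is any run of characters, '?' exactly one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource: str = "*"):
    """Return (decision, matching_sids) for one request against one policy.

    decision is 'allow', 'explicitDeny' or 'implicitDeny'. Actions that take no
    resource are always evaluated against resource '*', as IAM does.
    """
    if action in NO_RESOURCE_LEVEL_ACTIONS:
        resource = "*"
    allows, denies = [], []
    for stmt in policy["Statement"]:
        if "Condition" in stmt:  # context keys are unknown offline: skip the statement
            continue
        action_hit = any(_glob(p, action, True) for p in _as_list(stmt["Action"]))
        resource_hit = any(_glob(p, resource, False) for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            (allows if stmt["Effect"] == "Allow" else denies).append(stmt.get("Sid", "?"))
    if denies:
        return "explicitDeny", denies
    if allows:
        return "allow", allows
    return "implicitDeny", []


def split_describe_actions(policy: dict, sid: str = "VisualEditor5") -> dict:
    """Least-privilege fix: move the no-resource Describe* actions out of statement `sid`
    into a new statement on Resource '*', leaving the mutating actions ARN-scoped."""
    fixed = copy.deepcopy(policy)
    target = next(s for s in fixed["Statement"] if s.get("Sid") == sid)
    moved = [a for a in _as_list(target["Action"]) if a in NO_RESOURCE_LEVEL_ACTIONS]
    target["Action"] = [a for a in _as_list(target["Action"]) if a not in moved]
    fixed["Statement"].append({"Sid": "AutoScalingDescribe", "Effect": "Allow",
                               "Action": moved, "Resource": "*"})
    return fixed


if __name__ == "__main__":
    action = "autoscaling:DescribeAutoScalingGroups"
    print("as posted:", evaluate(BOUNDARY_AS_POSTED, action))       # implicitDeny, no statement matches
    print("after fix:", evaluate(split_describe_actions(BOUNDARY_AS_POSTED), action))
```

Against the real account, the same question is answered authoritatively by the IAM policy simulator, which takes the role's permissions boundary into account: aws iam simulate-principal-policy --policy-source-arn <ToolChain role ARN> --action-names autoscaling:DescribeAutoScalingGroups.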