如何从 codebuild buildspec 获取 S3 对象? (拒绝访问)
How to get S3 objects from a codebuild buildspec ? (AccessDenied)
我有一个带有 CodeBuild 阶段的 CodePipeline 管道
这是我的构建规范:
{
"version": "0.2",
"phases": {
"build": {
"commands": [
"echo \"Hello, CodeBuild!\"",
"echo \"ca marche\" > test.txt",
"mkdir site-content",
"aws s3 sync s3://my-super-bucket-name site-content",
"ls - al"
]
}
},
"artifacts": {
"files": [
"test.txt"
]
}
}
构建项目服务角色是使用默认的 cdk 生成策略定义的,加上这个:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-super-bucket-name",
"arn:aws:s3:::my-super-bucket-name/* "
],
"Effect": "Allow"
}
]
}
并且 codebuild.amazonaws.com 是角色的可信实体
在存储桶方面,我有这个存储桶策略:
{
"Version": "2012-10-17",
"Id": "PolicyXXXXXXXXXXXXX",
"Statement": [
{
"Sid": "StmtYYYYYYYYYYYYY",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::12345678910:user/a-user-for-another-process"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-super-bucket-name"
}
]
}
但是构建项目失败了:
[Container] 2021/02/03 09:57:43 Running command aws s3 sync s3://my-super-bucket-name site-content
download failed: s3://my-super-bucket-name/test.txt to site-content/test.txt An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
Completed 4 Bytes/13.7 KiB (0 Bytes/s) with 4 file(s) remaining
求助!
编辑:
我只是将此声明添加到存储桶策略中:
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXXXXXX:role/my-role"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-super-bucket-name"
}
但是我有同样的错误:(
编辑 2:
傻我!它是:
"Resource": "arn:aws:s3:::my-super-bucket-name*"
现在可以了!
您应该修改存储桶策略以向您的代码构建角色授予显式访问权限,因为如果没有存储桶策略附加到存储桶,那么首先会根据存储桶策略检查权限,然后按照您尝试的方式进行操作.
我有一个带有 CodeBuild 阶段的 CodePipeline 管道
这是我的构建规范:
{
"version": "0.2",
"phases": {
"build": {
"commands": [
"echo \"Hello, CodeBuild!\"",
"echo \"ca marche\" > test.txt",
"mkdir site-content",
"aws s3 sync s3://my-super-bucket-name site-content",
"ls - al"
]
}
},
"artifacts": {
"files": [
"test.txt"
]
}
}
构建项目服务角色是使用默认的 cdk 生成策略定义的,加上这个:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-super-bucket-name",
"arn:aws:s3:::my-super-bucket-name/* "
],
"Effect": "Allow"
}
]
}
并且 codebuild.amazonaws.com 是角色的可信实体
在存储桶方面,我有这个存储桶策略:
{
"Version": "2012-10-17",
"Id": "PolicyXXXXXXXXXXXXX",
"Statement": [
{
"Sid": "StmtYYYYYYYYYYYYY",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::12345678910:user/a-user-for-another-process"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-super-bucket-name"
}
]
}
但是构建项目失败了:
[Container] 2021/02/03 09:57:43 Running command aws s3 sync s3://my-super-bucket-name site-content
download failed: s3://my-super-bucket-name/test.txt to site-content/test.txt An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
Completed 4 Bytes/13.7 KiB (0 Bytes/s) with 4 file(s) remaining
求助!
编辑: 我只是将此声明添加到存储桶策略中:
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXXXXXX:role/my-role"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-super-bucket-name"
}
但是我有同样的错误:(
编辑 2: 傻我!它是:
"Resource": "arn:aws:s3:::my-super-bucket-name*"
现在可以了!
您应该修改存储桶策略以向您的代码构建角色授予显式访问权限,因为如果没有存储桶策略附加到存储桶,那么首先会根据存储桶策略检查权限,然后按照您尝试的方式进行操作.