An error occurred: ServerlessDeploymentBucket - API: s3:CreateBucket Access Denied
This is run as a pipeline from a CDK-based CI/CD pipeline; since the pipeline is assumed to have the required permissions through its role, no profile is passed in the parameters.
I am using the pipeline from https://github.com/awslabs/aws-simple-cicd/
My deployment-role.yml file has a policy that looks like this:
DeploymentPolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: deployment-policy
    PolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Action:
            - 'cloudformation:*'
            - 'iam:*'
            - 'lambda:*'
            - 'ecs:*'
            - 'ecr:*'
            - 'logs:*'
            - 'ssm:*'
            - 'acm:*'
            - 'apigateway:*'
            - 'application-autoscaling:*'
            - 'autoscaling:*'
            - 'cloudfront:*'
            - 'cloudwatch:*'
            - 'elasticache:*'
            - 'elasticloadbalancing:*'
            - 'events:*'
            - 'route53:*'
            - 'sns:*'
            - 'sqs:*'
            - 's3:*'
            - 'dynamodb:*'
            - 'xray:*'
            - 'cognito-idp:*'
          Resource: '*'
    Roles:
      - !Ref DeploymentRole
Given that the policy grants full access to S3, I would expect the deployment to complete, but it fails with the following error message:
lerna notice cli v4.0.0
lerna info ci enabled
lerna info Executing command in 4 packages: "npm run deploy"
vlncc-sns: > vlncc-sns@0.1.0 deploy
vlncc-sns: > sls deploy -v
tenant-mgmt-service: > tenant-mgmt-service@0.1.0 deploy
tenant-mgmt-service: > sls deploy -v
vlncc-sns: Serverless: Deprecation warning: Variables resolver reports following resolution errors:
vlncc-sns: - Cannot resolve variable at "provider.profile": Value not found at "opt" source
vlncc-sns: From a next major it we will be communicated with a thrown error.
vlncc-sns: Set "variablesResolutionMode: 20210219" in your service config, to adapt to this behavior now
vlncc-sns: More Info: https://www.serverless.com/framework/docs/deprecations/#NEW_VARIABLES_RESOLVER
tenant-mgmt-service: Serverless: Deprecation warning: Variables resolver reports following resolution errors:
tenant-mgmt-service: - Cannot resolve variable at "provider.profile": Value not found at "opt" source,
tenant-mgmt-service: - Cannot resolve variable at "provider.iamRoleStatements.0": Cannot load file from outside of service folder
tenant-mgmt-service: From a next major it we will be communicated with a thrown error.
tenant-mgmt-service: Set "variablesResolutionMode: 20210219" in your service config, to adapt to this behavior now
tenant-mgmt-service: More Info: https://www.serverless.com/framework/docs/deprecations/#NEW_VARIABLES_RESOLVER
vlncc-sns:
vlncc-sns: Serverless Warning --------------------------------------
vlncc-sns:
vlncc-sns: A valid option to satisfy the declaration 'opt:profile' could not be found.
vlncc-sns:
vlncc-sns: Serverless: Packaging service...
vlncc-sns: Serverless: Creating Stack...
tenant-mgmt-service:
tenant-mgmt-service: Serverless Warning --------------------------------------
tenant-mgmt-service:
tenant-mgmt-service: A valid option to satisfy the declaration 'opt:profile' could not be found.
tenant-mgmt-service:
vlncc-sns: Serverless: Checking Stack create progress...
tenant-mgmt-service: Serverless: Configuration warning at 'functions.getPool.events[0].http': unrecognized property 'documentation'
tenant-mgmt-service: Serverless:
tenant-mgmt-service: Serverless: Learn more about configuration validation here: http://slss.io/configuration-validation
tenant-mgmt-service: Serverless:
tenant-mgmt-service: Serverless: Deprecation warning: Starting with version 3.0.0, following property will be replaced:
tenant-mgmt-service: "provider.iamRoleStatements" -> "provider.iam.role.statements"
tenant-mgmt-service: More Info: https://www.serverless.com/framework/docs/deprecations/#PROVIDER_IAM_SETTINGS
tenant-mgmt-service: Serverless: Deprecation warning: Resolution of lambda version hashes was improved with better algorithm, which will be used in next major release.
tenant-mgmt-service: Switch to it now by setting "provider.lambdaHashingVersion" to "20201221"
tenant-mgmt-service: More Info: https://www.serverless.com/framework/docs/deprecations/#LAMBDA_HASHING_VERSION_V2
tenant-mgmt-service: Serverless: Using configuration:
tenant-mgmt-service: {
tenant-mgmt-service: "packager": "npm",
tenant-mgmt-service: "packagerOptions": {},
tenant-mgmt-service: "webpackConfig": "../../node_modules/serverless-bundle/src/webpack.config.js",
tenant-mgmt-service: "includeModules": {
tenant-mgmt-service: "forceExclude": [
tenant-mgmt-service: "aws-sdk"
tenant-mgmt-service: ],
tenant-mgmt-service: "forceInclude": null,
tenant-mgmt-service: "packagePath": "package.json"
tenant-mgmt-service: },
tenant-mgmt-service: "keepOutputDirectory": false
tenant-mgmt-service: }
tenant-mgmt-service: Serverless: Removing /codebuild/output/src181728188/src/services/tenant-mgmt-service/.webpack
tenant-mgmt-service: Serverless: Bundling with Webpack...
vlncc-sns: CloudFormation - CREATE_IN_PROGRESS - AWS::CloudFormation::Stack - vlncc-sns-sandbox
vlncc-sns: CloudFormation - CREATE_IN_PROGRESS - AWS::S3::Bucket - ServerlessDeploymentBucket
vlncc-sns: CloudFormation - CREATE_FAILED - AWS::S3::Bucket - ServerlessDeploymentBucket
vlncc-sns: CloudFormation - DELETE_IN_PROGRESS - AWS::CloudFormation::Stack - vlncc-sns-sandbox
vlncc-sns: CloudFormation - DELETE_COMPLETE - AWS::S3::Bucket - ServerlessDeploymentBucket
vlncc-sns: CloudFormation - DELETE_COMPLETE - AWS::CloudFormation::Stack - vlncc-sns-sandbox
vlncc-sns: Serverless: Operation failed!
vlncc-sns: Serverless: View the full error output: https://us-west-2.console.aws.amazon.com/cloudformation/home?region=us-west-2#/stack/detail?stackId=arn%3Aaws%3Acloudformation%3Aus-west-2%3A074808352032%3Astack%2Fvlncc-sns-sandbox%2F99468730-85f5-11eb-9aea-069c3947cedb
vlncc-sns:
vlncc-sns: Serverless Error ----------------------------------------
vlncc-sns:
vlncc-sns: An error occurred: ServerlessDeploymentBucket - API: s3:CreateBucket Access Denied.
vlncc-sns:
vlncc-sns: Get Support --------------------------------------------
vlncc-sns: Docs: docs.serverless.com
vlncc-sns: Bugs: github.com/serverless/serverless/issues
vlncc-sns: Issues: forum.serverless.com
vlncc-sns:
vlncc-sns: Your Environment Information ---------------------------
vlncc-sns: Operating System: linux
vlncc-sns: Node Version: 12.19.1
vlncc-sns: Framework Version: 2.29.0
vlncc-sns: Plugin Version: 4.5.0
vlncc-sns: SDK Version: n/a
vlncc-sns: Components Version: 3.7.3
vlncc-sns:
vlncc-sns: npm ERR! code 1
vlncc-sns: npm ERR! path /codebuild/output/src181728188/src/resources/sns
vlncc-sns: npm ERR! command failed
vlncc-sns: npm ERR! command sh -c sls deploy -v
vlncc-sns: npm ERR! A complete log of this run can be found in:
vlncc-sns: npm ERR! /root/.npm/_logs/2021-03-16T01_19_15_364Z-debug.log
lerna ERR! npm run deploy exited 1 in 'vlncc-sns'
lerna WARN complete Waiting for 2 child processes to exit. CTRL-C to exit immediately.
npm ERR! code 1
npm ERR! path /codebuild/output/src181728188/src
npm ERR! command failed
npm ERR! command sh -c lerna run deploy --stream

npm ERR! A complete log of this run can be found in:
npm ERR! /root/.npm/_logs/2021-03-16T01_19_15_414Z-debug.log

[Container] 2021/03/16 01:19:15 Command did not exit successfully bash ${CODEBUILD_SRC_DIR}/scripts/deploy.sh exit status 1
[Container] 2021/03/16 01:19:15 Phase complete: BUILD State: FAILED
[Container] 2021/03/16 01:19:15 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: bash ${CODEBUILD_SRC_DIR}/scripts/deploy.sh. Reason: exit status 1
[Container] 2021/03/16 01:19:15 Entering phase POST_BUILD
[Container] 2021/03/16 01:19:15 Phase complete: POST_BUILD State: SUCCEEDED
[Container] 2021/03/16 01:19:15 Phase context status code: Message:
Why is this, and how do I fix it?
The S3 permissions should be added to your CodeBuild (CB) project role, not the CodePipeline (CP) role. The reason is that the CB container is the entity that actually tries to access S3, not CP.
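One way to apply the answer with least privilege, as an added example rather than code from the question, the answer or aws-simple-cicd: attach the S3 rights to the CodeBuild project role and scope them to the bucket name pattern CloudFormation generates for the ServerlessDeploymentBucket resource, instead of s3:* on '*'. Assumed here are the role's logical ID CodeBuildProjectRole and the '<stack>-serverlessdeploymentbuck-*' physical naming pattern; the action list is what Serverless 2.x and CloudFormation typically call for this bucket, so if an AccessDenied remains, read the missing action from CloudTrail and add that one action rather than widening to s3:*.

```yaml
# Added example (not from the question, the answer, or aws-simple-cicd).
# Assumed names: CodeBuildProjectRole (the role the build container runs as)
# and the "<stack>-serverlessdeploymentbuck-*" bucket names CloudFormation
# generates for the ServerlessDeploymentBucket resource.
ServerlessDeployBucketPolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: serverless-deployment-bucket
    Roles:
      - !Ref CodeBuildProjectRole   # not the pipeline role: CodeBuild makes the S3 calls
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        # Bucket lifecycle: created, configured and deleted by the
        # CloudFormation stack that `sls deploy` drives.
        - Sid: ManageDeploymentBucket
          Effect: Allow
          Action:
            - s3:CreateBucket
            - s3:DeleteBucket
            - s3:GetBucketLocation
            - s3:ListBucket
            - s3:PutBucketPolicy
            - s3:DeleteBucketPolicy
            - s3:PutEncryptionConfiguration
            - s3:PutBucketPublicAccessBlock
          Resource: arn:aws:s3:::*-serverlessdeploymentbuck-*
        # Packaged artifacts that `sls deploy` uploads into that bucket
        # and removes again when old deployments are pruned.
        - Sid: ManageDeploymentArtifacts
          Effect: Allow
          Action:
            - s3:PutObject
            - s3:GetObject
            - s3:DeleteObject
          Resource: arn:aws:s3:::*-serverlessdeploymentbuck-*/*
```

Setting provider.deploymentBucket.name in serverless.yml to a fixed bucket lets the Resource ARNs name that bucket exactly instead of relying on the wildcard pattern.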