假定角色无权执行:route53:ListHostZonesByDomain;将 Route53 策略添加到 CodePipeline CodeBuildAction 的假定规则

assumed-role is not authorized to perform: route53:ListHostZonesByDomain; Adding a Route53 Policy to a CodePipeline CodeBuildAction's Assumed Rule

我的目标是在 subdomain.mydomain.com 创建一个网站,指向 CloudFront CDN 分发 Lambda 运行 Express 呈现 S3 网站。我正在使用 AWS CDK 来执行此操作。

我有一个错误说

[Error at /plants-domain] User: arn:aws:sts::413025517373:assumed-role/plants-pipeline-BuildCDKRole0DCEDB8F-1BHVX6Z6H5X0H/AWSCodeBuild-39a582bf-8b89-447e-a6b4-b7f7f13c9db1 is not authorized to perform: route53:ListHostedZonesByName

意思是:

我相信此策略将允许相关对象查找托管区域:

const listHostZonesByNamePolicy = new IAM.PolicyStatement({
  actions: ['route53:ListHostedZonesByName'],
  resources: ['*'],
  effect: IAM.Effect.ALLOW,
});

使用Route53.HostedZone.fromLookup()的代码在第一个堆栈domain.ts中。我的其他堆栈使用 CodePipelineAction.CloudFormationCreateUpdateStackAction 使用 domain.ts 模板(见下文)

domain.ts


// The addition of this zone lookup broke CDK
const zone = route53.HostedZone.fromLookup(this, 'baseZone', {
  domainName: 'domain.com',
});

// Distribution I'd like to point my subdomain.domain.com to
const distribution = new CloudFront.CloudFrontWebDistribution(this, 'website-cdn', {
// more stuff goes here
});


// Create the subdomain aRecord pointing to my distribution
const aRecord = new route53.ARecord(this, 'aliasRecord', {
  zone: zone,
  recordName: 'subdomain',
  target: route53.RecordTarget.fromAlias(new targets.CloudFrontTarget(distribution)),
});

pipeline.ts


const pipeline = new CodePipeline.Pipeline(this, 'Pipeline', {
  pipelineName: props.name,
  restartExecutionOnUpdate: false,
});

// My solution to the missing AssumedRole synth error: Create a Role, add the missing Policy to it (and the Pipeline, just in case)
const buildRole = new IAM.Role(this, 'BuildRole', {
  assumedBy: new IAM.ServicePrincipal('codebuild.amazonaws.com'),
  path: '/',
});

const listHostZonesByNamePolicy = new IAM.PolicyStatement({
  actions: ['route53:ListHostedZonesByName'],
  resources: ['*'],
  effect: IAM.Effect.ALLOW,
});


buildRole.addToPrincipalPolicy(listHostZonesByNamePolicy);

pipeline.addStage({
  // This is the action that fails, when it calls `cdk synth`
  stageName: 'Build',
  actions: [
    new CodePipelineAction.CodeBuildAction({
      actionName: 'CDK',
      project: new CodeBuild.PipelineProject(this, 'BuildCDK', {
        projectName: 'CDK',
        buildSpec: CodeBuild.BuildSpec.fromSourceFilename('./aws/buildspecs/cdk.yml'),
        role: buildRole, // this didn't work
      }),
      input: outputSources,
      outputs: [outputCDK],
      runOrder: 10,
      role: buildRole, // this didn't work
    }),
    new CodePipelineAction.CodeBuildAction({
       actionName: 'Assets',
      // other stuff
    }),
    new CodePipelineAction.CodeBuildAction({
      actionName: 'Render',
      // other stuff
    }),
  ]
})

pipeline.addStage({
  stageName: 'Deploy',
  actions: [
    // This is the action calling the compiled domain stack template
    new CodePipelineAction.CloudFormationCreateUpdateStackAction({
      actionName: 'Domain',
      templatePath: outputCDK.atPath(`${props.name}-domain.template.json`),
      stackName: `${props.name}-domain`,
      adminPermissions: true,
      runOrder: 50,
      role: buildRole, // this didn't work
    }),
    // other actions
  ]
});

经过以上配置,不幸的是,我仍然收到同样的错误:

[Error at /plants-domain] User: arn:aws:sts::413025517373:assumed-role/plants-pipeline-BuildCDKRole0DCEDB8F-1BHVX6Z6H5X0H/AWSCodeBuild-957b18fb-909d-4e22-94f0-9aa6281ddb2d is not authorized to perform: route53:ListHostedZonesByName

使用代入角色 ARN,是否可以追踪到缺少权限的对象?还有其他方法可以解决我的 IAM/AssumedUser 角色问题吗?

基于错误,管道角色(它会在阶段或动作中起作用...)

默认a new role is being created for the pipeline:

role?

Type: IRole (optional, default: a new IAM role will be created.)

此管道将承担的 IAM 角色。

相反,当您构建管道时,在此处添加 buildRole

const pipeline = new CodePipeline.Pipeline(this, 'Pipeline', {
  pipelineName: props.name,
  restartExecutionOnUpdate: false,
  role: buildRole
});

根据您的管道,您从未将角色分配给相关的阶段操作according to the docs

pipeline.addStage({
  stageName: 'Deploy',
  actions: [
    // This is the action calling the compiled domain stack template
    new CodePipelineAction.CloudFormationCreateUpdateStackAction({
      ...
      role: buildRole, // this didn't work
    }),
    // other actions
  ]
});

应该是:

pipeline.addStage({
  stageName: 'Deploy',
  actions: [
    // This is the action calling the compiled domain stack template
    new CodePipelineAction.CloudFormationCreateUpdateStackAction({
      ....
      deploymentRole: buildRole
    }),
  ]
});

为什么是deploymentRole而不是role,没人知道。

这里是官方doco的回答:https://docs.aws.amazon.com/cdk/api/latest/docs/pipelines-readme.html#context-lookups

TLDR: 默认情况下,管道无法进行查找 -> 2 个选项:

  • 开发机器上的合成器(确保开发机器有权限)
  • 添加查找策略

new CodePipeline(this, 'Pipeline', {
  synth: new CodeBuildStep('Synth', {
    input: // ...input...
    commands: [
      // Commands to load cdk.context.json from somewhere here
      '...',
      'npm ci',
      'npm run build',
      'npx cdk synth',
      // Commands to store cdk.context.json back here
      '...',
    ],
    rolePolicyStatements: [
      new iam.PolicyStatement({
        actions: ['sts:AssumeRole'],
        resources: ['*'],
        conditions: {
          StringEquals: {
            'iam:ResourceTag/aws-cdk:bootstrap-role': 'lookup',
          },
        },
      }),
    ],
  }),
});