Not able to use GitHub Actions to deploy to AWS Elastic Beanstalk, got S3 Access Denied error

I have a GitHub Actions pipeline that successfully creates the S3 bucket and uploads my war file there, but when it deploys to Beanstalk it always fails with an S3 Access Denied error. Below is my build.yml file:

# This workflow will build a package using Maven and then publish it to GitHub packages when a release is created
# For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#apache-maven-with-a-settings-path

name: Maven Package

on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - develop

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write

    steps:
    # Check out the repository (this step was previously mislabelled "Set up JDK 8")
    - name: Checkout
      uses: actions/checkout@v2

    - name: Set up JDK 8
      uses: actions/setup-java@v2
      with:
        java-version: '8'
        distribution: 'adopt'
        server-id: github # Value of the distributionManagement/repository/id field of the pom.xml
        settings-path: ${{ github.workspace }} # location for the settings.xml file

    - name: Build with Maven
      run: mvn -B package --file pom.xml

    - name: make a new dir and upload war in there
      run: mkdir staging && cp -r target/* staging

    - uses: actions/upload-artifact@v2
      with:
        name: Package
        path: staging

    - name: list all files
      run: ls && cd target && ls

    - name: Publish to GitHub Packages Apache Maven
      run: mvn deploy -s $GITHUB_WORKSPACE/settings.xml
      env:
        GITHUB_TOKEN: ${{ github.token }}

    - name: Deploy to EB
      uses: einaregilsson/beanstalk-deploy@v18
      with:
        # Long-lived IAM user access keys stored as repository secrets
        aws_access_key: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws_secret_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        application_name: springbootwebapi
        environment_name: Springbootwebapi-env
        # Application version labels must be unique within the application
        version_label: v1.0.10
        region: us-east-2
        deployment_package: target/login-0.0.2-SNAPSHOT.war

Below are some log snippets from the GitHub Action:

No existing bucket name given, creating/requesting storage location
Uploading file to bucket elasticbeanstalk-us-east-2-148565102071
New build successfully uploaded to S3, bucket=elasticbeanstalk-us-east-2-148565102071, key=/springbootwebapi/v1-0-10.zip
Created new application version v1.0.10 in Beanstalk.
Starting deployment of version v1.0.10 to environment Springbootwebapi-env
Deployment started, "wait_for_deployment" was true...

18:17:02 INFO: Environment update is starting.
18:17:06 ERROR: Service:Amazon S3, Message:Access Denied
18:17:06 ERROR: Failed to deploy application.
18:17:07 ERROR: Service:Amazon S3, Message:Access Denied: S3Bucket=elasticbeanstalk-us-east-2-148565102071, S3Key=resources/environments/e-fp5bx3gtdn/_runtime/_versions/springbootwebapi/v1.0.10
18:17:13 ERROR: Deployment failed! Current State: Version: Sample Application, Health: Red, Health Status: Degraded
Error: Deployment failed: Error: Deployment failed! Current State: Version: Sample Application, Health: Red, Health Status: Degraded

I don't understand why access is denied right after the upload succeeded.

Update 1:

I have added the following permissions, but it still doesn't work:

According to the docs, you need to attach the following policies so that the AWS user is able to deploy your project when using the GitHub Action you specified:

  1. AWSElasticBeanstalkWebTier
  2. AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy

Adding the above will resolve the issue and also make sure you don't run into future problems when using this GitHub Action.

After removing AWSCompromisedKeyQuarantineV2 from the list of permissions it succeeded. The reason is that this policy actually denies several related actions for the user; see the JSON below for the details of AWSCompromisedKeyQuarantineV2:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ec2:RequestSpotInstances",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "iam:AddUserToGroup",
                "iam:AttachGroupPolicy",
                "iam:AttachRolePolicy",
                "iam:AttachUserPolicy",
                "iam:ChangePassword",
                "iam:CreateAccessKey",
                "iam:CreateInstanceProfile",
                "iam:CreateLoginProfile",
                "iam:CreatePolicyVersion",
                "iam:CreateRole",
                "iam:CreateUser",
                "iam:DetachUserPolicy",
                "iam:PassRole",
                "iam:PutGroupPolicy",
                "iam:PutRolePolicy",
                "iam:PutUserPermissionsBoundary",
                "iam:PutUserPolicy",
                "iam:SetDefaultPolicyVersion",
                "iam:UpdateAccessKey",
                "iam:UpdateAccountPasswordPolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:UpdateLoginProfile",
                "iam:UpdateUser",
                "lambda:AddLayerVersionPermission",
                "lambda:AddPermission",
                "lambda:CreateFunction",
                "lambda:GetPolicy",
                "lambda:ListTags",
                "lambda:PutProvisionedConcurrencyConfig",
                "lambda:TagResource",
                "lambda:UntagResource",
                "lambda:UpdateFunctionCode",
                "lightsail:Create*",
                "lightsail:Delete*",
                "lightsail:DownloadDefaultKeyPair",
                "lightsail:GetInstanceAccessDetails",
                "lightsail:Start*",
                "lightsail:Update*",
                "organizations:CreateAccount",
                "organizations:CreateOrganization",
                "organizations:InviteAccountToOrganization",
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:PutLifecycleConfiguration",
                "s3:PutBucketAcl",
                "s3:DeleteBucketOwnershipControls",
                "s3:DeleteBucketPolicy",
                "s3:ObjectOwnerOverrideToBucketOwner",
                "s3:PutAccountPublicAccessBlock",
                "s3:PutBucketPolicy",
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
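The policy above is not something an administrator normally attaches by hand: AWS attaches the AWSCompromisedKeyQuarantineV2 managed policy to an IAM user itself when it believes that user's access key has been exposed publicly (a key committed to a public repository is the classic case), as a containment measure. The check a practitioner wants before detaching it is therefore twofold: see exactly which of the pipeline's actions the explicit Deny blocks, and confirm that the key will be rotated rather than just un-quarantined. The script below is an added example and is not code from the question, the answer or the beanstalk-deploy project. It implements IAM's action-pattern matching (`*` and `?` wildcards, case-insensitive) against an abbreviated copy of the Deny statement reproduced on this page, runs it over an assumed list of actions a deployment caller might use (the list is an illustration, not an AWS-documented requirement), and flags a quarantine policy in the JSON shape returned by `aws iam list-attached-user-policies`. No AWS calls are made, so it runs offline.

```python
"""Which pipeline actions does an explicit-Deny quarantine policy block?

Added example, not from the original post. QUARANTINE_POLICY is an
abbreviated copy of the AWSCompromisedKeyQuarantineV2 Deny statement shown on
this page; PIPELINE_ACTIONS is an assumed list used only for illustration.
"""
import json
import re
from typing import Dict, Iterable, List

# Constructed, abbreviated copy of the policy document on the page (Deny, Resource "*").
QUARANTINE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": [
      "ec2:RunInstances", "iam:PassRole", "iam:CreateAccessKey",
      "lambda:UpdateFunctionCode", "lightsail:Create*",
      "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutBucketPolicy",
      "s3:ListAllMyBuckets"
    ],
    "Resource": ["*"]
  }]
}""")

# Assumed actions a caller might issue during a Beanstalk deployment (illustrative only).
PIPELINE_ACTIONS = [
    "s3:PutObject", "s3:GetObject", "s3:ListAllMyBuckets", "s3:DeleteObject",
    "elasticbeanstalk:CreateApplicationVersion", "elasticbeanstalk:UpdateEnvironment",
    "iam:PassRole", "ec2:RunInstances",
]

# Names AWS uses for its quarantine policies (V2 is the one on this page).
QUARANTINE_POLICY_NAMES = ("AWSCompromisedKeyQuarantine", "AWSCompromisedKeyQuarantineV2")


def _pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate an IAM action pattern into an anchored regex.

    IAM action strings support only '*' (any run of characters) and '?' (one
    character) and are matched case-insensitively; everything else is literal.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def action_matches(pattern: str, action: str) -> bool:
    """True if the IAM action pattern covers the concrete action."""
    return _pattern_to_regex(pattern).match(action) is not None


def _as_list(value) -> List[str]:
    """IAM allows a single string where a list is expected; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def explicit_denies(policy: dict, actions: Iterable[str]) -> Dict[str, List[str]]:
    """Map each action to the Deny patterns that hit it.

    Only unconditional Deny statements on Resource "*" are considered; a
    statement with a Condition block would need the request context to
    evaluate and is skipped here. An explicit Deny wins over any Allow in
    other attached policies, which is why the quarantine policy blocks the
    deployment regardless of what AWSElasticBeanstalkWebTier grants.
    """
    hits: Dict[str, List[str]] = {}
    for stmt in _as_list_of_dicts(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        patterns = _as_list(stmt.get("Action"))
        for action in actions:
            matched = [p for p in patterns if action_matches(p, action)]
            if matched:
                hits.setdefault(action, []).extend(matched)
    return hits


def _as_list_of_dicts(value) -> List[dict]:
    return [value] if isinstance(value, dict) else list(value)


def quarantined_policies(attached: dict) -> List[str]:
    """Return quarantine policy names found in `aws iam list-attached-user-policies` output."""
    return [p["PolicyName"] for p in attached.get("AttachedPolicies", [])
            if p.get("PolicyName") in QUARANTINE_POLICY_NAMES]


if __name__ == "__main__":
    denied = explicit_denies(QUARANTINE_POLICY, PIPELINE_ACTIONS)
    for action in PIPELINE_ACTIONS:
        verdict = "DENIED by " + ", ".join(denied[action]) if action in denied else "not denied here"
        print(f"{action:45} {verdict}")
    # Constructed sample of the CLI output shape, not real account data.
    sample = {"AttachedPolicies": [
        {"PolicyName": "AWSElasticBeanstalkWebTier", "PolicyArn": "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier"},
        {"PolicyName": "AWSCompromisedKeyQuarantineV2", "PolicyArn": "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2"},
    ]}
    print("quarantine policies attached:", quarantined_policies(sample))
```

To run it against a real user, feed the output of `aws iam list-attached-user-policies --user-name <name>` to `quarantined_policies` and the JSON of `aws iam get-policy-version` for the quarantine policy ARN to `explicit_denies`. If the quarantine policy is present, treat the key in `secrets.AWS_ACCESS_KEY_ID` as exposed: create a new access key, update the repository secret, delete the old key, and only then detach the policy. Detaching it while keeping the same key leaves a credential AWS already considers compromised in use.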