CodeBuild policy error: "Not authorized to perform: ssm:GetParameters"

CodeBuild policy error: "Not authorized to perform: ssm:GetParameters"

我需要传输我在 CodeBuild 中指定的变量,但出现此错误:

Phase context status code: Decrypted Variables
Error Message: AccessDeniedException:
User: arn:aws:sts::<acc_id>:assumed-role/codebuild-image_builder-service-role/AWSCodeBuild-c892c6f5-ffba-48ec-a53f-35ddca9818a5 is not authorized to perform: ssm:GetParameters on resource: arn:aws:ssm:eu-west-1:<acc_id>:parameter/eu-west-1 because no identity-based policy allows the ssm:GetParameters action

我的 buildspec.yml 文件:

phases:
  pre_build:
    commands:
      - echo Logging in to Amazon ECR...
      - aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com
  build:
    commands:
      - echo Build started on `date`
      - echo Building the Docker image...          
      - docker build -t $IMAGE_REPO_NAME:$IMAGE_TAG .
      - docker tag $IMAGE_REPO_NAME:$IMAGE_TAG $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:$IMAGE_TAG      
  post_build:
    commands:
      - echo Build completed on `date`
      - echo Pushing the Docker image...
      - docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:$IMAGE_TAG

您可以在日志中看到

not authorized to perform: ssm:GetParameters on resource:

检查您的 Codebuild 的服务角色是否具有 right/policy/permissions 访问参数存储的权限。

您可以查看此页面https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-access.html以添加权限