sma*_*art 6 amazon-ec2 amazon-web-services aws-code-deploy
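I am trying to set up CodeDeploy with my GitHub, but I ran into some problems.
I have created the service role with the AWSCodeDeployRole policy, as mentioned in the documentation.
While creating my Code Deploy application, I ran into this problem: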
Cannot assume role provided.
As far as I can see, my role AWSCodeDeployRole has a lot of Auto Scaling permissions, but I don't want that:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CompleteLifecycleAction",
        "autoscaling:DeleteLifecycleHook",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:PutLifecycleHook",
        "autoscaling:RecordLifecycleActionHeartbeat",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:EnableMetricsCollection",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribePolicies",
        "autoscaling:DescribeScheduledActions",
        "autoscaling:DescribeNotificationConfigurations",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:AttachLoadBalancers",
        "autoscaling:PutScalingPolicy",
        "autoscaling:PutScheduledUpdateGroupAction",
        "autoscaling:PutNotificationConfiguration",
        "autoscaling:PutLifecycleHook",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DeleteAutoScalingGroup",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:TerminateInstances",
        "tag:GetTags",
        "tag:GetResources",
        "sns:Publish",
        "cloudwatch:DescribeAlarms",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
      ],
      "Resource": "*"
    }
  ]
}
While googling, I found that the Code Deploy application may expect something like:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codedeploy.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
However, when I try to create this policy manually, it also fails with the error:
This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies.
So, what service role does the Code Deploy application expect?
By the way, Code Deploy is running on my EC2 instance.
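So, following @Michael's comment, I found some differences in the Trust relationships policy of my Service role.
It looks like the default AWSCodeDeployRole doesn't work properly with Code Deploy.
To fix this, I replaced
"Service": ["ec2.amazonaws.com"]
with
"Service": ["codedeploy.amazonaws.com"]
It works!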
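The check below is an added example, not code from the original post or from AWS. It reads a role's policy document, tells a trust relationship apart from a permissions policy (the "Has prohibited field Principal" case in the question), and reports which service principals may assume the role. The function names and sample documents are assumptions constructed for illustration.

```python
import json

def as_list(value):
    """IAM accepts a single string or object wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trusted_services(trust_policy):
    """Return the service principals allowed to call sts:AssumeRole.
    Simplification: Condition blocks and explicit Deny are not evaluated."""
    services = set()
    for stmt in as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            services.update(as_list(principal.get("Service")))
    return services

def check_role(trust_policy, service="codedeploy.amazonaws.com"):
    """Explain why `service` can or cannot assume the role."""
    stmts = as_list(trust_policy.get("Statement"))
    if stmts and not any("Principal" in s for s in stmts):
        return "not a trust policy: no Principal (this is a permissions policy)"
    found = trusted_services(trust_policy)
    if service in found:
        return "ok"
    return f"{service} not trusted; trusted services: {sorted(found)}"

# Constructed sample: the trust relationship before the fix (ec2 only).
BEFORE = json.loads("""{"Version":"2012-10-17","Statement":[{"Sid":"","Effect":"Allow",
  "Principal":{"Service":["ec2.amazonaws.com"]},"Action":"sts:AssumeRole"}]}""")
# Constructed sample: the trust relationship after the fix described in the answer.
AFTER = json.loads(json.dumps(BEFORE).replace("ec2.amazonaws.com",
                                              "codedeploy.amazonaws.com"))
# Constructed sample: a shortened permissions policy like the one in the question.
PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["autoscaling:PutLifecycleHook"], "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc in (("before", BEFORE), ("after", AFTER), ("permissions", PERMISSIONS)):
        print(name, "->", check_role(doc))
```

The trust relationship is stored on the role itself, separately from the permissions policies attached to it, which is why the `Principal` document is rejected when entered as an ordinary policy.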