jpr*_*aso 6 amazon-web-services aws-cloudformation amazon-iam aws-codepipeline
我正在尝试执行包含以下资源的cloudformation堆栈:
尝试执行堆栈时,它失败并显示以下错误:
arn:aws:iam :: ACCOUNT_ID:role / CodePipelineRole无权在角色arn:aws:iam :: ACCOUNT_ID:role / CodePipelineRole上执行AssumeRole(服务:AWSCodePipeline;状态代码:400;错误代码:InvalidStructureException;请求ID: 7de2b1c6-a432-47e6-8208-2c0072ebaf4b)
我使用托管策略创建了该角色,但是我已经尝试使用常规策略,但该策略也不起作用。
这是角色策略:
CodePipelinePolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: 'This policy grants permissions to a service role to enable Codepipeline to use multiple AWS Resources on the users behalf'
Path: "/"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Resource: "*"
Effect: "Allow"
Condition: {}
Action:
- autoscaling:*
- cloudwatch:*
- cloudtrail:*
- cloudformation:*
- codebuild:*
- codecommit:*
- codedeploy:*
- codepipeline:*
- ec2:*
- ecs:*
- ecr:*
- elasticbeanstalk:*
- elasticloadbalancing:*
- iam:*
- lambda:*
- logs:*
- rds:*
- s3:*
- sns:*
- ssm:*
- sqs:*
- kms:*
这是角色
CodePipelineRole:
Type: "AWS::IAM::Role"
Properties:
RoleName: !Sub ${EnvironmentName}-CodePipelineRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Action:
- 'sts:AssumeRole'
Effect: Allow
Principal:
Service:
- codepipeline.amazonaws.com
Path: /
ManagedPolicyArns:
- !Ref CodePipelinePolicy
最让我着迷的是,似乎CodePipelineRole试图对自己进行AssumeRole。我不明白这里会发生什么。
当我将策略的操作设置为*时,它就起作用了!我不知道可能缺少哪些权限。
谢谢
这与您创建的角色的信任关系有关,即 CodePipelineRole
转到 IAM 中的角色
选择信任关系选项卡...
然后编辑信任关系以包含代码管道
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"codepipeline.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}```
尝试添加sts:AssumeRole到操作列表中。
https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html
干杯
| 归档时间: |
|
| 查看次数: |
1550 次 |
| 最近记录: |