This error occurs when CodePipeline tries to get the source code from CodeCommit:
The service role or action role doesn’t have the permissions required to access the AWS CodeCommit repository named defon-liff. Update the IAM role permissions, and then try again. Error: User: arn:aws:sts::665852216333:assumed-role/df-stag-code-adminPipelineRole8AA4BBC2-LGTJJRF5EP4E/1720168399052 is not authorized to perform: codecommit:GetBranch on resource: arn:aws:codecommit:ap-northeast-1:665852216828:defon-liff because no identity-based policy allows the codecommit:GetBranch action
I think this is because df-stag-code-adminPipelineRole8AA4BBC2-LGTJJRF5EP4E cannot access CodeCommit.

So I looked into df-stag-code-adminPipelineRole8AA4BBC2-LGTJJRF5EP4E. Its policy is named adminPipelineRoleDefaultPolicyC79967BE, and it has two roles to assume.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject*",
        "s3:GetBucket*",
        "s3:List*",
        "s3:DeleteObject*",
        "s3:PutObject",
        "s3:PutObjectLegalHold",
        "s3:PutObjectRetention",
        "s3:PutObjectTagging",
        "s3:PutObjectVersionTagging",
        "s3:Abort*"
      ],
      "Resource": [
        "arn:aws:s3:::si2-s3d-91",
        "arn:aws:s3:::si2-s3d-91/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*"
      ],
      "Resource": "arn:aws:kms:ap-northeast-1:665852216333:key/bf3cf318-1376-44de-a014-18107XXXXXX",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::665852216333:role/df-stag-code-adminPipelinedfstagadmionsourcedfstag-1OZJ7LB64WXO2",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::665852216333:role/df-stag-code-adminPipelinedfstagadmionbuilddfstaga-8NGM8PIRUGQ3",
      "Effect": "Allow"
    }
  ]
}
So I checked df-stag-code-adminPipelinedfstagadmionsourcedfstag-1OZJ7LB64WXO2 and its policy adminPipelinedfstagadmionsourcedfstagadminsourceCodePipelineActionRoleDefaultPolicy32499DC6:
{
  "Action": [
    "codecommit:GetBranch",
    "codecommit:GetCommit",
    "codecommit:UploadArchive",
    "codecommit:GetUploadArchiveStatus",
    "codecommit:CancelUploadArchive"
  ],
  "Resource": "arn:aws:codecommit:ap-northeast-1:665852216333:defon-*",
  "Effect": "Allow"
}
It looks like it can access CodeCommit defon-*.

How can I solve this?

I am also wondering about df-stag-code-adminPipelineRole8AA4BBC2-LGTJJRF5EP4E/1720168399052 in the error message. What is 1720168399052??

Add codecommit:GetBranch (and most likely the other CodeCommit-related permissions listed on adminPipelinedfstagadmionsourcedfstag) to the role df-stag-code-adminPipelineRole.... Don't worry about 1720168399052 - it is related to assuming the role.
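
A way to check the error message against the two policies quoted in the question, offline. This is an added example, not code from the original post or from AWS: the function names `parse_denied`, `allows` and `diagnose` are hypothetical, the policy statements are condensed from the question, and the matcher is a simplification of IAM evaluation (Allow statements and `*` wildcards only).

```python
import re
from fnmatch import fnmatchcase

# Error text from the question, cut after the resource ARN.
ERROR = ("User: arn:aws:sts::665852216333:assumed-role/"
         "df-stag-code-adminPipelineRole8AA4BBC2-LGTJJRF5EP4E/1720168399052 "
         "is not authorized to perform: codecommit:GetBranch on resource: "
         "arn:aws:codecommit:ap-northeast-1:665852216828:defon-liff")

# Allow statements from the question; the S3 and KMS action lists are shortened.
PIPELINE_ROLE = [
    {"Action": ["s3:GetObject*", "s3:GetBucket*", "s3:List*"],
     "Resource": ["arn:aws:s3:::si2-s3d-91", "arn:aws:s3:::si2-s3d-91/*"]},
    {"Action": ["kms:Decrypt", "kms:DescribeKey"],
     "Resource": ["arn:aws:kms:ap-northeast-1:665852216333:key/bf3cf318-1376-44de-a014-18107XXXXXX"]},
    {"Action": ["sts:AssumeRole"], "Resource": [
        "arn:aws:iam::665852216333:role/df-stag-code-adminPipelinedfstagadmionsourcedfstag-1OZJ7LB64WXO2",
        "arn:aws:iam::665852216333:role/df-stag-code-adminPipelinedfstagadmionbuilddfstaga-8NGM8PIRUGQ3"]},
]
SOURCE_ACTION_ROLE = [
    {"Action": ["codecommit:GetBranch", "codecommit:GetCommit", "codecommit:UploadArchive",
                "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive"],
     "Resource": ["arn:aws:codecommit:ap-northeast-1:665852216333:defon-*"]},
]

def parse_denied(msg):
    """Split an AccessDenied message into caller account, role, session, action, resource."""
    m = re.search(r"User: arn:aws:sts::(\d{12}):assumed-role/([^/\s]+)/(\S+) is not authorized "
                  r"to perform: (\S+) on resource: (\S+)", msg)
    if not m:
        raise ValueError("not an assumed-role AccessDenied message")
    return dict(zip(("account", "role", "session", "action", "resource"), m.groups()))

def allows(statements, action, resource):
    """True if an Allow statement matches. Simplified: '*' wildcards only, no Deny/Condition."""
    return any(
        any(fnmatchcase(action.lower(), a.lower()) for a in s["Action"])
        and any(fnmatchcase(resource, r) for r in s["Resource"])
        for s in statements)

def diagnose(msg):
    """Evaluate the denied call against both roles' statements as written in the post."""
    d = parse_denied(msg)
    d["resource_account"] = d["resource"].split(":")[4]
    d["pipeline_role_allows"] = allows(PIPELINE_ROLE, d["action"], d["resource"])
    d["source_action_role_allows"] = allows(SOURCE_ACTION_ROLE, d["action"], d["resource"])
    return d

if __name__ == "__main__":
    print(diagnose(ERROR))
```

With the values as written in the post, the parsed caller is a session of the pipeline role (session name 1720168399052), whose statements contain no codecommit action. The source action role's statement also does not match the ARN in the error, because that ARN carries account 665852216828 while the statement names 665852216333.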