如何解决代码管道服务权限问题

问题描述 投票:0回答:1

我正在执行跨账户部署,并且已在工具账户中创建了管道,当我运行管道时,我收到错误消息“服务角色或操作角色没有访问名为“privacy-”的 Amazon S3 存储桶所需的权限- event-processor-pipeline-km-artifactbucket-ejnoeedwqgck。更新 IAM 角色权限,然后重试。错误:Amazon S3:AccessDenied:访问被拒绝(服务:Amazon S3;状态代码:403;错误代码:AccessDenied;请求 ID)。 :FQ3BP5KY9KDJZ5DX;S3 扩展请求 ID:d0Dms19/xoPJBPMwzPPfB0mNXjfYG4CoFZaqN2IvOFt2wivLPj7zNfGx5wosuQMdJ0Q0vxB58Oc=;代理:空)。

我尝试修改 IAM 权限但仍然没有成功。以下是政策:

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "codepipeline:CreatePipeline", "codepipeline:GetPipeline", "codepipeline:UpdatePipeline", "codepipeline:DeletePipeline", "codepipeline:StartPipelineExecution", "codepipeline:StopPipelineExecution", "iam:ListRoles", "cloudformation:DescribeStackResources", "cloudformation:DescribeStacks", "cloudformation:ListStacks", "codecommit:ListRepositories", "codecommit:GetBranch", "codecommit:GetRepository", "codecommit:ListBranches", "codecommit:GetCommit", "codecommit:GetRepositoryTriggers", "codecommit:GitPull", "codecommit:UploadArchive", "codecommit:CancelUploadArchive", "codebuild:BatchGetBuilds", "codebuild:StartBuild", "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:UpdateStack", "cloudformation:CreateChangeSet", "cloudformation:DeleteChangeSet", "cloudformation:DescribeChangeSet", "cloudformation:ExecuteChangeSet", "cloudformation:SetStackPolicy", "cloudformation:ValidateTemplate", "iam:PassRole", "s3:PutObject", "s3:GetBucketPolicy", "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation", "codepipeline:StartPipelineExecution" ], "Resource": [ "arn:aws:s3:::privacy-event-processor-pipeline-km-artifactbucket-ejnoeedwqgck", "arn:aws:s3:::privacy-event-processor-pipeline-km-artifactbucket-ejnoeedwqgck/*", "arn:aws:codecommit:us-west-2:009988776655:privacy-events-processor", "arn:aws:cloudformation:us-west-2:112233445566:stack/privacy-events-processor-pipeline/fbd3d390-938d-11ef-9870-0a41f2f17491/*", "arn:aws:codepipeline:us-west-2:112233445566:privacy-events-processor" ], "Effect": "Allow" }, { "Action": [ "kms:Decrypt" ], "Resource": "arn:aws:kms:us-west-2:112233445566:key/a087e598-256a-4c33-893d-315da1a9ee3a", "Effect": "Allow" }, { "Action": [ "s3:PutObject", "s3:GetBucketPolicy", "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::privacy-event-processor-pipeline-km-artifactbucket-ejnoeedwqgck/*", "arn:aws:s3:::privacy-event-processor-pipeline-km-artifactbucket-ejnoeedwqgck" ], "Effect": "Allow" }, { "Action": [ "sts:AssumeRole" ], "Resource": [ "arn:aws:iam::009988776655:role/PrivacEventProcessorPipelineCodeCommitRole", "arn:aws:iam::009988776655:role/PrivacEventProcessorPipelineCloudFormationRole", "arn:aws:iam::112233445566:role/PrivacEventProcessorPipelineCloudFormationRole" ], "Effect": "Allow" } ] }
    
amazon-web-services amazon-s3 devops cicd
1个回答
0
投票
更新 IAM 策略以访问不同账户的存储桶是不够的。如果是,那么任何知道您的 AWS 账户 ID 的人都可以访问您的 AWS 资源。拥有该存储桶的帐户还必须通过存储桶策略授予其他帐户访问该存储桶的权限。

这里有一个这样做的例子。

© www.soinside.com 2019 - 2024. All rights reserved.