Amazon web services: Trust relationship error, AssumeRole policy may only specify STS AssumeRole actions
I am trying to add a trust relationship to allow codedeploy to work for my role. I have the JSON below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": ["ec2.amazonaws.com", "codedeploy.amazonaws.com"]
      },
      "Action": [
        "sts:AssumeRole",
        "codedeploy:GetApplication",
        "codedeploy:GetDeploymentGroup",
        "codedeploy:CreateDeployment",
        "codedeploy:GetDeployment"
      ]
    }
  ]
}
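I keep getting the following error

You are mixing two different concepts in your policy: trust relationships and IAM actions. You need to have two different policies, one for the IAM role, like: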
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
and the other for the IAM policy, like:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "codedeploy.amazonaws.com"
      },
      "Action": [
        "codedeploy:GetApplication",
        "codedeploy:GetDeploymentGroup",
        "codedeploy:CreateDeployment",
        "codedeploy:GetDeployment"
      ]
    }
  ]
}
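
Have you tried splitting it into two statements? One for sts:AssumeRole, and another for codedeploy:?

I tried this, but got the same error: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"},{"Effect":"Allow","Principal":{"Service":"codedeploy.amazonaws.com"},"Action":"codedeploy:*"}]}

I added separate policies, but I still get the following error in my pipeline. This task requires permissions to call the following AWS service APIs (depending on selected task options, not all APIs may be used): * codedeploy:GetApplication * codedeploy:GetDeploymentGroup * codedeploy:CreateDeployment * codedeploy:GetDeployment

@MicroMan Taking a look, it looks like you need to set the principals the other way around. You want the codedeploy principal to use sts:AssumeRole, and the codedeploy actions to use ec2.amazonaws.com

Could you send an example? I don't know what you mean.

@MicroMan In the example above, change ec2.amazonaws.com to codedeploy.amazonaws.com, and change ec2.amazonaws.com to

This policy contains the following error: Has prohibited field Principal. For more information about the IAM policy grammar, see AWS IAM Policies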
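
An added example, not part of the original thread: a small Python check for the two errors quoted on this page (non-STS actions in a trust policy, and a Principal field in an identity-based policy), run against the document from the question and then used to split it into two documents. The function names and the "*" Resource placeholder are assumptions, and the sts: prefix test is a simplification of what IAM accepts in a trust policy.

```python
import json

# Constructed input: the mixed document from the question above.
MIXED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["ec2.amazonaws.com", "codedeploy.amazonaws.com"]},
        "Action": ["sts:AssumeRole", "codedeploy:GetApplication",
                   "codedeploy:GetDeploymentGroup", "codedeploy:CreateDeployment",
                   "codedeploy:GetDeployment"],
    }],
}

def _actions(stmt):
    a = stmt.get("Action", [])
    return [a] if isinstance(a, str) else list(a)

def lint_trust_policy(doc):
    """Non-STS actions found in a role trust policy (the cause of the first error)."""
    return [a for s in doc["Statement"] for a in _actions(s)
            if not a.lower().startswith("sts:")]

def lint_permissions_policy(doc):
    """Indexes of statements carrying Principal, which identity-based policies forbid."""
    return [i for i, s in enumerate(doc["Statement"]) if "Principal" in s]

def split_policy(doc, resource="*"):
    """Split a mixed document into (trust policy, permissions policy).
    resource is a placeholder (assumption): narrow it to specific ARNs before use."""
    trust, perms = [], []
    for s in doc["Statement"]:
        sts = [a for a in _actions(s) if a.lower().startswith("sts:")]
        other = [a for a in _actions(s) if not a.lower().startswith("sts:")]
        if sts and "Principal" in s:
            trust.append({"Effect": s["Effect"], "Principal": s["Principal"], "Action": sts})
        if other:
            perms.append({"Effect": s["Effect"], "Action": other, "Resource": resource})
    version = doc.get("Version", "2012-10-17")
    return ({"Version": version, "Statement": trust},
            {"Version": version, "Statement": perms})

if __name__ == "__main__":
    trust, perms = split_policy(MIXED)
    print("rejected in trust policy:", lint_trust_policy(MIXED))
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
```

The first document goes in the role's trust relationship; the second is attached to the role as a permissions policy.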