Amazon Web Services: Can I use aws:PrincipalTag or aws:ResourceTag in a CodeBuild service role?
Tags: amazon-web-services, amazon-iam, aws-codebuild

I'm trying to set up a CodeBuild service role so that a build can only access specific resources (CloudWatch Logs, ECR, etc.) based on aws:PrincipalTag/someTag or aws:ResourceTag/someTag, but the build fails with an access denied error (see below).
I specify the service role like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "logs:CreateLogStream",
        "ecr:BatchGetImage",
        "logs:CreateLogGroup",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:ecr:*:111111111:repository/foo-build-images",
        "arn:aws:logs:*:111111111:log-group:${aws:PrincipalTag/organization}_ci_logs:*",
        "arn:aws:logs:*:111111111:log-group:${aws:PrincipalTag/organization}_ci_logs",
        "arn:aws:s3:::foo-buildspecs/*"
      ]
    }
  ]
}
```
I've also tried:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "logs:CreateLogStream",
        "ecr:BatchGetImage",
        "logs:CreateLogGroup",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:ecr:*:111111111:repository/foo-build-images",
        "arn:aws:logs:*:111111111:log-group:${aws:ResourceTag/organization}_ci_logs:*",
        "arn:aws:logs:*:111111111:log-group:${aws:ResourceTag/organization}_ci_logs",
        "arn:aws:s3:::foo-buildspecs/*"
      ]
    }
  ]
}
```
(The CodeBuild project is tagged with an "organization" tag whose value is "ACME".)
The error when starting the build is:

```
ACCESS_DENIED: Service role arn:aws:iam::111111111:role/codebuild-ci-role does not allow AWS CodeBuild to create Amazon CloudWatch Logs log streams for build arn:aws:codebuild:us-east-1:111111111:build/acme_test_ci:21dcf438-3f0b-4bad-bf07-b931d3252c54. Error message: User: arn:aws:sts::111111111:assumed-role/codebuild-ci-role/AWSCodeBuild-21dcf438-3f0b-4bad-bf07-b931d3252c54 is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:us-east-1:111111111:log-group:ACME_ci_logs:log-stream:test_ci_logs/21dcf438-3f0b-4bad-bf07-b931d3252c54
```

This happens during the build's provisioning phase.
It seems that when CodeBuild assumes the service role and calls CloudWatch Logs to create the log stream, neither aws:PrincipalTag/organization nor aws:ResourceTag/organization is in the context, but I haven't found documentation confirming this, nor a configuration that works.
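As an added walkthrough (not part of the question above), here is a small Python model of how IAM expands the `${aws:PrincipalTag/...}` variable in the posted policy and matches it against the log-stream ARN from the error: with no `organization` tag in the principal's context the resource pattern cannot resolve and `logs:CreateLogStream` is not allowed, while a principal carrying `organization=ACME` matches. The matcher is a deliberately simplified approximation of the IAM evaluation engine (wildcard globbing only, no Deny statements, no condition keys), assumed here for illustration.

```python
import fnmatch
import re
from typing import Dict, Optional

# The first policy variant from the question, reproduced for the walkthrough.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "logs:CreateLogStream", "ecr:BatchGetImage",
                   "logs:CreateLogGroup", "logs:PutLogEvents"],
        "Resource": [
            "arn:aws:ecr:*:111111111:repository/foo-build-images",
            "arn:aws:logs:*:111111111:log-group:${aws:PrincipalTag/organization}_ci_logs:*",
            "arn:aws:logs:*:111111111:log-group:${aws:PrincipalTag/organization}_ci_logs",
            "arn:aws:s3:::foo-buildspecs/*",
        ],
    }],
}

# The resource ARN named in the ACCESS_DENIED message on the page.
DENIED_ARN = ("arn:aws:logs:us-east-1:111111111:log-group:ACME_ci_logs:"
              "log-stream:test_ci_logs/21dcf438-3f0b-4bad-bf07-b931d3252c54")

VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def expand(resource: str, principal_tags: Dict[str, str]) -> Optional[str]:
    """Substitute ${aws:PrincipalTag/key}. A key missing from the request
    context leaves the pattern unresolvable, so it can never match."""
    missing = False

    def sub(m: re.Match) -> str:
        nonlocal missing
        if m.group(1) not in principal_tags:
            missing = True
            return ""
        return principal_tags[m.group(1)]

    out = VAR.sub(sub, resource)
    return None if missing else out


def is_allowed(policy: dict, action: str, resource: str,
               principal_tags: Dict[str, str]) -> bool:
    """Simplified model: any Allow statement whose action list contains the
    action and whose resolved Resource pattern globs the ARN grants access."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or action not in st["Action"]:
            continue
        for pattern in st["Resource"]:
            resolved = expand(pattern, principal_tags)
            if resolved is not None and fnmatch.fnmatchcase(resource, resolved):
                return True
    return False
```

In real IAM the principal tags for an assumed-role session are the tags attached to the IAM role itself (plus any session tags), not tags on the CodeBuild project, which is the gap the empty-context case models.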