Amazon Web Services: Can I use aws:PrincipalTag or aws:ResourceTag in a CodeBuild service role?

Tags: amazon-web-services, amazon-iam, aws-codebuild

I am trying to set up a CodeBuild service role so that a build can only access specific resources (CloudWatch Logs, ECR, etc.) based on aws:PrincipalTag/someTag or aws:ResourceTag/someTag, but the build fails with an access denied error (see below).

I specify the service role like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "logs:CreateLogStream",
                "ecr:BatchGetImage",
                "logs:CreateLogGroup",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:ecr:*:111111111:repository/foo-build-images",
                "arn:aws:logs:*:111111111:log-group:${aws:PrincipalTag/organization}_ci_logs:*",
                "arn:aws:logs:*:111111111:log-group:${aws:PrincipalTag/organization}_ci_logs",
                "arn:aws:s3:::foo-buildspecs/*"
            ]
        }
    ]
}
I have also tried:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "logs:CreateLogStream",
                "ecr:BatchGetImage",
                "logs:CreateLogGroup",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:ecr:*:111111111:repository/foo-build-images",
                "arn:aws:logs:*:111111111:log-group:${aws:ResourceTag/organization}_ci_logs:*",
                "arn:aws:logs:*:111111111:log-group:${aws:ResourceTag/organization}_ci_logs",
                "arn:aws:s3:::foo-buildspecs/*"
            ]
        }
    ]
}
(The CodeBuild project is tagged with an "organization" tag whose value is "ACME".)

The error when starting the build is:

ACCESS_DENIED: Service role arn:aws:iam::111111111:role/codebuild-ci-role does not allow AWS CodeBuild to create Amazon CloudWatch Logs log streams for build arn:aws:codebuild:us-east-1:111111111:build/acme_test_ci:21dcf438-3f0b-4bad-bf07-b931d3252c54. Error message: User: arn:aws:sts::111111111:assumed-role/codebuild-ci-role/AWSCodeBuild-21dcf438-3f0b-4bad-bf07-b931d3252c54 is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:us-east-1:111111111:log-group:ACME_ci_logs:log-stream:test_ci_logs/21dcf438-3f0b-4bad-bf07-b931d3252c54
This happens during the build's provisioning phase.

When CodeBuild assumes the service role and calls CloudWatch Logs to create the log stream, it seems that neither aws:PrincipalTag/organization nor aws:ResourceTag/organization is present in the context, but I have not found documentation confirming this, nor a suitable configuration.