Amazon web services 上载到S3失败,出现以下错误:访问被拒绝-CodeStarConnections
我正在使用AWS Codepipeline构建CI/CD管道,存储库源位于bitbucket上,我使用AWS Codestarconnections在bitbucket存储库和管道之间创建连接 管道详情如下:Amazon web services 上载到S3失败,出现以下错误:访问被拒绝-CodeStarConnections,amazon-web-services,bitbucket,aws-codepipeline,Amazon Web Services,Bitbucket,Aws Codepipeline,我正在使用AWS Codepipeline构建CI/CD管道,存储库源位于bitbucket上,我使用AWS Codestarconnections在bitbucket存储库和管道之间创建连接 管道详情如下: { "pipeline": { "name": "test_pipeline", "roleArn": "arn:aws:iam::<AccountId&
{
"pipeline": {
"name": "test_pipeline",
"roleArn": "arn:aws:iam::<AccountId>:role/PipelineServiceRole",
"artifactStore": {
"type": "S3",
"location": "tadadadada-artifact"
},
"stages": [
{
"name": "Source",
"actions": [
{
"name": "Source",
"actionTypeId": {
"category": "Source",
"owner": "AWS",
"provider": "CodeStarSourceConnection",
"version": "1"
},
"runOrder": 1,
"configuration": {
"BranchName": "dev",
"ConnectionArn": "arn:aws:codestar-connections:us-east-2:<AccountId>:connection/4ca7b1cf-2917-4fda-b681-c5239944eb33",
"FullRepositoryId": "<username>/repository_name",
"OutputArtifactFormat": "CODE_ZIP"
},
"outputArtifacts": [
{
"name": "SourceArtifact"
}
],
"inputArtifacts": [],
"region": "us-east-2",
"namespace": "SourceVariables"
}
]
},
{
"name": "Build",
"actions": [
{
....
}
]
}
],
"version": 1
},
"metadata": {
"pipelineArn": "arn:aws:codepipeline:us-east-2:<AccountId>:test_pipeline",
"created": 1611669087.267,
"updated": 1611669087.267
}
}
政策
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "IamPassRolePolicy",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "*",
"Condition": {
"StringEqualsIfExists": {
"iam:PassedToService": [
"cloudformation.amazonaws.com",
"ec2.amazonaws.com",
"ecs-tasks.amazonaws.com"
]
}
}
},
{
"Sid": "CodeBuildPolicy",
"Effect": "Allow",
"Action": [
"codebuild:BatchGetBuilds",
"codebuild:StartBuild"
],
"Resource": "*"
},
{
"Sid": "S3AccessPolicy",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:GetObjectVersion",
"s3:GetBucketAcl",
"s3:GetBucketLocation"
],
"Resource": "*"
},
{
"Sid": "ECRAccessPolicy",
"Effect": "Allow",
"Action": [
"ecr:DescribeImages"
],
"Resource": "*"
},
{
"Sid": "CodeStarConnectionsAccessPolicy",
"Effect": "Allow",
"Action": [
"codestar-connections:UseConnection"
],
"Resource": "*"
}
]
}
源阶段失败,出现错误:
[Bitbucket] Upload to S3 failed with the following error: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 085999D90C19E650; S3 Extended Request ID: gJ6l08+cX3U6i2Vj0+fW7PiqA/UzM6ZGCfyECmWb+Jit4Knu+gi/L4y3F24uqkFWUfGy9tZo0VE=; Proxy: null) (Service: null; Status Code: 0; Error Code: null; Request ID: null; S3 Extended Request ID: null; Proxy: null) (Service: null; Status Code: 0; Error Code: null; Request ID: null; S3 Extended Request ID: null; Proxy: null)
错误消息缺少详细信息,我不确定哪个服务正在尝试访问s3,它是否应该是代码管道(在本例中,它具有PutObject权限)?通过将OutputArtifactFormat从
“OutputArtifactFormat”:“code\u ZIP”
更改为“OutputArtifactFormat”:“CODEBUILD\u CLONE\u REF”
解决了这一问题
CODEBUILD\u CLONE\u REF-控制台描述中的是完整克隆,在这种情况下
AWS CodePipeline传递有关存储库的元数据,允许后续操作执行完整的git克隆。仅支持AWS代码生成操作。
“CODE_ZIP”选项不包括关于存储库的git元数据我在使用GitHub时遇到了同样的问题
[GitHub]上载到S3失败,出现以下错误:拒绝访问(服务:Amazon S3;状态代码:403;错误代码:拒绝访问;请求ID:foo;S3扩展请求ID:bar;代理:null)
但在工件存储S3存储桶中,对象被更新
所以我将s3服务策略更改为完全访问
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetBucketVersioning",
↓
此问题似乎与最近更改BitBucketSourceAction的CDK默认IAM角色有关 我发现,通过将“s3:PutObjectAcl”操作添加到列表中,我能够成功地集成BitBucketSourecAction(对于GitHub版本2连接)。注:这不需要:
- 将OutputArtifactFormat从
更改为“OutputArtifactFormat”:“code\u ZIP”
,或者“OutputArtifactFormat”:“CODEBUILD\u CLONE\u REF”
- S3完全访问“S3:*”
在我与BitBucketSourceAction一起发布的上一个管道中,“s3:PutObject*”通配符操作包含在合成模板中。在查看我最新的cdk部署(使用1.91.0版)期间生成的IAM角色时,BitBucketSourceAction只有“s3:PutObject”操作(即未使用通配符)。这排除了“s3:PutObjectAcl”操作,该操作似乎是将源存储库从GitHub上载到s3并释放它以供管道中进一步使用所必需的。今天有这个确切的问题,idk为什么要解决它,但附加到
PipelineGithubRole
的策略有两个s3语句,一个只包含List*操作,另一个包含所有读取和放置操作,因此我将它们移动到一个语句中,它开始工作。将s3:PutObjectAcl
操作权限添加到与管道存储区关联的角色策略对我来说很有效
我必须添加以下权限:
s3:GetObject
s3:GetObjectVersion
s3:PutObject
s3:GetBucketVersioning
s3:PutObjectAcl
新的codepipeline_操作。BitBucketSourceAction({…,codeBuildCloneOutput:true})
这对我很有效,即除了“s3:GetObjectAction”和“s3:PutObject”之外,只向与管道存储区关联的角色策略添加“s3:PutObjectAcl”操作权限请阅读。使用降价来正确格式化你的文章。
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetBucketVersioning",
"s3:*",
[GitHub] Upload to S3 failed with the following error: Access Denied