Amazon Web Services: Upload to S3 failed with the following error: Access Denied - CodeStarConnections

Tags: amazon-web-services, bitbucket, aws-codepipeline

I am building a CI/CD pipeline with AWS CodePipeline. The repository source is on Bitbucket, and I use AWS CodeStar Connections to create the connection between the Bitbucket repository and the pipeline.

The pipeline details are as follows:

{
    "pipeline": {
        "name": "test_pipeline",
        "roleArn": "arn:aws:iam::<AccountId>:role/PipelineServiceRole",
        "artifactStore": {
            "type": "S3",
            "location": "tadadadada-artifact"
        },
        "stages": [
            {
                "name": "Source",
                "actions": [
                    {
                        "name": "Source",
                        "actionTypeId": {
                            "category": "Source",
                            "owner": "AWS",
                            "provider": "CodeStarSourceConnection",
                            "version": "1"
                        },
                        "runOrder": 1,
                        "configuration": {
                            "BranchName": "dev",
                            "ConnectionArn": "arn:aws:codestar-connections:us-east-2:<AccountId>:connection/4ca7b1cf-2917-4fda-b681-c5239944eb33",
                            "FullRepositoryId": "<username>/repository_name",
                            "OutputArtifactFormat": "CODE_ZIP"
                        },
                        "outputArtifacts": [
                            {
                                "name": "SourceArtifact"
                            }
                        ],
                        "inputArtifacts": [],
                        "region": "us-east-2",
                        "namespace": "SourceVariables"
                    }
                ]
            },
            {
                "name": "Build",
                "actions": [
                    {
                      ....
                    }
                ]
            }
        ],
        "version": 1
    },
    "metadata": {
        "pipelineArn": "arn:aws:codepipeline:us-east-2:<AccountId>:test_pipeline",
        "created": 1611669087.267,
        "updated": 1611669087.267
    }
}

Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IamPassRolePolicy",
      "Effect": "Allow",
      "Action": [
          "iam:PassRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEqualsIfExists": {
          "iam:PassedToService": [
            "cloudformation.amazonaws.com",
            "ec2.amazonaws.com",
            "ecs-tasks.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "CodeBuildPolicy",
      "Effect": "Allow",
      "Action": [
        "codebuild:BatchGetBuilds",
        "codebuild:StartBuild"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3AccessPolicy",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:GetObjectVersion",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ECRAccessPolicy",
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeImages"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CodeStarConnectionsAccessPolicy",
      "Effect": "Allow",
      "Action": [
        "codestar-connections:UseConnection"
      ],
      "Resource": "*"
    }
  ]
}

The Source stage fails with the error:

[Bitbucket] Upload to S3 failed with the following error: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 085999D90C19E650; S3 Extended Request ID: gJ6l08+cX3U6i2Vj0+fW7PiqA/UzM6ZGCfyECmWb+Jit4Knu+gi/L4y3F24uqkFWUfGy9tZo0VE=; Proxy: null) (Service: null; Status Code: 0; Error Code: null; Request ID: null; S3 Extended Request ID: null; Proxy: null) (Service: null; Status Code: 0; Error Code: null; Request ID: null; S3 Extended Request ID: null; Proxy: null)

The error message lacks details, and I am not sure which service is trying to access S3. Should it be CodePipeline (which, in this case, has the PutObject permission)?

Solved this by changing OutputArtifactFormat from
"OutputArtifactFormat": "CODE_ZIP"
to
"OutputArtifactFormat": "CODEBUILD_CLONE_REF"

CODEBUILD_CLONE_REF - described in the console as Full clone: in this case AWS CodePipeline passes metadata about the repository that allows subsequent actions to perform a full git clone. Only supported for AWS CodeBuild actions.
The "CODE_ZIP" option does not include git metadata about the repository.

I ran into the same problem using GitHub

[GitHub] Upload to S3 failed with the following error: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: foo; S3 Extended Request ID: bar; Proxy: null)

But in the artifact store S3 bucket, the object was updated

So I changed the s3 service policy to full access

      "s3:PutObject",
      "s3:GetObject",
      "s3:GetObjectVersion",
      "s3:GetBucketVersioning",
      "s3:*",


This problem seems to be related to a recent change to the CDK default IAM role for BitBucketSourceAction.

I found that by adding the "s3:PutObjectAcl" action to the list, I was able to successfully integrate BitBucketSourceAction (for a GitHub Version 2 connection). Note: this did NOT require:

  • changing OutputArtifactFormat from
    "OutputArtifactFormat": "CODE_ZIP"
    to
    "OutputArtifactFormat": "CODEBUILD_CLONE_REF"
    , or
  • full S3 access "s3:*"
As described in [link omitted], I use BitBucketSourceAction to integrate with a GitHub repository. When CodePipeline first attempted the GitHub (Version 2) action, I ran into the following error:


In a previous pipeline I released with BitBucketSourceAction, the "s3:PutObject*" wildcard action was included in the synthesized template. When reviewing the IAM role generated during my latest cdk deploy (using version 1.91.0), BitBucketSourceAction only had the "s3:PutObject" action (i.e. the wildcard was not used). This excludes the "s3:PutObjectAcl" action, which appears to be required to upload the source repository from GitHub to S3 and release it for further use in the pipeline.
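To make the wildcard point above concrete, here is an added example (not from the question or from the CDK project) that evaluates the question's role policy against the S3 and CodeStar Connections actions the answers converge on, using IAM's case-insensitive "*" action matching. The policy excerpt and the REQUIRED list are constructed from this page and are assumptions, not an official AWS list.

```python
import fnmatch
import json

# Constructed excerpt of the question's role policy: S3AccessPolicy has s3:PutObject
# but not s3:PutObjectAcl (assumption: the other statements do not touch S3).
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3AccessPolicy", "Effect": "Allow", "Resource": "*",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:GetObjectVersion",
                    "s3:GetBucketAcl", "s3:GetBucketLocation"]},
        {"Sid": "CodeStarConnectionsAccessPolicy", "Effect": "Allow",
         "Resource": "*", "Action": ["codestar-connections:UseConnection"]},
    ],
}

# Actions the answers on this page converge on for the source action (assumption).
REQUIRED = ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectVersion",
            "s3:GetBucketVersioning", "codestar-connections:UseConnection"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_allowed(policy, action):
    """Evaluate one action against an identity policy: an explicit Deny wins,
    otherwise any matching Allow grants it. Action patterns are matched
    case-insensitively with '*' and '?' wildcards, which is why "s3:PutObject*"
    covers s3:PutObjectAcl while the bare "s3:PutObject" does not."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = _as_list(stmt.get("Action", []))
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_actions(policy, required=REQUIRED):
    """Required actions the policy does not allow; the cause of the 403 here."""
    return [a for a in required if not action_allowed(policy, a)]


def with_s3_actions(policy, extra):
    """Copy of the policy with extra actions appended to the S3AccessPolicy statement."""
    fixed = json.loads(json.dumps(policy))
    for stmt in fixed["Statement"]:
        if stmt.get("Sid") == "S3AccessPolicy":
            stmt["Action"].extend(extra)
    return fixed
```

Running `missing_actions(QUESTION_POLICY)` reports s3:PutObjectAcl and s3:GetBucketVersioning as the gaps; adding them with `with_s3_actions` clears the list without resorting to "s3:*".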

Had this exact problem today. I don't know why this fixed it, but the policy attached to
PipelineGithubRole
had two s3 statements, one containing only List* actions and the other containing all the read and put actions, so I moved them into a single statement and it started working.

Adding the s3:PutObjectAcl
action permission to the role policy associated with the pipeline's artifact store worked for me.

I had to add the following permissions:

  • s3:GetObject
  • s3:GetObjectVersion
  • s3:PutObject
  • s3:GetBucketVersioning
  • s3:PutObjectAcl

Many thanks! I am using AWS CDK, which let me solve the same problem with:
new codepipeline_actions.BitBucketSourceAction({..., codeBuildCloneOutput: true})
This worked for me, i.e. adding only the "s3:PutObjectAcl" action permission, in addition to "s3:GetObjectAction" and "s3:PutObject", to the role policy associated with the pipeline's artifact store.

Please read. Use Markdown to format your post correctly.