AWS CodePipeline: Deployment failed. The provided role does not have sufficient permissions: Failed to deploy application


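I am using Beanstalk and CodePipeline.

It works fine until the build, but

Deployment failed. The provided role does not have sufficient permissions: Failed to deploy application. Service:AWSLogs, Message:User: arn:aws:sts:::assumed-role/pipeline-role/ is not authorized to perform: logs:CreateLogGroup on resource: arn:aws:logs:ap-northeast-2::log-group:/aws/elasticbeanstalk/repo env/var/log/nginx/error.log:log-stream:

occurs in the Beanstalk deployment.

Do I need permissions for the log group?

My CodePipeline role is: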

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "opsworks:DescribeStacks",
                "devicefarm:GetRun",
                "rds:*",
                "cloudformation:CreateChangeSet",
                "autoscaling:*",
                "codebuild:BatchGetBuilds",
                "devicefarm:ScheduleRun",
                "servicecatalog:ListProvisioningArtifacts",
                "devicefarm:ListDevicePools",
                "cloudformation:UpdateStack",
                "servicecatalog:DescribeProvisioningArtifact",
                "cloudformation:DescribeChangeSet",
                "devicefarm:ListProjects",
                "cloudformation:ExecuteChangeSet",
                "sns:*",
                "lambda:ListFunctions",
                "lambda:InvokeFunction",
                "codedeploy:RegisterApplicationRevision",
                "devicefarm:CreateUpload",
                "cloudformation:*",
                "opsworks:DescribeDeployments",
                "cloudformation:DescribeStacks",
                "codecommit:GetUploadArchiveStatus",
                "cloudwatch:*",
                "cloudformation:DeleteStack",
                "opsworks:DescribeInstances",
                "ecs:*",
                "ecr:DescribeImages",
                "ec2:*",
                "codebuild:StartBuild",
                "cloudformation:ValidateTemplate",
                "opsworks:DescribeApps",
                "opsworks:UpdateStack",
                "codedeploy:CreateDeployment",
                "codedeploy:GetApplicationRevision",
                "codedeploy:GetDeploymentConfig",
                "servicecatalog:CreateProvisioningArtifact",
                "sqs:*",
                "cloudformation:DeleteChangeSet",
                "codecommit:GetCommit",
                "servicecatalog:DeleteProvisioningArtifact",
                "codedeploy:GetApplication",
                "cloudformation:SetStackPolicy",
                "codecommit:UploadArchive",
                "s3:*",
                "elasticloadbalancing:*",
                "codecommit:CancelUploadArchive",
                "devicefarm:GetUpload",
                "elasticbeanstalk:*",
                "opsworks:UpdateApp",
                "opsworks:CreateDeployment",
                "cloudformation:CreateStack",
                "servicecatalog:UpdateProduct",
                "codecommit:GetBranch",
                "codedeploy:GetDeployment",
                "opsworks:DescribeCommands"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEqualsIfExists": {
                    "iam:PassedToService": [
                        "cloudformation.amazonaws.com",
                        "elasticbeanstalk.amazonaws.com",
                        "ec2.amazonaws.com",
                        "ecs-tasks.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "codestar-connections:UseConnection",
            "Resource": "*"
        }
    ]
}

To resolve this, add "logs:*" to the Action array of the first block, because this gives permissions for CloudWatch Logs from EBS.

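Recommendation - I would suggest not adding "*", but instead granting the minimum permissions your requirements call for. For this case, add "logs:CreateLogGroup" to the Action array of the first block.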
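
The denial follows from how IAM matches action names: "cloudwatch:*" in the role does not cover the "logs:" prefix named in the error. The Python sketch below is an added example, not code from the question or the answers; it uses a constructed, abbreviated copy of the posted policy and hypothetical helper names (matching_patterns, with_action) to compare the two suggested fixes, and it evaluates Allow/Action only.

```python
import copy
import fnmatch

# Constructed, abbreviated copy of the pipeline role policy from the question.
PIPELINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cloudwatch:*", "elasticbeanstalk:*", "s3:*", "ec2:*",
                    "codebuild:StartBuild"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action and Statement."""
    return list(value) if isinstance(value, list) else [value]


def matching_patterns(policy, action):
    """Return Allow-statement Action patterns matching `action` (simplified:
    Deny, NotAction, Resource and Condition are ignored)."""
    hits = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive; * and ? are wildcards.
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                hits.append(pattern)
    return hits


def with_action(policy, action, statement_index=0):
    """Return a copy of `policy` with `action` appended to one statement."""
    patched = copy.deepcopy(policy)
    stmt = _as_list(patched["Statement"])[statement_index]
    stmt["Action"] = _as_list(stmt["Action"]) + [action]
    return patched


if __name__ == "__main__":
    denied = "logs:CreateLogGroup"  # action named in the deployment error
    print("original:", matching_patterns(PIPELINE_POLICY, denied))
    for fix in ("logs:*", "logs:CreateLogGroup"):
        patched = with_action(PIPELINE_POLICY, fix)
        print(fix, "also allows logs:DeleteLogGroup:",
              bool(matching_patterns(patched, "logs:DeleteLogGroup")))
```

With "logs:*" the role also gains every other CloudWatch Logs action, such as deleting log groups; with "logs:CreateLogGroup" only the denied call is added.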