AWS InsufficientPrivilegesException for UpdateEnvironment although I have set the relevant permissions

Problem description

I want to set up CI/CD with GitHub Actions so that whenever new code is committed and pushed, it creates a new application version in AWS Elastic Beanstalk. This is the workflow .yml:

name: Build Frontend and Deploy

on:
  push:
    branches: [ master ]

jobs:
  deploy:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v1
        with:
          node-version: '12'
      
      - name: Install app dependencies
        run: npm install

      - name: Build sapper app
        run: npm run build

      - name: Create ZIP deployment package
        run: zip -r deploy_frontend.zip ./

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: "us-east-1"

      - name: Upload package to S3 bucket
        run: aws s3 cp deploy_frontend.zip s3://***-deploy-dev/

      - name: Create new ElasticBeanstalk application version
        run: |
          aws elasticbeanstalk create-application-version \
          --application-name *** \
          --source-bundle S3Bucket="***",S3Key="deploy_frontend.zip" \
          --version-label "ver-${{ github.sha }}" \
          --description "commit-sha-${{ github.sha }}"
      - name: Deploy new ElasticBeanstalk application version
        run: |
          aws elasticbeanstalk update-environment \
          --environment-name *** \
          --version-label "ver-${{ github.sha }}"

Note: I use *** to hide the application and environment names.

The build fails in the stage Deploy new ElasticBeanstalk application version. The full error is:

Run aws elasticbeanstalk update-environment \
  aws elasticbeanstalk update-environment \
  --environment-name *** \
  --version-label "ver-44d23ff7b95541c3527b0a7f156c1377d3fdc217"
  shell: /bin/bash -e {0}
  env:
    AWS_DEFAULT_REGION: us-east-1
    AWS_REGION: us-east-1
    AWS_ACCESS_KEY_ID: ***
    AWS_SECRET_ACCESS_KEY: ***

An error occurred (InsufficientPrivilegesException) when calling the UpdateEnvironment operation: Access Denied
Error: Process completed with exit code 255.

However, I think I have already set the relevant permissions in the AWS policy. This is the policy of the GitHub Actions user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "elasticbeanstalk:UpdateEnvironment",
            "Resource": "arn:aws:elasticbeanstalk:us-east-1:917801217495:environment/appname/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:ListPlatformBranches",
                "elasticbeanstalk:DescribeAccountAttributes",
                "elasticbeanstalk:CreateStorageLocation",
                "elasticbeanstalk:CheckDNSAvailability"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "elasticbeanstalk:*",
            "Resource": [
                "arn:aws:elasticbeanstalk:*:917801217495:applicationversion/*/*",
                "arn:aws:elasticbeanstalk:us-east-1:917801217495:environment/appname/*",
                "arn:aws:elasticbeanstalk:us-east-1:917801217495:application/appname"
            ]
        }
    ]
}

Again, I replaced my application name with appname.

I even tried it in the policy simulator, and the policy works as expected. What could the problem be here?

Tags: amazon-web-services, amazon-iam, continuous-delivery, amazon-policy

Solution


I followed the guide at https://documentation.codeship.com/basic/continuous-deployment/deployment-to-elastic-beanstalk/#iam-policies. Basically, you also need to set permissions for all the services related to Elastic Beanstalk, not just Elastic Beanstalk itself.
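As an added example that is not part of the original question or answer: a small offline evaluator that takes the asker's policy from the question and reports which of the calls Elastic Beanstalk makes with the caller's credentials during UpdateEnvironment that policy would reject. UpdateEnvironment drives a CloudFormation stack that owns the EC2, Auto Scaling and load-balancer resources, so a policy that only grants elasticbeanstalk:* is implicitly denied on those downstream calls. The list of calls, the names awseb-e-example and example-env, the S3 bucket name and the "extended" policy are assumptions for illustration; the linked Codeship guide and AWS's managed Elastic Beanstalk policies carry the actual set of permissions. Conditions, NotAction/NotResource and resource-based policies are not modelled.

```python
import fnmatch
from typing import List, Tuple

# The asker's IAM policy, copied from the question above (constructed sample input).
ASKER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "elasticbeanstalk:UpdateEnvironment",
            "Resource": "arn:aws:elasticbeanstalk:us-east-1:917801217495:environment/appname/*",
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:ListPlatformBranches",
                "elasticbeanstalk:DescribeAccountAttributes",
                "elasticbeanstalk:CreateStorageLocation",
                "elasticbeanstalk:CheckDNSAvailability",
            ],
            "Resource": "*",
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "elasticbeanstalk:*",
            "Resource": [
                "arn:aws:elasticbeanstalk:*:917801217495:applicationversion/*/*",
                "arn:aws:elasticbeanstalk:us-east-1:917801217495:environment/appname/*",
                "arn:aws:elasticbeanstalk:us-east-1:917801217495:application/appname",
            ],
        },
    ],
}

# Assumption: a representative sample of calls Elastic Beanstalk issues with the caller's
# credentials while UpdateEnvironment runs. awseb-e-example, example-env and the bucket
# name are made up; see the Codeship guide / AWS managed policies for the real list.
ACCOUNT = "917801217495"
DEPLOY_CALLS: List[Tuple[str, str]] = [
    ("elasticbeanstalk:UpdateEnvironment",
     f"arn:aws:elasticbeanstalk:us-east-1:{ACCOUNT}:environment/appname/example-env"),
    ("elasticbeanstalk:DescribeEnvironments",
     f"arn:aws:elasticbeanstalk:us-east-1:{ACCOUNT}:environment/appname/example-env"),
    ("cloudformation:UpdateStack",
     f"arn:aws:cloudformation:us-east-1:{ACCOUNT}:stack/awseb-e-example/*"),
    ("cloudformation:DescribeStacks",
     f"arn:aws:cloudformation:us-east-1:{ACCOUNT}:stack/awseb-e-example/*"),
    ("autoscaling:DescribeAutoScalingGroups", "*"),
    ("ec2:DescribeInstances", "*"),
    ("elasticloadbalancing:DescribeLoadBalancers", "*"),
    ("s3:GetObject", f"arn:aws:s3:::elasticbeanstalk-us-east-1-{ACCOUNT}/*"),
]


def _as_list(value) -> list:
    # IAM lets Action/Resource be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt: dict, action: str, resource: str) -> bool:
    # Action names match case-insensitively; '*' and '?' are the only wildcards.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified identity-policy evaluation: an explicit Deny wins over any Allow,
    and a call that no statement matches is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_permissions(policy: dict, calls=DEPLOY_CALLS) -> List[str]:
    """Actions from `calls` the policy would reject, in the order of `calls`."""
    return [action for action, resource in calls if not is_allowed(policy, action, resource)]


def with_extra_statement(policy: dict, actions: List[str], resource: str = "*") -> dict:
    """Return a copy of the policy with one more Allow statement appended."""
    extra = {"Sid": "BeanstalkDependencies", "Effect": "Allow",
             "Action": actions, "Resource": resource}
    return {"Version": policy["Version"], "Statement": policy["Statement"] + [extra]}


# Assumption: a broad fix in the spirit of the Codeship guide's policy. Scope it down
# (resource ARNs, conditions) before giving it to a real CI user.
EXTENDED_POLICY = with_extra_statement(ASKER_POLICY, [
    "cloudformation:*", "autoscaling:*", "ec2:*", "elasticloadbalancing:*", "s3:*",
])

if __name__ == "__main__":
    print("missing from asker's policy:", missing_permissions(ASKER_POLICY))
    print("missing from extended policy:", missing_permissions(EXTENDED_POLICY))
```

The policy simulator only answers the question you put to it: simulating elasticbeanstalk:UpdateEnvironment alone says nothing about the cloudformation, ec2, autoscaling or elasticloadbalancing calls that operation triggers, which is why the asker's simulation passed while the real deployment failed. Simulate (or, with this evaluator, check) the downstream calls as well.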
