amazon-web-services - 上传到 S3 失败并出现以下错误:访问被拒绝 - CodeStarConnections
问题描述
我正在使用 AWS Codepipeline 构建 CI/CD 管道,存储库源位于 bitbucket 上,我使用 AWS-Codestarconnections 在 bitbucket 存储库和管道之间创建连接。
管道详情如下:
{
"pipeline": {
"name": "test_pipeline",
"roleArn": "arn:aws:iam::<AccountId>:role/PipelineServiceRole",
"artifactStore": {
"type": "S3",
"location": "tadadadada-artifact"
},
"stages": [
{
"name": "Source",
"actions": [
{
"name": "Source",
"actionTypeId": {
"category": "Source",
"owner": "AWS",
"provider": "CodeStarSourceConnection",
"version": "1"
},
"runOrder": 1,
"configuration": {
"BranchName": "dev",
"ConnectionArn": "arn:aws:codestar-connections:us-east-2:<AccountId>:connection/4ca7b1cf-2917-4fda-b681-c5239944eb33",
"FullRepositoryId": "<username>/repository_name",
"OutputArtifactFormat": "CODE_ZIP"
},
"outputArtifacts": [
{
"name": "SourceArtifact"
}
],
"inputArtifacts": [],
"region": "us-east-2",
"namespace": "SourceVariables"
}
]
},
{
"name": "Build",
"actions": [
{
....
}
]
}
],
"version": 1
},
"metadata": {
"pipelineArn": "arn:aws:codepipeline:us-east-2:<AccountId>:test_pipeline",
"created": 1611669087.267,
"updated": 1611669087.267
}
}
PipelineServiceRole + 附加到它的策略是:
服务角色
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "codepipeline.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
政策
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "IamPassRolePolicy",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "*",
"Condition": {
"StringEqualsIfExists": {
"iam:PassedToService": [
"cloudformation.amazonaws.com",
"ec2.amazonaws.com",
"ecs-tasks.amazonaws.com"
]
}
}
},
{
"Sid": "CodeBuildPolicy",
"Effect": "Allow",
"Action": [
"codebuild:BatchGetBuilds",
"codebuild:StartBuild"
],
"Resource": "*"
},
{
"Sid": "S3AccessPolicy",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:GetObjectVersion",
"s3:GetBucketAcl",
"s3:GetBucketLocation"
],
"Resource": "*"
},
{
"Sid": "ECRAccessPolicy",
"Effect": "Allow",
"Action": [
"ecr:DescribeImages"
],
"Resource": "*"
},
{
"Sid": "CodeStarConnectionsAccessPolicy",
"Effect": "Allow",
"Action": [
"codestar-connections:UseConnection"
],
"Resource": "*"
}
]
}
源阶段失败并出现错误:
[Bitbucket] Upload to S3 failed with the following error: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 085999D90C19E650; S3 Extended Request ID: gJ6l08+cX3U6i2Vj0+fW7PiqA/UzM6ZGCfyECmWb+Jit4Knu+gi/L4y3F24uqkFWUfGy9tZo0VE=; Proxy: null) (Service: null; Status Code: 0; Error Code: null; Request ID: null; S3 Extended Request ID: null; Proxy: null) (Service: null; Status Code: 0; Error Code: null; Request ID: null; S3 Extended Request ID: null; Proxy: null)
错误消息缺少详细信息,我不确定哪个服务正在尝试访问 s3,不应该是代码管道(在这种情况下具有 PutObject 权限)吗?
解决方案
通过将 OutputArtifactFormat 从更改为"OutputArtifactFormat": "CODE_ZIP"来 解决此问题"OutputArtifactFormat": "CODEBUILD_CLONE_REF"。
CODEBUILD_CLONE_REF - 来自控制台描述的是完整克隆,在这种情况下,AWS CodePipeline 传递有关允许后续操作执行完整 git 克隆的存储库的元数据。仅支持 AWS CodeBuild 操作。“CODE_ZIP”选项不包括关于存储库的 git 元数据
推荐阅读
- javascript - 任何图表的多点选择问题
- kubernetes - Kubectl 使用命令获取集群状态
- java - 在 TextView 中保存数据
- python - 如何在 spark 中使用 python 加载多个 mongodb 集合
- javascript - 控制何时在 HighCharts 中使用升压模式?
- zigbee - 哪种是满足我以下要求的最佳 zigbee 模式?
- sql - 使用参数的 SQL 日期查询 - Delphi
- android - 在 kotlin 中使用 SimpleXML 序列化改造 xml 响应
- django - 未提供身份验证凭据。Django Rest Framework/JWT 和 React 原生 iOS
- django - Django 自定义 cache_page 装饰器在之后唯一的第一次运行时返回错误,没关系