amazon-cloudformation - 假定角色无权执行：route53:ListHostZonesByDomain；将 Route53 策略添加到 CodePipeline CodeBuildAction 的假定规则

问题描述

我的目标是在 subdomain.mydomain.com 上创建一个网站，指向一个 CloudFront CDN，该 CDN 分发一个运行 Express 的 Lambda，它呈现一个 S3 网站。我正在使用 AWS CDK 来执行此操作。

我有一个错误说

[Error at /plants-domain] User: arn:aws:sts::413025517373:assumed-role/plants-pipeline-BuildCDKRole0DCEDB8F-1BHVX6Z6H5X0H/AWSCodeBuild-39a582bf-8b89-447e-a6b4-b7f7f13c9db1 is not authorized to perform: route53:ListHostedZonesByName

它的意思是：

• [Error at /plants-domain]- 调用堆栈中的错误plants-domain
• User: arn:aws:sts::1234567890:assumed-role/plants-pipeline-BuildCDKRole0DCEDB8F-1BHVX6Z6H5X0H/AWSCodeBuild-39a582bf-8b89-447e-a6b4-b7f7f13c9db是在plants-pipeline执行中与我的对象关联的假定角色的 ARN route53.HostedZone.fromLookup()（但它是哪个对象？？）
• is not authorized to perform: route53:ListHostedZonesByName假定角色需要额外的 Route53 权限

我相信此策略将允许相关对象查找托管区域：

const listHostZonesByNamePolicy = new IAM.PolicyStatement({
  actions: ['route53:ListHostedZonesByName'],
  resources: ['*'],
  effect: IAM.Effect.ALLOW,
});

使用的代码Route53.HostedZone.fromLookup()在第一个堆栈domain.ts中。我的另一个堆栈domain.ts使用模板使用CodePipelineAction.CloudFormationCreateUpdateStackAction（见下文）

domain.ts

// The addition of this zone lookup broke CDK
const zone = route53.HostedZone.fromLookup(this, 'baseZone', {
  domainName: 'domain.com',
});

// Distribution I'd like to point my subdomain.domain.com to
const distribution = new CloudFront.CloudFrontWebDistribution(this, 'website-cdn', {
// more stuff goes here
});


// Create the subdomain aRecord pointing to my distribution
const aRecord = new route53.ARecord(this, 'aliasRecord', {
  zone: zone,
  recordName: 'subdomain',
  target: route53.RecordTarget.fromAlias(new targets.CloudFrontTarget(distribution)),
});

pipeline.ts

const pipeline = new CodePipeline.Pipeline(this, 'Pipeline', {
  pipelineName: props.name,
  restartExecutionOnUpdate: false,
});

// My solution to the missing AssumedRole synth error: Create a Role, add the missing Policy to it (and the Pipeline, just in case)
const buildRole = new IAM.Role(this, 'BuildRole', {
  assumedBy: new IAM.ServicePrincipal('codebuild.amazonaws.com'),
  path: '/',
});

const listHostZonesByNamePolicy = new IAM.PolicyStatement({
  actions: ['route53:ListHostedZonesByName'],
  resources: ['*'],
  effect: IAM.Effect.ALLOW,
});


buildRole.addToPrincipalPolicy(listHostZonesByNamePolicy);

pipeline.addStage({
  // This is the action that fails, when it calls `cdk synth`
  stageName: 'Build',
  actions: [
    new CodePipelineAction.CodeBuildAction({
      actionName: 'CDK',
      project: new CodeBuild.PipelineProject(this, 'BuildCDK', {
        projectName: 'CDK',
        buildSpec: CodeBuild.BuildSpec.fromSourceFilename('./aws/buildspecs/cdk.yml'),
        role: buildRole, // this didn't work
      }),
      input: outputSources,
      outputs: [outputCDK],
      runOrder: 10,
      role: buildRole, // this didn't work
    }),
    new CodePipelineAction.CodeBuildAction({
       actionName: 'Assets',
      // other stuff
    }),
    new CodePipelineAction.CodeBuildAction({
      actionName: 'Render',
      // other stuff
    }),
  ]
})

pipeline.addStage({
  stageName: 'Deploy',
  actions: [
    // This is the action calling the compiled domain stack template
    new CodePipelineAction.CloudFormationCreateUpdateStackAction({
      actionName: 'Domain',
      templatePath: outputCDK.atPath(`${props.name}-domain.template.json`),
      stackName: `${props.name}-domain`,
      adminPermissions: true,
      runOrder: 50,
      role: buildRole, // this didn't work
    }),
    // other actions
  ]
});

不幸的是，使用上述配置，我仍然收到相同的错误：

[Error at /plants-domain] User: arn:aws:sts::413025517373:assumed-role/plants-pipeline-BuildCDKRole0DCEDB8F-1BHVX6Z6H5X0H/AWSCodeBuild-957b18fb-909d-4e22-94f0-9aa6281ddb2d is not authorized to perform: route53:ListHostedZonesByName

使用 Assumed Role ARN，是否可以追踪缺少权限的对象？还有其他方法可以解决我的 IAM/AssumedUser 角色问题吗？

标签： amazon-cloudformationamazon-iamamazon-route53aws-cdkaws-codebuild