amazon-cloudformation - 假定角色无权执行:route53:ListHostZonesByDomain;将 Route53 策略添加到 CodePipeline CodeBuildAction 的假定规则
问题描述
我的目标是在 subdomain.mydomain.com 上创建一个网站,指向一个 CloudFront CDN,该 CDN 分发一个运行 Express 的 Lambda,它呈现一个 S3 网站。我正在使用 AWS CDK 来执行此操作。
我有一个错误说
[Error at /plants-domain] User: arn:aws:sts::413025517373:assumed-role/plants-pipeline-BuildCDKRole0DCEDB8F-1BHVX6Z6H5X0H/AWSCodeBuild-39a582bf-8b89-447e-a6b4-b7f7f13c9db1 is not authorized to perform: route53:ListHostedZonesByName
它的意思是:
[Error at /plants-domain]
- 调用堆栈中的错误plants-domain
User: arn:aws:sts::1234567890:assumed-role/plants-pipeline-BuildCDKRole0DCEDB8F-1BHVX6Z6H5X0H/AWSCodeBuild-39a582bf-8b89-447e-a6b4-b7f7f13c9db
是在plants-pipeline
执行中与我的对象关联的假定角色的 ARNroute53.HostedZone.fromLookup()
(但它是哪个对象??)is not authorized to perform: route53:ListHostedZonesByName
假定角色需要额外的 Route53 权限
我相信此策略将允许相关对象查找托管区域:
const listHostZonesByNamePolicy = new IAM.PolicyStatement({
actions: ['route53:ListHostedZonesByName'],
resources: ['*'],
effect: IAM.Effect.ALLOW,
});
使用的代码Route53.HostedZone.fromLookup()
在第一个堆栈domain.ts
中。我的另一个堆栈domain.ts
使用模板使用CodePipelineAction.CloudFormationCreateUpdateStackAction
(见下文)
domain.ts
// The addition of this zone lookup broke CDK
const zone = route53.HostedZone.fromLookup(this, 'baseZone', {
domainName: 'domain.com',
});
// Distribution I'd like to point my subdomain.domain.com to
const distribution = new CloudFront.CloudFrontWebDistribution(this, 'website-cdn', {
// more stuff goes here
});
// Create the subdomain aRecord pointing to my distribution
const aRecord = new route53.ARecord(this, 'aliasRecord', {
zone: zone,
recordName: 'subdomain',
target: route53.RecordTarget.fromAlias(new targets.CloudFrontTarget(distribution)),
});
pipeline.ts
const pipeline = new CodePipeline.Pipeline(this, 'Pipeline', {
pipelineName: props.name,
restartExecutionOnUpdate: false,
});
// My solution to the missing AssumedRole synth error: Create a Role, add the missing Policy to it (and the Pipeline, just in case)
const buildRole = new IAM.Role(this, 'BuildRole', {
assumedBy: new IAM.ServicePrincipal('codebuild.amazonaws.com'),
path: '/',
});
const listHostZonesByNamePolicy = new IAM.PolicyStatement({
actions: ['route53:ListHostedZonesByName'],
resources: ['*'],
effect: IAM.Effect.ALLOW,
});
buildRole.addToPrincipalPolicy(listHostZonesByNamePolicy);
pipeline.addStage({
// This is the action that fails, when it calls `cdk synth`
stageName: 'Build',
actions: [
new CodePipelineAction.CodeBuildAction({
actionName: 'CDK',
project: new CodeBuild.PipelineProject(this, 'BuildCDK', {
projectName: 'CDK',
buildSpec: CodeBuild.BuildSpec.fromSourceFilename('./aws/buildspecs/cdk.yml'),
role: buildRole, // this didn't work
}),
input: outputSources,
outputs: [outputCDK],
runOrder: 10,
role: buildRole, // this didn't work
}),
new CodePipelineAction.CodeBuildAction({
actionName: 'Assets',
// other stuff
}),
new CodePipelineAction.CodeBuildAction({
actionName: 'Render',
// other stuff
}),
]
})
pipeline.addStage({
stageName: 'Deploy',
actions: [
// This is the action calling the compiled domain stack template
new CodePipelineAction.CloudFormationCreateUpdateStackAction({
actionName: 'Domain',
templatePath: outputCDK.atPath(`${props.name}-domain.template.json`),
stackName: `${props.name}-domain`,
adminPermissions: true,
runOrder: 50,
role: buildRole, // this didn't work
}),
// other actions
]
});
不幸的是,使用上述配置,我仍然收到相同的错误:
[Error at /plants-domain] User: arn:aws:sts::413025517373:assumed-role/plants-pipeline-BuildCDKRole0DCEDB8F-1BHVX6Z6H5X0H/AWSCodeBuild-957b18fb-909d-4e22-94f0-9aa6281ddb2d is not authorized to perform: route53:ListHostedZonesByName
使用 Assumed Role ARN,是否可以追踪缺少权限的对象?还有其他方法可以解决我的 IAM/AssumedUser 角色问题吗?
解决方案
根据错误,管道角色(它将在阶段或动作中起作用......)
默认情况下,正在为管道创建一个新角色:
角色?
类型:IRole(可选,默认:将创建一个新的 IAM 角色。)
此管道要承担的 IAM 角色。
相反,当您构建管道时,请在buildRole
此处添加:
const pipeline = new CodePipeline.Pipeline(this, 'Pipeline', {
pipelineName: props.name,
restartExecutionOnUpdate: false,
role: buildRole
});
根据您的管道,您从未根据文档将角色分配给相关阶段操作:
pipeline.addStage({
stageName: 'Deploy',
actions: [
// This is the action calling the compiled domain stack template
new CodePipelineAction.CloudFormationCreateUpdateStackAction({
...
role: buildRole, // this didn't work
}),
// other actions
]
});
应该:
pipeline.addStage({
stageName: 'Deploy',
actions: [
// This is the action calling the compiled domain stack template
new CodePipelineAction.CloudFormationCreateUpdateStackAction({
....
deploymentRole: buildRole
}),
]
});
为什么它deploymentRole
而不是 just role
,没有人知道。
推荐阅读
- swift - 如何在 ARKit 中使用垂直检测?
- perl - Perl - 使用 Image::Magick
- java - SpringBoot @WebMvcTest 和 @MockBean 没有按预期工作
- sql - LIKE 中的 SQL 下划线
- javascript - 将数组中的项目作为新值动态添加到对象的最佳方法
- c# - 从 SVG (XML) 根元素中获取属性值
- silverstripe-4 - 从页面中删除默认 HtmlEditorField
- python-2.7 - 将 NUL 字符写入 csv
- html - 标题对表格没有响应?
- excel - Excel:在一个范围内带有 ISBLANK 的 IF 语句