【发布时间】:2020-06-13 01:07:13
【问题描述】:
上下文
这最初是一个 CodeStar 项目,后来发展成为更大的项目。我们重用了 Beanstalk 应用程序来创建 stage 和 prod 环境,并保持最初创建的 dev 环境原样。
我们更新了 CodePipeline,以使用“Elastic Beanstalk”作为提供者部署到我们的新环境。 (虽然 CodeStar 已经使用 CloudFormation 为它在 Beanstalk 应用程序中自动配置的环境设置了部署。)
问题
部署失败,因为错误提到 autoscaling:DescribeAutoScalingGroups 未被 CodePipeline 的 IAM 角色授权执行。
这是 CodePipeline 中显示的整个错误消息:
权限不足
部署失败。
提供的角色没有足够的权限:用户: arn:aws:sts::xxx:assumed-role/CodeStarWorker-xxx-on-cod-ToolChain/yyy 无权执行:自动缩放:DescribeAutoScalingGroups (服务:AmazonAutoScaling;状态代码:403;错误代码: 拒绝访问;请求 ID:905ee6ef-d75d-4cf8-b5f3-e6b16a5f6477)
服务:AmazonAutoScaling,消息:用户: arn:aws:sts::xxx:assumed-role/CodeStarWorker-xxx-on-cod-ToolChain/yyy 无权执行:autoscaling:DescribeAutoScalingGroups
未能部署应用程序。
服务:AmazonAutoScaling,消息:用户: arn:aws:sts::xxx:assumed-role/CodeStarWorker-xxx-on-cod-ToolChain/yyy 无权执行:autoscaling:DescribeAutoScalingGroups
IAM
这是 CodePipeline 角色的内容(又名CodeStarWorker-xxx-on-cod-ToolChain):
这里是相关的权限边界(最初由 CodeStar 生成,最终由我们更新以尝试让整个事情发挥作用):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ssm:GetParameters",
"Resource": "*",
"Condition": {
"StringEquals": {
"ssm:ResourceTag/awscodestar:projectArn": "arn:aws:codestar:yyy:xxx:project/xxx-on-cod"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:CreateBucket",
"iam:PassRole",
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:s3:::aws-codestar-yyy-xxx/xxx-on-cod/ssh/*",
"arn:aws:s3:::elasticbeanstalk-yyy-xxx/*",
"arn:aws:s3:::elasticbeanstalk-yyy-xxx",
"arn:aws:s3:::awscodestar-remote-access-yyy/*",
"arn:aws:s3:::awscodestar-remote-access-signatures-yyy/*",
"arn:aws:iam::xxx:role/CodeStarWorker-xxx-on-cod-CloudFormation",
"arn:aws:secretsmanager:yyy:xxx:secret:xxx"
]
},
{
"Sid": "VisualEditor4",
"Effect": "Allow",
"Action": [
"s3:*",
"codebuild:*",
"ec2:Describe*",
"ec2:*SecurityGroup*",
"iam:PassRole"
],
"Resource": [
"*"
]
},
{
"Sid": "VisualEditor14",
"Effect": "Allow",
"Action": [
"logs:*"
],
"Resource": [
"arn:aws:logs:yyy:xxx:log-group:/aws/elasticbeanstalk/*"
]
},
{
"Sid": "VisualEditor6",
"Effect": "Allow",
"Action": [
"elasticbeanstalk:CreateApplicationVersion",
"elasticbeanstalk:UpdateEnvironment"
],
"Resource": [
"*"
]
},
{
"Sid": "VisualEditor5",
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:SuspendProcesses",
"autoscaling:ResumeProcesses",
"autoscaling:DescribeScalingActivities"
],
"Resource": [
"arn:aws:autoscaling:yyy:xxx:autoScalingGroup:*"
]
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"sns:Get*",
"sns:Publish",
"logs:DescribeLogGroups",
"cloudtrail:StartLogging",
"lambda:ListFunctions",
"cloudtrail:CreateTrail",
"sns:Subscribe",
"xray:Put*",
"logs:CreateLogGroup",
"logs:PutLogEvents",
"sns:List*"
],
"Resource": "*"
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": "*",
"Resource": [
"arn:aws:cloudformation:yyy:xxx:stack/awseb-e-mjdwv9ptcz-stack/2d588c80-5284-11ea-a1d4-068f4db663b8",
"arn:aws:cloudformation:yyy:xxx:stack/awseb-e-mjdwv9ptcz-stack/2d588c80-5284-11ea-a1d4-068f4db663b8/*",
"arn:aws:cloudformation:yyy:xxx:stack/awscodestar-xxx-on-cod-*",
"arn:aws:codebuild:yyy:xxx:project/xxx-on-cod",
"arn:aws:codecommit:yyy:xxx:xxx-on-codecommit",
"arn:aws:codepipeline:yyy:xxx:xxx-on-cod-Pipeline",
"arn:aws:elasticbeanstalk:yyy:xxx:*/xxx-on-cod*",
"arn:aws:s3:::aws-codestar-yyy-xxx-xxx-on-cod-pipe",
"arn:aws:s3:::aws-codestar-yyy-xxx-xxx-on-cod-pipe/*",
"arn:aws:s3:::elasticbeanstalk-yyy-xxx/resources/environments/e-fp3mwptx9q",
"arn:aws:s3:::elasticbeanstalk-yyy-xxx/resources/environments/e-fp3mwptx9q/*",
"arn:aws:s3:::elasticbeanstalk-yyy-xxx/resources/environments/e-mjdwv9ptcz",
"arn:aws:s3:::elasticbeanstalk-yyy-xxx/resources/environments/e-mjdwv9ptcz/*"
]
}
]
}
管道
如您所见,我们有两个 CodeBuild,因为第一个是 CodeStar 设置的,第二个是稍微修改输出工件的一个,以便它具有正确的格式,可以直接上传到豆茎。
成功的部署是来自 CodeStar 的(使用 CloudFormation Provider),下一个是失败的部署(使用 Beanstalk Provider)。
CodeStar CodeBuild (buildspec.yml)
CloudFormation 部署使用输出工件:
version: 0.2
phases:
install:
runtime-versions:
java: openjdk8
commands:
# Upgrade AWS CLI to the latest version
- pip install --upgrade awscli
pre_build:
commands:
- cd $CODEBUILD_SRC_DIR
- mvn clean compile test
build:
commands:
- mvn war:exploded
post_build:
commands:
- cp -r .ebextensions/ target/ROOT/
- aws cloudformation package --template template.yml --s3-bucket $S3_BUCKET --output-template-file template-export.yml
# Do not remove this statement. This command is required for AWS CodeStar projects.
# Update the AWS Partition, AWS Region, account ID and project ID in the project ARN on template-configuration.json file so AWS CloudFormation can tag project resources.
- sed -i.bak 's/\$PARTITION\$/'${PARTITION}'/g;s/\$AWS_REGION\$/'${AWS_REGION}'/g;s/\$ACCOUNT_ID\$/'${ACCOUNT_ID}'/g;s/\$PROJECT_ID\$/'${PROJECT_ID}'/g' template-configuration.json
artifacts:
type: zip
files:
- target/ROOT/**/*
- .ebextensions/**/*
- 'template-export.yml'
- 'template-configuration.json'
我们的 CodeBuild (buildspec-two.yml)
输出工件被(失败的)Beanstalk 部署使用:
# Everything up to that point is the very same as the code from above
artifacts:
type: zip
base-directory: 'target/ROOT'
files:
- ./**/*
- .ebextensions/**/*
结论
我不知道部署是如何失败的,因为权限边界和基本 IAM 角色都提到了autoscaling:DescribeAutoScalingGroups。
此外,CodeStar 环境的部署运行良好,但部署失败的特定环境来自精确复制(就配置而言)。
有什么想法吗?
(此外,最初的 dev 环境与新创建的 stage 环境一样多,甚至没有与之关联的 AutoScalingGroup ......所以我不知道为什么部署正在尝试这样做。)
(我查看了 S3 以确保部署的两个 Artefacts 具有相同的结构。)
【问题讨论】:
标签: amazon-web-services amazon-elastic-beanstalk amazon-iam aws-codepipeline aws-codebuild