如何解决假定角色无权执行:route53:ListHostZonesByDomain;将 Route53 策略添加到 CodePipeline CodeBuildAction 的假定规则
我的目标是在 subdomain.mydomain.com 创建一个指向 CloudFront CDN 的网站,该 CDN 分发运行 Express 的 Lambda,并呈现 S3 网站。我正在使用 AWS CDK 来执行此操作。
[Error at /plants-domain] User: arn:aws:sts::413025517373:assumed-role/plants-pipeline-BuildCDKRole0DCEDB8F-1BHVX6Z6H5X0H/AWSCodeBuild-39a582bf-8b89-447e-a6b4-b7f7f13c9db1 is not authorized to perform: route53:ListHostedZonesByName
意思是:
-
[Error at /plants-domain]- 名为plants-domain的堆栈中的错误 -
User: arn:aws:sts::1234567890:assumed-role/plants-pipeline-BuildCDKRole0DCEDB8F-1BHVX6Z6H5X0H/AWSCodeBuild-39a582bf-8b89-447e-a6b4-b7f7f13c9db是与我在执行plants-pipeline的route53.HostedZone.fromLookup()中的对象关联的假定角色的 ARN(但它是哪个对象??) -
is not authorized to perform: route53:ListHostedZonesByName承担的角色需要额外的 Route53 权限
我相信此政策将允许相关对象查找托管区域:
const listHostZonesByNamePolicy = new IAM.PolicyStatement({
actions: ['route53:ListHostedZonesByName'],resources: ['*'],effect: IAM.Effect.ALLOW,});
使用 Route53.HostedZone.fromLookup() 的代码位于第一个堆栈 domain.ts 中。我的另一个堆栈使用 domain.ts 使用 CodePipelineAction.CloudFormationCreateUpdateStackAction 模板(见下文)
domain.ts
// The addition of this zone lookup broke CDK
const zone = route53.HostedZone.fromLookup(this,'baseZone',{
domainName: 'domain.com',});
// distribution I'd like to point my subdomain.domain.com to
const distribution = new CloudFront.CloudFrontWebdistribution(this,'website-cdn',{
// more stuff goes here
});
// Create the subdomain aRecord pointing to my distribution
const aRecord = new route53.ARecord(this,'aliasRecord',{
zone: zone,recordName: 'subdomain',target: route53.RecordTarget.fromAlias(new targets.CloudFrontTarget(distribution)),});
pipeline.ts
const pipeline = new CodePipeline.Pipeline(this,'Pipeline',{
pipelineName: props.name,restartExecutionOnUpdate: false,});
// My solution to the missing AssumedRole synth error: Create a Role,add the missing Policy to it (and the Pipeline,just in case)
const buildrole = new IAM.Role(this,'buildrole',{
assumedBy: new IAM.ServicePrincipal('codebuild.amazonaws.com'),path: '/',});
const listHostZonesByNamePolicy = new IAM.PolicyStatement({
actions: ['route53:ListHostedZonesByName'],});
buildrole.addToPrincipalPolicy(listHostZonesByNamePolicy);
pipeline.addStage({
// This is the action that fails,when it calls `cdk synth`
stageName: 'Build',actions: [
new CodePipelineAction.CodeBuildAction({
actionName: 'CDK',project: new CodeBuild.PipelineProject(this,'BuildCDK',{
projectName: 'CDK',buildSpec: CodeBuild.BuildSpec.fromSourceFilename('./aws/buildspecs/cdk.yml'),role: buildrole,// this didn't work
}),input: outputSources,outputs: [outputCDK],runorder: 10,// this didn't work
}),new CodePipelineAction.CodeBuildAction({
actionName: 'Assets',// other stuff
}),new CodePipelineAction.CodeBuildAction({
actionName: 'Render',]
})
pipeline.addStage({
stageName: 'Deploy',actions: [
// This is the action calling the compiled domain stack template
new CodePipelineAction.CloudFormationCreateUpdateStackAction({
actionName: 'Domain',templatePath: outputCDK.atPath(`${props.name}-domain.template.json`),stackName: `${props.name}-domain`,adminPermissions: true,runorder: 50,// other actions
]
});
不幸的是,通过上述配置,我仍然收到相同的错误:
[Error at /plants-domain] User: arn:aws:sts::413025517373:assumed-role/plants-pipeline-BuildCDKRole0DCEDB8F-1BHVX6Z6H5X0H/AWSCodeBuild-957b18fb-909d-4e22-94f0-9aa6281ddb2d is not authorized to perform: route53:ListHostedZonesByName
使用 Assumed Role ARN,是否可以追踪缺少权限的对象?还有其他方法可以解决我的 IAM/AssumedUser 角色问题吗?
解决方法
基于错误,管道角色(它会在阶段或行动中工作......)
默认a new role is being created for the pipeline:
角色?
类型:IRole(可选,默认:将创建一个新的 IAM 角色。)
此管道要承担的 IAM 角色。
相反,当您构建管道时,请在此处添加 buildRole:
const pipeline = new CodePipeline.Pipeline(this,'Pipeline',{
pipelineName: props.name,restartExecutionOnUpdate: false,role: buildRole
});
根据您的管道,您从未将角色分配给相关的阶段操作 according to the docs:
pipeline.addStage({
stageName: 'Deploy',actions: [
// This is the action calling the compiled domain stack template
new CodePipelineAction.CloudFormationCreateUpdateStackAction({
...
role: buildRole,// this didn't work
}),// other actions
]
});
应该是:
pipeline.addStage({
stageName: 'Deploy',actions: [
// This is the action calling the compiled domain stack template
new CodePipelineAction.CloudFormationCreateUpdateStackAction({
....
deploymentRole: buildRole
}),]
});
为什么是 deploymentRole 而不是 role,没人知道。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。