如何解决如何从代码构建构建规范中获取 S3 对象? 拒绝访问
我有一个带有 CodeBuild 阶段的 CodePipeline 管道
这是我的构建规范:
{
"version": "0.2","phases": {
"build": {
"commands": [
"echo \"Hello,CodeBuild!\"","echo \"ca marche\" > test.txt","mkdir site-content","aws s3 sync s3://my-super-bucket-name site-content","ls - al"
]
}
},"artifacts": {
"files": [
"test.txt"
]
}
}
构建项目服务角色定义了一个默认的 cdk 生成策略,加上这个:
{
"Version": "2012-10-17","Statement": [
{
"Action": "s3:*","Resource": [
"arn:aws:s3:::my-super-bucket-name","arn:aws:s3:::my-super-bucket-name/* "
],"Effect": "Allow"
}
]
}
并且 codebuild.amazonaws.com 是角色的可信实体
在存储桶方面,我有这个存储桶策略:
{
"Version": "2012-10-17","Id": "PolicyXXXXXXXXXXXXX","Statement": [
{
"Sid": "StmtYYYYYYYYYYYYY","Effect": "Allow","Principal": {
"AWS": "arn:aws:iam::12345678910:user/a-user-for-another-process"
},"Action": "s3:*","Resource": "arn:aws:s3:::my-super-bucket-name"
}
]
}
但是构建项目失败了:
[Container] 2021/02/03 09:57:43 Running command aws s3 sync s3://my-super-bucket-name site-content
download Failed: s3://my-super-bucket-name/test.txt to site-content/test.txt An error occurred (AccessDenied) when calling the Getobject operation: Access Denied
Completed 4 Bytes/13.7 KiB (0 Bytes/s) with 4 file(s) remaining
帮助!
编辑: 我只是将此语句添加到存储桶策略中:
{
"Effect": "Allow","Principal": {
"AWS": "arn:aws:iam::XXXXXXXXXXXXX:role/my-role"
},"Resource": "arn:aws:s3:::my-super-bucket-name"
}
编辑2: 傻我!它是:
"Resource": "arn:aws:s3:::my-super-bucket-name*"
现在可以了!
解决方法
您应该修改存储桶策略以授予对您的代码构建角色的显式访问权限,因为如果没有附加到存储桶的存储桶策略,则首先根据存储桶策略检查权限,然后他们会按照您尝试的方式工作。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。