How to solve AWS InsufficientPrivilegesException for UpdateEnvironment when I have already set the relevant permission
I want to set up CI/CD with GitHub Actions so that a new application version is created in AWS Elastic Beanstalk whenever new code is committed and pushed. Here is the workflow .yml:
name: Build Frontend and Deploy
on:
  push:
    branches: [ master ]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v1
        with:
          node-version: '12'
      - name: Install app dependencies
        run: npm install
      - name: Build sapper app
        run: npm run build
      - name: Create ZIP deployment package
        run: zip -r deploy_frontend.zip ./
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: "us-east-1"
      - name: Upload package to S3 bucket
        run: aws s3 cp deploy_frontend.zip s3://***-deploy-dev/
      - name: Create new ElasticBeanstalk application version
        run: |
          aws elasticbeanstalk create-application-version \
            --application-name *** \
            --source-bundle S3Bucket="***",S3Key="deploy_frontend.zip" \
            --version-label "ver-${{ github.sha }}" \
            --description "commit-sha-${{ github.sha }}"
      - name: Deploy new ElasticBeanstalk application version
        run: |
          aws elasticbeanstalk update-environment \
            --environment-name *** \
            --version-label "ver-${{ github.sha }}"
Note: I have hidden the application and environment names with ***.
The build fails at the "Deploy new ElasticBeanstalk application version" step. The full error is:
Run aws elasticbeanstalk update-environment \
aws elasticbeanstalk update-environment \
--environment-name *** \
--version-label "ver-44d23ff7b95541c3527b0a7f156c1377d3fdc217"
shell: /bin/bash -e {0}
env:
AWS_DEFAULT_REGION: us-east-1
AWS_REGION: us-east-1
AWS_ACCESS_KEY_ID: ***
AWS_SECRET_ACCESS_KEY: ***
An error occurred (InsufficientPrivilegesException) when calling the UpdateEnvironment operation: Access Denied
Error: Process completed with exit code 255.
However, I think I have already set the relevant permission in the AWS policy. Here is the policy for the GitHub Actions user:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "elasticbeanstalk:UpdateEnvironment",
      "Resource": "arn:aws:elasticbeanstalk:us-east-1:917801217495:environment/appname/*"
    },
    {
      "Sid": "VisualEditor1",
      "Action": [
        "elasticbeanstalk:ListPlatformBranches",
        "elasticbeanstalk:DescribeAccountAttributes",
        "elasticbeanstalk:CreateStorageLocation",
        "elasticbeanstalk:CheckDNSAvailability"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Action": "elasticbeanstalk:*",
      "Resource": [
        "arn:aws:elasticbeanstalk:*:917801217495:applicationversion/*/*",
        "arn:aws:elasticbeanstalk:us-east-1:917801217495:environment/appname/*",
        "arn:aws:elasticbeanstalk:us-east-1:917801217495:application/appname"
      ]
    }
  ]
}
Again, I replaced my application name with appname.
I even tried the policy in the Policy Simulator, and it works as expected. What could be the problem?
Solution
I followed the guide at https://documentation.codeship.com/basic/continuous-deployment/deployment-to-elastic-beanstalk/#iam-policies, and it works. Basically, you also need to set permissions for all the Elastic Beanstalk-related services, not just Elastic Beanstalk.
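A quick way to see the gap the answer describes, as an added example that is not part of the original post or the linked guide: this script lists which service prefixes a policy document allows and which Elastic Beanstalk-related services it leaves out. The `RELATED_SERVICES` set, the helper names and the sample policy (with a placeholder account ID) are assumptions made for illustration; take the authoritative action list from the guide.

```python
import json

# Assumption: services Elastic Beanstalk calls on the caller's behalf during a
# deployment. The linked guide has the authoritative per-action list.
RELATED_SERVICES = {"elasticbeanstalk", "s3", "cloudformation", "autoscaling",
                    "ec2", "elasticloadbalancing", "cloudwatch"}

def as_list(value):
    """IAM accepts either a single string or a list for Action."""
    return [value] if isinstance(value, str) else list(value or [])

def audit(policy_json):
    """Return (allowed service prefixes, missing related services, Sids without Effect)."""
    allowed, no_effect = set(), []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        effect = stmt.get("Effect")
        if effect is None:                    # Effect is required; count nothing from it
            no_effect.append(stmt.get("Sid", "<no Sid>"))
            continue
        if effect != "Allow":                 # Deny statements never add permissions
            continue
        for action in as_list(stmt.get("Action")):
            if action == "*":
                allowed |= RELATED_SERVICES
            else:
                allowed.add(action.split(":", 1)[0].lower())
    return allowed, sorted(RELATED_SERVICES - allowed), no_effect

# Constructed sample in the shape of the question's policy (placeholder account ID).
SAMPLE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": "elasticbeanstalk:UpdateEnvironment",
     "Resource": "arn:aws:elasticbeanstalk:us-east-1:111122223333:environment/appname/*"},
    {"Sid": "VisualEditor1",
     "Action": ["elasticbeanstalk:ListPlatformBranches"], "Resource": "*"},
    {"Sid": "VisualEditor2", "Effect": "Allow",
     "Action": "elasticbeanstalk:*", "Resource": "*"}
  ]
}"""

if __name__ == "__main__":
    allowed, missing, no_effect = audit(SAMPLE)
    print("allowed service prefixes:", sorted(allowed))
    print("related services with no Allow:", missing)
    print("statements without Effect:", no_effect)
```

The script inspects one policy document at a time, so run it on every policy attached to the CI user and combine the results before concluding that a service is uncovered.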