3 answers
0
After more investigation I've found the API event in CloudTrail. It's getting
```json
{ [...]
  "errorCode": "AccessDenied",
  "errorMessage": "User: arn:aws:sts::xxxx:assumed-role/codedeploy_pipeline_xxxx_test/xxxx is not authorized to perform: codedeploy:GetApplication on resource: arn:aws:codedeploy:ap-southeast-2:xxxx:application:xxxx-test",
}
```
but the IAM policy document for that role contains
```json
{
  "Action": [
    "codedeploy:*"
  ],
  "Resource": "*",
  "Effect": "Allow"
},
```
It was more restrictive but I added the wildcard to try to debug. The policy simulator says GetApplication should work.
answered 5 years ago
0
After even more digging through CloudTrail I discovered the root was a missing iam:PassRole for the ECS container role. This was present on the CodeDeploy role but not on the role passed to CodePipeline to invoke CodeDeploy. The final policy for the CodeDeploy role is
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "codedeploy:CreateDeployment",
        "codedeploy:GetDeployment",
        "codedeploy:GetDeploymentConfig",
        "codedeploy:GetApplicationRevision",
        "codedeploy:RegisterApplicationRevision",
        "codedeploy:GetApplication",
        "ecs:RegisterTaskDefinition"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:GetObject*",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::deployment_intermediate_bucket/*",
      "Effect": "Allow"
    },
    {
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::deployment_intermediate_bucket",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:GenerateDataKey*",
        "kms:Encrypt",
        "kms:ReEncrypt*",
        "kms:Decrypt"
      ],
      "Resource": [
        "${var.deployment_kms_key_arn}"
      ]
    },
    {
      "Action": [
        "iam:PassRole"
      ],
      "Effect": "Allow",
      "Resource": "ecs_container_role_arn"
    }
  ]
}
```
I'm going to try to lock this down some more, in particular the PassRole. The condition string used on the CodeDeploy side didn't seem to work, but I may have entered it wrong.
Edited by: phillipion on Jun 27, 2019 3:54 PM
answered 5 years ago
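The two answers above work backwards from a CloudTrail `AccessDenied` record to a missing `iam:PassRole` on a different role than the one named in the first error. As an added example (not code from the thread or from AWS), the script below parses such records into principal, action and resource, then checks each denied action against a candidate policy using IAM-style wildcard matching, so `codedeploy:*` covers `codedeploy:GetApplication` and `s3:GetObject*` covers `s3:GetObjectVersion`. The events, account id, role names and session name are constructed; the matcher only evaluates `Allow` statements and ignores `Deny` statements and `Condition` blocks (an assumption that keeps it small).

```python
import re
from fnmatch import fnmatchcase

# Constructed CloudTrail records modelled on the event quoted above (not real data).
ROLE_ARN = "arn:aws:sts::111111111111:assumed-role/codedeploy_pipeline_example_test/session"
SAMPLE_EVENTS = [
    {"eventSource": "codedeploy.amazonaws.com", "eventName": "GetApplication",
     "errorCode": "AccessDenied",
     "errorMessage": f"User: {ROLE_ARN} is not authorized to perform: codedeploy:GetApplication "
                     "on resource: arn:aws:codedeploy:ap-southeast-2:111111111111:application:example-test"},
    {"eventSource": "ecs.amazonaws.com", "eventName": "RegisterTaskDefinition",
     "errorCode": "AccessDenied",
     "errorMessage": f"User: {ROLE_ARN} is not authorized to perform: iam:PassRole "
                     "on resource: arn:aws:iam::111111111111:role/ecs_container_role"},
    {"eventSource": "codedeploy.amazonaws.com", "eventName": "CreateDeployment"},  # succeeded: no errorCode
]

# Shape of the errorMessage field for identity-based denials; the resource part is optional.
DENY_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+?)"
    r"(?: on resource: (?P<resource>\S+))?$")

def parse_denials(events):
    """Return (principal, action, resource) for every AccessDenied record; resource is '*' if absent."""
    found = []
    for ev in events:
        if ev.get("errorCode") != "AccessDenied":
            continue
        m = DENY_RE.search(ev.get("errorMessage", ""))
        if m:
            found.append((m["principal"], m["action"], m["resource"] or "*"))
    return found

def action_allowed(policy, action, resource="*"):
    """True if some Allow statement matches the action (case-insensitive) and the resource.
    IAM wildcards '*' and '?' are mapped onto fnmatchcase; Deny and Condition are not modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if (any(fnmatchcase(action.lower(), a.lower()) for a in actions)
                and any(fnmatchcase(resource, r) for r in resources)):
            return True
    return False

def missing_permissions(events, policy):
    """Denied (action, resource) pairs from CloudTrail that the candidate policy still would not allow."""
    return sorted({(act, res) for _, act, res in parse_denials(events)
                   if not action_allowed(policy, act, res)})
```

Running it against the wildcard policy from the first answer reports only the `iam:PassRole` denial, which is the gap the second answer closed; against a policy that also grants `iam:PassRole` on the ECS container role it reports nothing.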