How to fix CodeDeploy being unable to access S3
I have a CodePipeline in account A and a CodeDeploy deployment group in account B. After the deployment group's trigger fires, I see the following error:
The IAM role arn:aws:iam::accountb:role/testcrss does not give you permission to perform operations in the following AWS service: Amazon S3. Contact your AWS administrator if you need help. If you are an AWS administrator,you can grant permissions to your users or groups by creating IAM policies.
I followed the AWS documentation for cross-account deployments with CodePipeline. Do I need to configure anything beyond what the documentation describes?
Policies attached to the testcrss role
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey",
                "kms:GenerateDataKey*",
                "kms:Encrypt",
                "kms:ReEncrypt*",
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:us-east-2:AccountA:key/valuetest"
            ]
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*"
            ],
            "Resource": [
                "arn:aws:s3:::AccountAbucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::AccountAbucket"
            ]
        }
    ]
}
Bucket policy in account A
{
    "Version": "2012-10-17",
    "Id": "SSEAndSSLPolicy",
    "Statement": [
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::AccountAbucket/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        },
        {
            "Sid": "DenyInsecureConnections",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::AccountAbucket",
                "arn:aws:s3:::AccountAbucket/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountB:root"
            },
            "Action": [
                "s3:Get*",
                "s3:Put*"
            ],
            "Resource": "arn:aws:s3:::AccountAbucket/*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountB:root"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::AccountAbucket"
        },
        {
            "Sid": "Cross-account permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountB:role/testcrss"
            },
            "Action": [
                "s3:Get*",
                "s3:Put*"
            ],
            "Resource": "arn:aws:s3:::AccountAbucket/*"
        }
    ]
}
Trust relationship of the testcrss role
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "codedeploy.amazonaws.com",
                    "ec2.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Solution
The problem was that the KMS key granted to account B was the wrong one. That key is what is needed to access the S3 bucket in account A, so the KMS key in the role policy must be the same KMS key that is attached to the pipeline in account A.
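The mismatch described in the solution is easy to miss by eye because the role does have a kms:Decrypt grant, just on the wrong key. The following is an added example (not code from the original post or from AWS) that performs an offline, structural check of a role's identity policies, the artifact bucket policy and the pipeline's KMS key ARN, reporting the same three things this thread turns on: the role can read and list the artifact bucket, the bucket policy grants that role access, and the key the role may decrypt with is the key the pipeline actually uses. All account ids, bucket names and key ids are constructed placeholders; conditional statements are skipped, so this complements rather than replaces the IAM policy simulator.

```python
"""Offline preflight check for a cross-account CodePipeline -> CodeDeploy artifact flow."""
import fnmatch
import json


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match_action(pattern, action):
    # IAM action names are case-insensitive and support '*' / '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _match_resource(pattern, resource):
    # Resource ARNs are matched case-sensitively; fnmatch does not treat '/' specially, so
    # "arn:aws:s3:::bucket/*" covers nested object keys, as it does in IAM.
    return fnmatch.fnmatchcase(resource, pattern)


def _principal_matches(statement, principal_arn):
    """True if a resource-policy statement's Principal covers principal_arn.

    Granting the account root delegates to that account, so a root principal is treated as
    covering any role in the account (the role still needs its own identity policy).
    """
    p = statement.get("Principal")
    if p is None or p == "*":
        return True
    aws = _as_list(p.get("AWS", [])) if isinstance(p, dict) else []
    account_root = "arn:aws:iam::%s:root" % principal_arn.split(":")[4]
    return any(a in ("*", principal_arn, account_root) for a in aws)


def evaluate(policies, action, resource, principal_arn=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one action on one resource.

    Explicit Deny wins over Allow, as in real IAM evaluation. Statements carrying a
    Condition are skipped: this is a structural check, not a condition evaluator.
    """
    decision = "ImplicitDeny"
    for doc in policies:
        for st in _as_list(doc["Statement"]):
            if "Condition" in st:
                continue
            if principal_arn and not _principal_matches(st, principal_arn):
                continue
            if not any(_match_action(a, action) for a in _as_list(st.get("Action", []))):
                continue
            if not any(_match_resource(r, resource) for r in _as_list(st.get("Resource", []))):
                continue
            if st.get("Effect") == "Deny":
                return "Deny"
            if st.get("Effect") == "Allow":
                decision = "Allow"
    return decision


def diagnose(role_arn, role_policies, bucket_policy, bucket_arn, pipeline_key_arn):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    sample_object = bucket_arn + "/pipeline-artifacts/build.zip"   # constructed object key
    for action, res in (("s3:GetObject", sample_object), ("s3:ListBucket", bucket_arn)):
        if evaluate(role_policies, action, res) != "Allow":
            problems.append("role policy does not allow %s on %s" % (action, res))
        if evaluate([bucket_policy], action, res, role_arn) != "Allow":
            problems.append("bucket policy does not grant %s %s on %s" % (role_arn, action, res))
    # The root cause in the thread: the role may decrypt with *a* key, but not the pipeline's key.
    if evaluate(role_policies, "kms:Decrypt", pipeline_key_arn) != "Allow":
        problems.append("role policy does not allow kms:Decrypt on the pipeline's key " + pipeline_key_arn)
    return problems


def rebind_kms_key(policies, key_arn):
    """Return a copy of the role policies with every kms:* statement pointed at key_arn."""
    fixed = json.loads(json.dumps(policies))   # cheap deep copy, leaves the input untouched
    for doc in fixed:
        for st in _as_list(doc["Statement"]):
            if any(a.lower().startswith("kms:") for a in _as_list(st.get("Action", []))):
                st["Resource"] = [key_arn]
    return fixed


# Constructed sample configuration mirroring the shape of the policies in the question.
ACCOUNT_A = "111111111111"   # placeholder: pipeline and artifact bucket account
ACCOUNT_B = "222222222222"   # placeholder: CodeDeploy account
BUCKET_ARN = "arn:aws:s3:::codepipeline-us-east-2-" + ACCOUNT_A
ROLE_ARN = "arn:aws:iam::%s:role/testcrss" % ACCOUNT_B
PIPELINE_KEY_ARN = "arn:aws:kms:us-east-2:%s:key/pipeline-key-id" % ACCOUNT_A
WRONG_KEY_ARN = "arn:aws:kms:us-east-2:%s:key/some-other-key-id" % ACCOUNT_A

ROLE_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["kms:DescribeKey", "kms:GenerateDataKey*", "kms:Encrypt", "kms:ReEncrypt*", "kms:Decrypt"],
         "Resource": [WRONG_KEY_ARN]}]},
]
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureConnections", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Action": ["s3:Get*", "s3:Put*"],
     "Resource": BUCKET_ARN + "/*"},
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
]}

if __name__ == "__main__":
    for p in diagnose(ROLE_ARN, ROLE_POLICIES, BUCKET_POLICY, BUCKET_ARN, PIPELINE_KEY_ARN):
        print("PROBLEM:", p)
    fixed = rebind_kms_key(ROLE_POLICIES, PIPELINE_KEY_ARN)
    print("after rebinding the key:", diagnose(ROLE_ARN, fixed, BUCKET_POLICY, BUCKET_ARN, PIPELINE_KEY_ARN))
```

Run against the sample data, the only finding is the missing kms:Decrypt on the pipeline's key, which is exactly the symptom behind the generic "does not give you permission ... Amazon S3" message: S3 reads of SSE-KMS objects fail at the decrypt step, not at the bucket ACL. Pointing the role's KMS statement at the pipeline's key (here via rebind_kms_key, or by editing the policy) clears the finding. To check a real account, replace the constructed documents with the output of `aws iam get-role-policy`, `aws s3api get-bucket-policy` and the encryptionKey from `aws codepipeline get-pipeline`.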