Terraform access denied for AWS CodeBuild container output

How to fix Terraform access denied for AWS CodeBuild container output

Background

I am working on a data pipeline that uses a collection of AWS resources (e.g. AWS Glue, Athena, S3, etc.). I am using Terraform in AWS CodeBuild to deploy the AWS resources. All Terraform configuration files are stored in a GitHub repository, and the CodeBuild project uses that GitHub repository as its source.

Problem:

When the CodeBuild project is triggered, the terraform apply command is used to apply the .tf file configuration to the AWS resources. The terraform apply command outputs this error:

[image: error output]

The CodeBuild project role has the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": [
                "arn:aws:logs:us-west-2:xxxxxxxxxxxx:log-group:/aws/codebuild/sparkify-CI",
                "arn:aws:logs:us-west-2:xxxxxxxxxxxx:log-group:/aws/codebuild/sparkify-CI:*"
            ],
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::sparkify-dend-analytics"
            ],
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "codebuild:CreateReportGroup",
                "codebuild:CreateReport",
                "codebuild:UpdateReport",
                "codebuild:BatchPutTestCases",
                "codebuild:BatchPutCodeCoverages"
            ],
            "Resource": [
                "arn:aws:codebuild:us-west-2:xxxxxxxxxxxx:report-group/sparkify-CI-*"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:aws:ec2:us-west-2:xxxxxxxxxxxx:vpc/vpc-xxxxxxxxxxxxxxxxxxx"
            ],
            "Action": [
                "ec2:AcceptVpcPeeringConnection", "ec2:AcceptVpcEndpointConnections", "ec2:AllocateAddress",
                "ec2:AssignIpv6Addresses", "ec2:AssignPrivateIpAddresses", "ec2:AssociateAddress",
                "ec2:AssociateDhcpOptions", "ec2:AssociateRouteTable", "ec2:AssociateSubnetCidrBlock",
                "ec2:AssociateVpcCidrBlock", "ec2:AttachClassicLinkVpc", "ec2:AttachInternetGateway",
                "ec2:AttachNetworkInterface", "ec2:AttachVpnGateway", "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateCustomerGateway", "ec2:CreateDefaultSubnet",
                "ec2:CreateDefaultVpc", "ec2:CreateDhcpOptions", "ec2:CreateEgressOnlyInternetGateway",
                "ec2:CreateFlowLogs", "ec2:CreateInternetGateway", "ec2:CreateNatGateway",
                "ec2:CreateNetworkAcl", "ec2:CreateNetworkAclEntry", "ec2:CreateNetworkInterface",
                "ec2:CreateNetworkInterfacePermission", "ec2:CreateRoute", "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup", "ec2:CreateSubnet", "ec2:CreateTags", "ec2:CreateVpc",
                "ec2:CreateVpcEndpoint", "ec2:CreateVpcEndpointConnectionNotification",
                "ec2:CreateVpcEndpointServiceConfiguration", "ec2:CreateVpcPeeringConnection",
                "ec2:CreateVpnConnection", "ec2:CreateVpnConnectionRoute", "ec2:CreateVpnGateway",
                "ec2:DeleteCustomerGateway", "ec2:DeleteDhcpOptions", "ec2:DeleteEgressOnlyInternetGateway",
                "ec2:DeleteFlowLogs", "ec2:DeleteInternetGateway", "ec2:DeleteNatGateway",
                "ec2:DeleteNetworkAcl", "ec2:DeleteNetworkAclEntry", "ec2:DeleteNetworkInterface",
                "ec2:DeleteNetworkInterfacePermission", "ec2:DeleteRoute", "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup", "ec2:DeleteSubnet", "ec2:DeleteTags", "ec2:DeleteVpc",
                "ec2:DeleteVpcEndpoints", "ec2:DeleteVpcEndpointConnectionNotifications",
                "ec2:DeleteVpcEndpointServiceConfigurations", "ec2:DeleteVpcPeeringConnection",
                "ec2:DeleteVpnConnection", "ec2:DeleteVpnConnectionRoute", "ec2:DeleteVpnGateway",
                "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones",
                "ec2:DescribeClassicLinkInstances", "ec2:DescribeCustomerGateways", "ec2:DescribeDhcpOptions",
                "ec2:DescribeEgressOnlyInternetGateways", "ec2:DescribeFlowLogs", "ec2:DescribeInstances",
                "ec2:DescribeInternetGateways", "ec2:DescribeKeyPairs", "ec2:DescribeMovingAddresses",
                "ec2:DescribeNatGateways", "ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeNetworkInterfacePermissions", "ec2:DescribeNetworkInterfaces", "ec2:DescribePrefixLists",
                "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroupReferences", "ec2:DescribeSecurityGroups",
                "ec2:DescribeStaleSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeTags",
                "ec2:DescribeVpcAttribute", "ec2:DescribeVpcClassicLink", "ec2:DescribeVpcClassicLinkDnsSupport",
                "ec2:DescribeVpcEndpointConnectionNotifications", "ec2:DescribeVpcEndpointConnections",
                "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcEndpointServiceConfigurations",
                "ec2:DescribeVpcEndpointServicePermissions", "ec2:DescribeVpcEndpointServices",
                "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs", "ec2:DescribeVpnConnections",
                "ec2:DescribeVpnGateways", "ec2:DetachClassicLinkVpc", "ec2:DetachInternetGateway",
                "ec2:DetachNetworkInterface", "ec2:DetachVpnGateway", "ec2:DisableVgwRoutePropagation",
                "ec2:DisableVpcClassicLink", "ec2:DisableVpcClassicLinkDnsSupport", "ec2:DisassociateAddress",
                "ec2:DisassociateRouteTable", "ec2:DisassociateSubnetCidrBlock", "ec2:DisassociateVpcCidrBlock",
                "ec2:EnableVgwRoutePropagation", "ec2:EnableVpcClassicLink", "ec2:EnableVpcClassicLinkDnsSupport",
                "ec2:ModifyNetworkInterfaceAttribute", "ec2:ModifySubnetAttribute", "ec2:ModifyVpcAttribute",
                "ec2:ModifyVpcEndpoint", "ec2:ModifyVpcEndpointConnectionNotification",
                "ec2:ModifyVpcEndpointServiceConfiguration", "ec2:ModifyVpcEndpointServicePermissions",
                "ec2:ModifyVpcPeeringConnectionOptions", "ec2:ModifyVpcTenancy", "ec2:MoveAddressToVpc",
                "ec2:RejectVpcEndpointConnections", "ec2:RejectVpcPeeringConnection", "ec2:ReleaseAddress",
                "ec2:ReplaceNetworkAclAssociation", "ec2:ReplaceNetworkAclEntry", "ec2:ReplaceRoute",
                "ec2:ReplaceRouteTableAssociation", "ec2:ResetNetworkInterfaceAttribute", "ec2:RestoreAddressToClassic",
                "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:UnassignIpv6Addresses",
                "ec2:UnassignPrivateIpAddresses", "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
                "ec2:UpdateSecurityGroupRuleDescriptionsIngress"
            ]
        }
    ]
}

CodeBuild project configuration:

Image: aws/codebuild/amazonlinux2-x86_64-standard:2.0

Environment type: Linux

Compute: 3 GB memory, 2 vCPUs

Privileged: false

Environment variables:

TERRAFORM_VERSION = 0.12.28

buildspec.yml:

version: 0.2

phases:

  install:
    commands:
      # Install the Terraform release pinned by the TERRAFORM_VERSION environment variable
      - wget https://releases.hashicorp.com/terraform/"$TERRAFORM_VERSION"/terraform_"$TERRAFORM_VERSION"_linux_amd64.zip
      - unzip terraform_"$TERRAFORM_VERSION"_linux_amd64.zip
      - rm terraform_"$TERRAFORM_VERSION"_linux_amd64.zip
      - mv terraform /usr/local/bin/
  build:
    commands:
      - echo $CODEBUILD_WEBHOOK_TRIGGER
      # refs/heads/<branch> -> <branch>
      - BRANCH_NAME=$(echo $CODEBUILD_WEBHOOK_HEAD_REF | cut -d'/' -f 3)
      # dev and prod branches apply; every other branch only plans
      - |
        case $BRANCH_NAME in
          dev|prod) TF_COMMAND="apply -auto-approve";;
          *) TF_COMMAND="plan";;
        esac
      - echo $BRANCH_NAME
      - export AWS_ACCESS_KEY_ID=`curl --silent http://169.254.170.2:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI | jq -r '.AccessKeyId'`
      - export AWS_SECRET_ACCESS_KEY=`curl --silent http://169.254.170.2:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI | jq -r '.SecretAccessKey'`
      - export AWS_DEFAULT_REGION="us-west-2"
      - |
        # Run terraform init and $TF_COMMAND in every deployment/<service>/<branch>/... directory that holds .tf or .tfvars files
        for service in deployment/*/; do
          if [ -d "${service}/${BRANCH_NAME}/" ]; then
            #get list of non-hidden directories within ${service}/${BRANCH_NAME}/
            service_dir_list=$(find "${service}${BRANCH_NAME}" -type d | grep -v '/\.')
            for dir in $service_dir_list; do
              #if directory contains .tf or .tfvars files
              if (ls ${dir}/*.tf) > /dev/null 2>&1 || (ls ${dir}/*.tfvars) > /dev/null 2>&1; then
                cd $dir > /dev/null
                echo ""
                echo "*************** TERRAFORM INIT ******************"
                echo "******* At directory: ${dir} ********"
                echo "*************************************************"
                terraform init
                echo ""
                echo "*************** TERRAFORM $TF_COMMAND ******************"
                echo "******* At directory: ${dir} ********"
                echo "*************************************************"
                terraform $TF_COMMAND
                cd - > /dev/null
              else
                :
                # echo "No Terraform files were found in ${dir}"
              fi
            done
          else
            echo "No ${BRANCH_NAME} environment directory exists within ${service}"
          fi
        done


Attempts:

1. Use the CodeBuild container's access key ID and secret key in the AWS provider block.

How the container's credentials are obtained in buildspec.yml:

- export AWS_ACCESS_KEY_ID=`curl --silent http://169.254.170.2:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI | jq -r '.AccessKeyId'`
- export AWS_SECRET_ACCESS_KEY=`curl --silent http://169.254.170.2:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI | jq -r '.SecretAccessKey'`

But running terraform apply in CodeBuild then results in the error:

error using credentials to get account ID: error calling sts:GetCallerIdentity: InvalidClientTokenId: 
The security token included in the request is invalid. status code: 403,request id: x

2. Added AmazonVPCFullAccess to the CodeBuild IAM role.
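The InvalidClientTokenId error from attempt 1 is what STS returns when temporary credentials are presented without their session token. The container credentials endpoint at 169.254.170.2 returns a Token field next to AccessKeyId and SecretAccessKey, and the two export lines in the buildspec only pick up the first two. The following is an added example, not the poster's code, that maps a response from that endpoint to the three environment variables the AWS SDK credential chain reads. The sample response is constructed; the role ARN inside it is a placeholder.

```python
"""Turn a CodeBuild/ECS container-credentials response into the environment
variables the AWS SDKs (and therefore the Terraform AWS provider) expect.

Added example, not code from the original post. SAMPLE_RESPONSE is a
constructed response; the field names (AccessKeyId, SecretAccessKey,
Token, Expiration, RoleArn) are the ones the 169.254.170.2 endpoint returns.
"""
import json
import os
import urllib.request

CREDENTIALS_ENDPOINT = "http://169.254.170.2"

# Constructed sample shaped like a real response from the endpoint.
SAMPLE_RESPONSE = json.dumps({
    "AccessKeyId": "ASIAEXAMPLEKEYID1234",
    "SecretAccessKey": "exampleSecretKeyDoNotUse",
    "Token": "exampleSessionTokenDoNotUse",
    "Expiration": "2020-07-01T00:00:00Z",
    "RoleArn": "arn:aws:iam::xxxxxxxxxxxx:role/service-role/codebuild-sparkify-CI",
})


def env_from_container_credentials(body: str) -> dict:
    """Map the endpoint's JSON to the env vars the SDK credential chain reads.

    The posted buildspec exported only AWS_ACCESS_KEY_ID and
    AWS_SECRET_ACCESS_KEY. Container credentials are temporary STS
    credentials, valid only together with their session token; without
    AWS_SESSION_TOKEN, STS rejects the request with InvalidClientTokenId.
    """
    creds = json.loads(body)
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["Token"],
    }


def is_temporary_key(access_key_id: str) -> bool:
    """Access key IDs issued by STS start with 'ASIA'; long-term IAM user
    keys start with 'AKIA'. Only the former need a session token."""
    return access_key_id.startswith("ASIA")


def credential_env_is_complete(env: dict) -> bool:
    """False when a temporary key is exported without its session token,
    which is exactly the state the posted buildspec produces."""
    key = env.get("AWS_ACCESS_KEY_ID", "")
    if is_temporary_key(key) and not env.get("AWS_SESSION_TOKEN"):
        return False
    return bool(key and env.get("AWS_SECRET_ACCESS_KEY"))


def fetch_container_credentials(timeout: float = 2.0) -> dict:
    """Fetch live credentials inside CodeBuild. Raises RuntimeError when
    AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set (i.e. outside the build)."""
    rel = os.environ.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    if not rel:
        raise RuntimeError("not running with container credentials")
    with urllib.request.urlopen(CREDENTIALS_ENDPOINT + rel, timeout=timeout) as r:
        return env_from_container_credentials(r.read().decode())


if __name__ == "__main__":
    for name, value in env_from_container_credentials(SAMPLE_RESPONSE).items():
        print(f"export {name}={value}")
```

Inside CodeBuild none of these exports are needed in the first place: the Terraform AWS provider uses the AWS SDK credential chain, which reads AWS_CONTAINER_CREDENTIALS_RELATIVE_URI on its own and refreshes the credentials before they expire. Deleting the two export lines and letting the provider pick up the build role is the smaller change, and it keeps the secret key and token out of the build's environment and logs.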

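Once the credentials are accepted, any remaining access-denied errors come down to what the role policy grants. The following added example (not the poster's code and not an AWS library) is a minimal evaluator for IAM identity-policy Effect/Action/Resource matching, run over a condensed copy of the posted policy. Conditions, NotAction/NotResource, resource policies, permissions boundaries and SCPs are deliberately not modelled. The calls listed in NEEDED are assumptions about what a Terraform run for the described resources would make, and the state key prod/terraform.tfstate is an assumption as well; the account ID and VPC ID placeholders are the ones from the question.

```python
"""Minimal IAM identity-policy evaluator: which (action, resource) pairs does
the posted CodeBuild role policy actually allow?

Added example, not the poster's code and not an AWS library. Only
Effect/Action/Resource matching is modelled: '*' and '?' wildcards,
case-insensitive action names, explicit Deny wins, otherwise implicit deny.
"""
import fnmatch
import json
from typing import Iterable, List, Tuple

# The posted policy condensed to the statements the checks below touch.
POLICY = json.loads(r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Resource": ["arn:aws:s3:::sparkify-dend-analytics"],
     "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
                "s3:GetBucketAcl", "s3:GetBucketLocation"]},
    {"Effect": "Allow",
     "Resource": ["arn:aws:ec2:us-west-2:xxxxxxxxxxxx:vpc/vpc-xxxxxxxxxxxxxxxxxxx"],
     "Action": ["ec2:CreateSubnet", "ec2:CreateSecurityGroup", "ec2:DescribeVpcs",
                "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups"]}
  ]
}
''')


def _as_list(value) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern: str, action: str) -> bool:
    # IAM compares action names case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern: str, resource: str) -> bool:
    # Resource ARNs are matched case-sensitively with the same wildcards.
    return fnmatch.fnmatchcase(resource, pattern)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Explicit Deny wins; otherwise any matching Allow grants; else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if "Action" not in stmt or "Resource" not in stmt:
            continue  # NotAction / NotResource statements are not modelled
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_resource_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_permissions(policy: dict, needed: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (action, resource) pairs the policy does not grant."""
    return [(a, r) for a, r in needed if not is_allowed(policy, a, r)]


# Assumed calls for a Terraform run against the described resources. EC2
# Describe* APIs do not support resource-level permissions, so IAM evaluates
# them against "*": a statement scoped to one VPC ARN never matches them.
# S3 object actions are evaluated against the object ARN (bucket/key), which
# the bare bucket ARN in the policy never matches either.
NEEDED = [
    ("s3:GetBucketLocation", "arn:aws:s3:::sparkify-dend-analytics"),                   # granted
    ("s3:ListBucket", "arn:aws:s3:::sparkify-dend-analytics"),                          # action not listed
    ("s3:GetObject", "arn:aws:s3:::sparkify-dend-analytics/prod/terraform.tfstate"),    # object ARN vs bucket ARN
    ("ec2:DescribeVpcs", "*"),                                                          # needs Resource "*"
    ("ec2:CreateSubnet", "arn:aws:ec2:us-west-2:xxxxxxxxxxxx:vpc/vpc-xxxxxxxxxxxxxxxxxxx"),  # granted
    ("glue:GetJob", "arn:aws:glue:us-west-2:xxxxxxxxxxxx:job/*"),                       # no glue statement
]

if __name__ == "__main__":
    for action, resource in missing_permissions(POLICY, NEEDED):
        print(f"implicit deny: {action} on {resource}")
```

The two findings this makes visible for the posted policy are that the whole VPC-scoped EC2 statement grants none of the Describe* calls Terraform needs to read state from AWS (the AmazonVPCFullAccess managed policy from attempt 2 grants its EC2 actions on Resource "*"), and that the S3 statement names only the bucket ARN, so object-level actions on bucket/key never match and s3:ListBucket is absent altogether. The authoritative check is `aws iam simulate-principal-policy --policy-source-arn <role ARN> --action-names ec2:DescribeVpcs`, and the Service Authorization Reference lists which actions accept resource-level permissions.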