我正在尝试执行包含以下资源的 cloudformation 堆栈:
- 代码构建项目
- Codepipeline 管道
- 所需角色
尝试执行堆栈时,失败并出现以下错误:
arn:aws:iam::ACCOUNT_ID:role/CodePipelineRole is not authorized to perform AssumeRole on role arn:aws:iam::ACCOUNT_ID:role/CodePipelineRole (Service: AWSCodePipeline; Status Code: 400; Error Code: InvalidStructureException; Request ID: 7de2b1c6-a432-47e6-8208-2c0072ebaf4b)
我使用托管策略创建了该角色,但我已经尝试过使用普通策略,但它也不起作用。
这是角色政策:
CodePipelinePolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: 'This policy grants permissions to a service role to enable Codepipeline to use multiple AWS Resources on the users behalf'
Path: "/"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Resource: "*"
Effect: "Allow"
Condition: {}
Action:
- autoscaling:*
- cloudwatch:*
- cloudtrail:*
- cloudformation:*
- codebuild:*
- codecommit:*
- codedeploy:*
- codepipeline:*
- ec2:*
- ecs:*
- ecr:*
- elasticbeanstalk:*
- elasticloadbalancing:*
- iam:*
- lambda:*
- logs:*
- rds:*
- s3:*
- sns:*
- ssm:*
- sqs:*
- kms:*
这就是角色
CodePipelineRole:
Type: "AWS::IAM::Role"
Properties:
RoleName: !Sub ${EnvironmentName}-CodePipelineRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Action:
- 'sts:AssumeRole'
Effect: Allow
Principal:
Service:
- codepipeline.amazonaws.com
Path: /
ManagedPolicyArns:
- !Ref CodePipelinePolicy
最让我感兴趣的是,CodePipelineRole 似乎正在尝试自行承担角色。我不明白这里会发生什么。
当我将策略的操作设置为 * 时,它起作用了!我不知道可能缺少哪些权限。
谢谢
最佳答案
这与您创建的角色(即 CodePipelineRole)的信任关系有关
转到 IAM 中的角色
选择“信任关系”选项卡...
然后编辑信任关系以包含 codepipeline
"Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "codepipeline.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }```
关于amazon-web-services - AWS Cloudformation 角色无权对角色执行 AssumeRole,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/53436197/