amazon-web-services - AWS eb create 失败 - 用户无权执行 : autoscaling

Question

我正在使用 aws 部署我的项目。我已经安装了 eb cli，并在运行 eb create 并选择默认选项时将项目上传到 S3:

Uploading udagram-myuser-dev/app-200712_154053.zip to S3. This may take a while.
Upload Complete.
Environment details for: udagram-myuser-dev-dev4
  Application name: udagram-myuser-dev
  Region: us-east-1
  Deployed Version: app-200712_154053
  Environment ID: e-kjqwp5hmec
  Platform: arn:aws:elasticbeanstalk:us-east-1::platform/Node.js 12 running on 64bit Amazon Linux 2/5.1.0
  Tier: WebServer-Standard-1.0
  CNAME: udagram-myuser-dev-dev4.us-east-1.elasticbeanstalk.com
  Updated: 2020-07-12 13:40:59.026000+00:00

但是，我收到错误:

Printing Status:
2020-07-12 13:40:57    INFO    createEnvironment is starting.
2020-07-12 13:40:59    INFO    Using elasticbeanstalk-us-east-1-087232098494 as Amazon S3 storage bucket for environment data.
2020-07-12 13:41:19    INFO    Created target group named: arn:aws:elasticloadbalancing:us-east-1:087232098494:targetgroup/awseb-AWSEB-5K4TX808XT7/debd1eceb7173e02
2020-07-12 13:41:19    INFO    Created security group named: sg-02b8b3f3c5a3f0980
2020-07-12 13:41:35    INFO    Created security group named: awseb-e-kjqwp5hmec-stack-AWSEBSecurityGroup-DR1EWHJA2HMS
2020-07-12 13:41:50    ERROR   Stack named 'awseb-e-kjqwp5hmec-stack' aborted operation. Current state: 'CREATE_FAILED'  Reason: The following resource(s) failed to create: [AWSEBV2LoadBalancer, AWSEBAutoScalingGroup]. 
2020-07-12 13:41:50    ERROR   Creating Auto Scaling group failed Reason: API: autoscaling:CreateAutoScalingGroup User: arn:aws:iam::087232098494:user/udagram-myuser-dev is not authorized to perform: autoscaling:CreateAutoScalingGroup on resource: arn:aws:autoscaling:us-east-1:087232098494:autoScalingGroup:*:autoScalingGroupName/awseb-e-kjqwp5hmec-stack-AWSEBAutoScalingGroup-1D5XFNTTBU9AM with an explicit deny
2020-07-12 13:41:50    ERROR   Creating load balancer named: arn:aws:elasticloadbalancing:us-east-1:087232098494:loadbalancer/app/awseb-AWSEB-2RDS14S53WYD/615ad3ef19b80f90 failed Reason: Resource creation cancelled
2020-07-12 13:41:52    INFO    Launched environment: udagram-myuser-dev-dev4. However, there were issues during launch. See event log for details.
                                
ERROR: ServiceError - Launched environment: udagram-myuser-dev-dev4. However, there were issues during launch. See event log for details.

我不知道为什么会收到此错误，因为 myuser 将 AWSElasticBeanstalkFullAccess 作为 IAM 权限中的策略附加。 在运行 eb status --verbose 时，我得到:

INFO: Traceback (most recent call last):
  File "/Users/myuser/.ebcli-virtual-env/lib/python3.7/site-packages/ebcli/lib/aws.py", line 212, in make_api_call
    response_data = operation(**operation_options)
  File "/Users/myuser/.ebcli-virtual-env/lib/python3.7/site-packages/botocore/client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Users/myuser/.ebcli-virtual-env/lib/python3.7/site-packages/botocore/client.py", line 626, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.LoadBalancerNotFoundException: An error occurred (LoadBalancerNotFound) when calling the DescribeTargetGroups operation: Load balancer 'arn:aws:elasticloadbalancing:us-east-1:087232098494:loadbalancer/app/awseb-AWSEB-ULG8J44BG8P3/8d3169781c72a079' not found

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/myuser/.ebcli-virtual-env/lib/python3.7/site-packages/ebcli/lib/elbv2.py", line 62, in get_target_groups_for_load_balancer
    LoadBalancerArn=load_balancer_arn
  File "/Users/myuser/.ebcli-virtual-env/lib/python3.7/site-packages/ebcli/lib/elbv2.py", line 24, in _make_api_call
    return aws.make_api_call('elbv2', operation_name, **operation_options)
  File "/Users/myuser/.ebcli-virtual-env/lib/python3.7/site-packages/ebcli/lib/aws.py", line 221, in make_api_call
    _handle_response_code(e.response, attempt, aggregated_error_message)
  File "/Users/myuser/.ebcli-virtual-env/lib/python3.7/site-packages/ebcli/lib/aws.py", line 275, in _handle_response_code
    raise error
ebcli.objects.exceptions.ServiceError: Load balancer 'arn:aws:elasticloadbalancing:us-east-1:087232098494:loadbalancer/app/awseb-AWSEB-ULG8J44BG8P3/8d3169781c72a079' not found

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/myuser/.ebcli-virtual-env/lib/python3.7/site-packages/ebcli/core/ebrun.py", line 62, in run_app
    app.run()
  File "/Users/myuser/.ebcli-virtual-env/lib/python3.7/site-packages/cement/core/foundation.py", line 797, in run
    return_val = self.controller._dispatch()
  File "/Users/myuser/.ebcli-virtual-env/lib/python3.7/site-packages/cement/core/controller.py", line 472, in _dispatch
    return func()
  File "/Users/myuser/.ebcli-virtual-env/lib/python3.7/site-packages/cement/core/controller.py", line 478, in _dispatch
    return func()
  File "/Users/myuser/.ebcli-virtual-env/lib/python3.7/site-packages/ebcli/core/abstractcontroller.py", line 92, in default
    self.do_command()
  File "/Users/myuser/.ebcli-virtual-env/lib/python3.7/site-packages/ebcli/controllers/status.py", line 30, in do_command
    statusops.status(app_name, env_name, verbose)
  File "/Users/myuser/.ebcli-virtual-env/lib/python3.7/site-packages/ebcli/operations/statusops.py", line 130, in status
    _print_information_about_elb_and_instances(env_name) if verbose else None
  File "/Users/myuser/.ebcli-virtual-env/lib/python3.7/site-packages/ebcli/operations/statusops.py", line 190, in _print_information_about_elb_and_instances
    _print_elbv2_health_stats(load_balancer_name, instances)
  File "/Users/myuser/.ebcli-virtual-env/lib/python3.7/site-packages/ebcli/operations/statusops.py", line 197, in _print_elbv2_health_stats
    in elbv2.get_target_groups_for_load_balancer(load_balancer_name)
  File "/Users/myuser/.ebcli-virtual-env/lib/python3.7/site-packages/ebcli/lib/elbv2.py", line 65, in get_target_groups_for_load_balancer
    raise NotFoundError(e)
ebcli.objects.exceptions.NotFoundError: Load balancer 'arn:aws:elasticloadbalancing:us-east-1:087232098494:loadbalancer/app/awseb-AWSEB-ULG8J44BG8P3/8d3169781c72a079' not found

我有以下 AWS 托管默认策略:管理员访问权限、AWSElasticBeanstalkFullAccess 和 IAMUserChangePassword，以及附加的自定义组策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetAccessPoint",
                "s3:PutAccountPublicAccessBlock",
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3:ListAccessPoints",
                "s3:ListJobs",
                "s3:CreateJob",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::udagram-myuser-dev/*",
                "arn:aws:s3:::udagram-myuser-dev"
            ]
        }
    ]
}

我需要做什么才能成功部署到 AWS？

Answer 1

编辑

该帐户是类(class)的一部分，可能的原因是服务控制策略拒绝访问特定服务。

原创

错误消息表明用户已被明确拒绝执行此操作。

is not authorized to perform: autoscaling:CreateAutoScalingGroup on resource: with an explicit deny

您需要查看附加的其他策略并删除明确阻止访问的拒绝语句。

对于 AWS 权限，添加拒绝语句将始终优先于权限，即使您已添加允许语句也是如此。

有关政策评估的更多信息，请查看Policy Evaluation Logic页。