I created a CodeBuild project in a custom VPC and private subnet. The private subnet has internet access, and the AWS console also confirms internet connectivity for this CodeBuild project. I keep getting a VPC_CLIENT_ERROR: Unexpected EC2 error: UnauthorizedOperation error in the provisioning phase of the build. Something must be missing from my service role policy, but I don't know what.

Here is the CodeBuild project (Terraform):

resource "aws_codebuild_project" "frontend" {
  name          = "frontend"
  build_timeout = "5"
  service_role  = "${aws_iam_role.frontend_build.arn}"

  artifacts {
    type           = "S3"
    location       = "frontend.myapp.com"
    namespace_type = "NONE"
    packaging      = "NONE"
    path           = "public"
  }

  environment {
    compute_type                = "BUILD_GENERAL1_SMALL"
    image                       = "aws/codebuild/standard:1.0"
    type                        = "LINUX_CONTAINER"
    image_pull_credentials_type = "CODEBUILD"

    environment_variable {
      name  = "SOME_KEY1"
      value = "SOME_VALUE1"
    }
  }

  logs_config {
    cloudwatch_logs {
      group_name  = "build"
      stream_name = "frontend-build"
    }
  }

  source {
    type                = "GITHUB"
    location            = "https://github.com/MyOrg/my-repo.git"
    git_clone_depth     = 1
    report_build_status = true

    auth {
      type = "OAUTH"
    }
  }

  vpc_config {
    vpc_id             = module.vpc.vpc_id
    subnets            = module.vpc.private_subnets
    security_group_ids = [aws_security_group.build.id]
  }
}

Here is the service role for this CodeBuild project:

resource "aws_iam_role" "frontend_build" {
  name = "frontend-build"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "codebuild.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

Here is the policy for that role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ec2:CreateNetworkInterfacePermission",
      "Resource": "arn:aws:ec2:us-east-1:371508653482:network-interface/*",
      "Condition": {
        "StringEquals": {
          "ec2:AuthorizedService": "codebuild.amazonaws.com",
          "ec2:Subnet": "subnet-124641af7a83bf872"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeVpcs",
        "ecr:BatchCheckLayerAvailability",
        "ecr:CompleteLayerUpload",
        "ecr:GetAuthorizationToken",
        "ecr:InitiateLayerUpload",
        "ecr:PutImage",
        "ecr:UploadLayerPart",
        "ecs:RunTask",
        "iam:PassRole",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "ssm:GetParameters"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:GetAuthorizationToken",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "logs:CreateLogGroup",
        "logs:PutLogEvents",
        "ecr:BatchCheckLayerAvailability"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::xxx-frontend-build-logs",
        "arn:aws:s3:::xxx-frontend-build-logs/*"
      ]
    }
  ]
}

Here is the security group for the CodeBuild project:

resource "aws_security_group" "build" {
  name   = "build"
  vpc_id = module.vpc.vpc_id
}

resource "aws_security_group_rule" "build_egress" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.build.id
}

If you are not comfortable providing the subnet ID in the policy, you can also use StringLike:

{
  "Effect": "Allow",
  "Action": [
    "ec2:CreateNetworkInterfacePermission"
  ],
  "Resource": "arn:aws:ec2:*:*:network-interface/*",
  "Condition": {
    "StringLike": {
      "ec2:Subnet": [
        "arn:aws:ec2:*:*:subnet/*"
      ],
      "ec2:AuthorizedService": "codebuild.amazonaws.com"
    }
  }
}

It looks to me like the CodeBuild service role is unable to create an ENI in the VPC. The problem seems to be this line in the CodeBuild role policy:

{
  "Sid": "VisualEditor0",
  "Effect": "Allow",
  "Action": "ec2:CreateNetworkInterfacePermission",
  "Resource": "arn:aws:ec2:us-east-1:371508653482:network-interface/*",
  "Condition": {
    "StringEquals": {
      "ec2:AuthorizedService": "codebuild.amazonaws.com",
      "ec2:Subnet": "subnet-124641af7a83bf872" <================= Need full ARN here
    }
  }
},

Instead of:

"Condition": {
  "StringEquals": {
    "ec2:AuthorizedService": "codebuild.amazonaws.com",
    "ec2:Subnet": "subnet-124641af7a83bf872"
  }
}

Try...

"Condition": {
  "StringEquals": {
    "ec2:Subnet": [
      "arn:aws:ec2:region:account-id:subnet/subnet-124641af7a83bf872"
    ],
    "ec2:AuthorizedService": "codebuild.amazonaws.com"
  }
}

Details here: [1]

References: [1] Using identity-based policies for CodeBuild - Allow CodeBuild access to AWS services required to create a VPC network interface - https://docs.aws.amazon.com/codebuild/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html#customer-managed-policies-example-create-vpc-network-interface
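
A lint check for the mistake identified in the answer above, as an added example that is not part of the original thread: it flags `ec2:Subnet` condition values that are not subnet ARNs and models why a bare subnet ID never equals the ARN seen at evaluation time. The function names, the simplified condition matching and the sample ARN are assumptions made for this illustration.

```python
import fnmatch
import re

# Shape of a subnet ARN, the form the answer above says ec2:Subnet must take.
SUBNET_ARN = re.compile(r"^arn:[^:]+:ec2:[^:]*:[^:]*:subnet/.+$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def find_bad_subnet_conditions(policy):
    """Return (sid, operator, value) for each ec2:Subnet value that is not an ARN."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        for operator, keys in stmt.get("Condition", {}).items():
            for key, values in keys.items():
                if key.lower() != "ec2:subnet":
                    continue
                for value in _as_list(values):
                    if not SUBNET_ARN.match(value):
                        findings.append((stmt.get("Sid", "<no Sid>"), operator, value))
    return findings

def condition_matches(operator, pattern, context_value):
    """Simplified model of one StringEquals / StringLike comparison."""
    if operator == "StringEquals":
        return pattern == context_value
    if operator == "StringLike":  # fnmatch approximates IAM's * and ? wildcards
        return fnmatch.fnmatchcase(context_value, pattern)
    raise ValueError(f"unsupported operator: {operator}")

def statement(subnet_value, operator="StringEquals"):
    """Build the CreateNetworkInterfacePermission statement from the page."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "VisualEditor0", "Effect": "Allow",
        "Action": "ec2:CreateNetworkInterfacePermission",
        "Resource": "arn:aws:ec2:us-east-1:371508653482:network-interface/*",
        "Condition": {operator: {
            "ec2:AuthorizedService": "codebuild.amazonaws.com",
            "ec2:Subnet": subnet_value}}}]}

# Constructed sample values: subnet ID, region and account ID as shown on the page.
SUBNET_ID = "subnet-124641af7a83bf872"
CONTEXT_ARN = f"arn:aws:ec2:us-east-1:371508653482:subnet/{SUBNET_ID}"

if __name__ == "__main__":
    for value in (SUBNET_ID, [CONTEXT_ARN]):
        print(value, "->", find_bad_subnet_conditions(statement(value)) or "ok")
    print("bare ID matches ARN:", condition_matches("StringEquals", SUBNET_ID, CONTEXT_ARN))
```

Pinning `ec2:Subnet` to the exact subnet ARNs keeps the permission narrower than the `arn:aws:ec2:*:*:subnet/*` wildcard, which passes this check but allows any subnet.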