问题：

CodeBuild无法创建日志

孔驰

2023-03-14

通过CloudFormation生成的CodeBuild服务的角色如下

  CodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${PipelineName}-codebuild'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Effect: Allow
          Principal:
            Service: codebuild.amazonaws.com
          Action: sts:AssumeRole
      Policies:
        - PolicyName: !Sub '${PipelineName}-codebuild'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Resource:
                - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}'
                - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}/*'
                Action:
                - 'logs:CreateLogGroup'
                - 'logs:CreateLogStream'
                - 'logs:PutLogEvents'
              - Effect: Allow
                Resource:
                  - !Sub 'arn:aws:s3:::codepipeline-${AWS::Region}-*/*'
                Action:
                  - 's3:GetObject'
                  - 's3:GetObjectVersion'
                  - 's3:PutObject'
              - Effect: Allow
                Resource:
                  - !GetAtt [PipelineArtifactStore, Arn]
                Action:
                  - 's3:PutObject'

怎么了

- !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}'
- !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}/*'

为什么CodeBuild不能写日志？

服务角色arn：AWS：iam：：598xxx:role/Skynet-Codebuild不允许AWS CodeBuild为构建创建Amazon CloudWatch日志日志流arn：AWS：CodeBuild：ap-southeast-1:598xxx:build/Skynet-lambda:544xxx-AA88945844fa。错误消息：用户：arn：aws：sts：：598xxx:Assumed-role/SkyNet-CodeBuild/AWScodeBuild-544xxx-AA88945844fa未被授权对资源执行：logs：createLogStream：arn：aws：logs：ap-southeast-1:598xxx:log-group：/Aws/CodeBuild/SkyNet-lambda：log-Stream:544xxx-AA88945844fa。服务角色arn：AWS：iam：：598xxx:role/Skynet-Codebuild不允许AWS CodeBuild为构建创建Amazon CloudWatch日志日志流arn：AWS：CodeBuild：ap-southeast-1:598xxx:build/Skynet-lambda:544xxx-AA88945844fa。错误消息：用户：arn：aws：sts：：598xxx：Assumed-role/SkyNet-CodeBuild/AWScodeBuild-544xxx-AA88945844fa未被授权对资源执行：logs：CreateLogStream：arn：aws：logs：ap-southeast-1:598xxx：log-group：/Aws/CodeBuild/SkyNet-lambda：log-Stream:544xxx-AA88945844fa

更新：完整的cloudformation模板供参考

AWSTemplateFormatVersion : '2010-09-09'
Description: 'Skynet stack for CodePipeline'

Parameters:
  PipelineName:
    Type: String
    Description: Pipeline Name (Lower case only, since S3 bucket names can only have lowercase)
    Default: skynet
  GitHubOwner:
    Type: String
    Description: GitHub Owner/Username
  GitHubRepo:
    Type: String
    Description: GitHub Repo
    Default: '2359media/skynet'
  GitHubBranch:
    Type: String
    Description: GitHub Branch
    Default: master
  GitHubToken:
    Type: String
    Description: GitHub Token
    NoEcho: true

Resources:
  Pipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      Name: !Ref PipelineName
      RoleArn: !GetAtt [PipelineRole, Arn]
      ArtifactStore:
        Location: !Ref PipelineArtifactStore
        Type: S3
      DisableInboundStageTransitions: []
      Stages:
        - Name: GitHubSource
          Actions:
          - Name: Source
            ActionTypeId:
              Category: Source
              Owner: ThirdParty
              Version: 1
              Provider: GitHub
            Configuration:
              Owner: !Ref GitHubOwner
              Repo: !Ref GitHubRepo
              Branch: !Ref GitHubBranch
              OAuthToken: !Ref GitHubToken
            OutputArtifacts:
              - Name: SourceCode
        - Name: Build
          Actions:
          - Name: Lambda
            InputArtifacts:
              - Name: SourceCode
            OutputArtifacts:
              - Name: LambdaPackage
            ActionTypeId:
              Category: Build
              Owner: AWS
              Version: 1
              Provider: CodeBuild
            Configuration:
              ProjectName: !Ref CodeBuildLambda
        - Name: Deploy
          Actions:
          - Name: Lambda
            InputArtifacts:
              - Name: LambdaPackage
            OutputArtifacts:
              - Name: LambdaDeployment
            ActionTypeId:
              Category: Deploy
              Owner: AWS
              Version: 1
              Provider: CloudFormation
            Configuration:
              ActionMode: CHANGE_SET_REPLACE
              RoleArn: !GetAtt [CloudFormationRole, Arn]
              StackName: !Ref AWS::StackName
              TemplatePath: 'Template::lambda/sam.yml'

  CodeBuildLambda:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub '${PipelineName}-lambda'
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/nodejs:7.0.0
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: S3_BUCKET
            Value: !Ref PipelineArtifactStore
      ServiceRole: !Ref CodeBuildRole
      Source:
        BuildSpec: 'lambda/buildspec.yml'
        Type: CODEPIPELINE

  PipelineArtifactStore:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub '${PipelineName}-pipeline-artifacts'
      VersioningConfiguration:
        Status: Enabled

  CodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${PipelineName}-codebuild'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Effect: Allow
          Principal:
            Service: codebuild.amazonaws.com
          Action: sts:AssumeRole
      Policies:
        - PolicyName: !Sub '${PipelineName}-codebuild'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Resource:
                - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*'
                Action:
                - 'logs:CreateLogGroup'
                - 'logs:CreateLogStream'
                - 'logs:PutLogEvents'
              - Effect: Allow
                Resource:
                  - !Sub 'arn:aws:s3:::codepipeline-${AWS::Region}-*/*'
                  - !Sub
                    - '${PipelineArtifactStoreArn}/*'
                    - {PipelineArtifactStoreArn: !GetAtt [PipelineArtifactStore, Arn]}
                Action:
                  - 's3:GetObject'
                  - 's3:GetObjectVersion'
                  - 's3:PutObject'

  CloudFormationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${PipelineName}-cloudformation'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service: cloudformation.amazonaws.com
          Action:
          - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AWSLambdaExecute'
      Policies:
        - PolicyName: !Sub '${PipelineName}-cloudformation'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Resource: '*'
                Action:
                - 's3:GetObject'
                - 's3:GetObjectVersion'
                - 's3:GetBucketVersioning'
              - Effect: Allow
                Resource: 'arn:aws:s3:::codepipeline*'
                Action:
                - 's3:PutObject'
              - Effect: Allow
                Resource: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*'
                Action:
                - 'lambda:*'
              - Effect: Allow
                Resource: !Sub 'arn:aws:apigateway:${AWS::Region}::*'
                Action:
                - 'apigateway:*'
              - Effect: Allow
                Resource: !Sub 'arn:aws:iam::${AWS::Region}:role/*'
                Action:
                - 'iam:GetRole'
                - 'iam:CreateRole'
                - 'iam:DeleteRole'
                - 'iam:AttachRolePolicy'
                - 'iam:DetachRolePolicy'
              - Effect: Allow
                Resource: '*'
                Action:
                - 'iam:PassRole'
              - Effect: Allow
                Resource: !Sub 'arn:aws:cloudformation:${AWS::Region}:aws:transform/Serverless-2016-10-31'
                Action:
                - 'cloudformation:CreateChangeSet'

  PipelineRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${PipelineName}-pipeline'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Action: ['sts:AssumeRole']
          Effect: Allow
          Principal:
            Service: [codepipeline.amazonaws.com]
      Path: /
      Policies:
        - PolicyName: SkynetPipeline
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Action:
                - 's3:GetObject'
                - 's3:GetObjectVersion'
                - 's3:GetBucketVersioning'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                - 's3:PutObject'
                Effect: 'Allow'
                Resource:
                - !GetAtt [PipelineArtifactStore, Arn]
              - Action:
                - 'codecommit:CancelUploadArchive'
                - 'codecommit:GetBranch'
                - 'codecommit:GetCommit'
                - 'codecommit:GetUploadArchiveStatus'
                - 'codecommit:UploadArchive'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                - 'codedeploy:CreateDeployment'
                - 'codedeploy:GetApplicationRevision'
                - 'codedeploy:GetDeployment'
                - 'codedeploy:GetDeploymentConfig'
                - 'codedeploy:RegisterApplicationRevision'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                - 'elasticbeanstalk:*'
                - 'ec2:*'
                - 'elasticloadbalancing:*'
                - 'autoscaling:*'
                - 'cloudwatch:*'
                - 's3:*'
                - 'sns:*'
                - 'cloudformation:*'
                - 'rds:*'
                - 'sqs:*'
                - 'ecs:*'
                - 'iam:PassRole'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                - 'lambda:InvokeFunction'
                - 'lambda:ListFunctions'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                - 'opsworks:CreateDeployment'
                - 'opsworks:DescribeApps'
            - 'opsworks:DescribeCommands'
            - 'opsworks:DescribeDeployments'
            - 'opsworks:DescribeInstances'
            - 'opsworks:DescribeStacks'
            - 'opsworks:UpdateApp'
            - 'opsworks:UpdateStack'
            Effect: 'Allow'
            Resource: '*'
          - Action:
            - 'cloudformation:CreateStack'
            - 'cloudformation:DeleteStack'
            - 'cloudformation:DescribeStacks'
            - 'cloudformation:UpdateStack'
            - 'cloudformation:CreateChangeSet'
            - 'cloudformation:DeleteChangeSet'
            - 'cloudformation:DescribeChangeSet'
            - 'cloudformation:ExecuteChangeSet'
            - 'cloudformation:SetStackPolicy'
            - 'cloudformation:ValidateTemplate'
            - 'iam:PassRole'
            Effect: 'Allow'
            Resource: '*'
          - Action:
            - 'codebuild:BatchGetBuilds'
            - 'codebuild:StartBuild'
            Effect: 'Allow'
            Resource: '*'

堵琨

2023-03-14

在您赋予角色的值和它所期望的值之间可能会有一些细微的差别。

您创建的角色名称似乎基于${PipelineName}-codeBuild，它似乎解析为Skynet-codeBuild，因此基于此，PipelineName为Skynet。在策略中，您将为资源arn:aws:logs:${aws::region}：${aws::accountid}：log-group:/aws/codebuild/${PipelineName}授予对logs:createLoggroup的访问权限。从您的错误中我可以得到的信息应该是arn:aws:logs:ap-southeast-1:598xxx:log-group:/aws/codebuild/skynet:log-stream:...，但实际上是arn:aws:logs:ap-southeast-1:598xxx:log-group/aws/codebuild/skynet-lambda:log-stream:...

您的CodeBuild项目是否可能实际上被称为${PipelineName}-lambda？一种可以更容易地解决这一问题的方法是在策略中使用如下语句：

- Effect: Allow
  Resource:
  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}-*'
  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}-*/*'
  Action:
  - 'logs:CreateLogGroup'
  - 'logs:CreateLogStream'

这将允许您的代码生成创建日志组和日志流，其中代码生成以pipelinename-的名称开头。

更新：感谢完整的CloudFormation模板。正如预期的那样，您的CodeBuild项目名为${PipelineName}-lambda，这就是您的策略不匹配的原因。如果要授权仅为该项目创建日志,则需要将语句替换为以下语句：

- Effect: Allow
  Resource:
  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}-lambda'
  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}-lambda/*'
  Action:
  - 'logs:CreateLogGroup'
  - 'logs:CreateLogStream'

CodeBuild无法创建日志

共有1个答案

相关问答

相关文章

相关阅读

相关工具

相关文档