AWS Cloudformation Role is not authorized to perform AssumeRole on Role
Problem description
I am trying to execute a cloudformation stack which contains the following resources:
- A CodeBuild project
- A CodePipeline pipeline
- The required roles
While trying to execute the stack, it fails with the following error:
arn:aws:iam::ACCOUNT_ID:role/CodePipelineRole is not authorized to perform AssumeRole on role arn:aws:iam::ACCOUNT_ID:role/CodePipelineRole (Service: AWSCodePipeline; Status Code: 400; Error Code: InvalidStructureException; Request ID: 7de2b1c6-a432-47e6-8208-2c0072ebaf4b)
I created the role using a managed policy, but I have already tried with a normal policy and it does not work either.
This is the role policy:

```yaml
CodePipelinePolicy:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    Description: 'This policy grants permissions to a service role to enable Codepipeline to use multiple AWS Resources on the users behalf'
    Path: "/"
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Resource: "*"
          Effect: "Allow"
          Condition: {}
          Action:
            - autoscaling:*
            - cloudwatch:*
            - cloudtrail:*
            - cloudformation:*
            - codebuild:*
            - codecommit:*
            - codedeploy:*
            - codepipeline:*
            - ec2:*
            - ecs:*
            - ecr:*
            - elasticbeanstalk:*
            - elasticloadbalancing:*
            - iam:*
            - lambda:*
            - logs:*
            - rds:*
            - s3:*
            - sns:*
            - ssm:*
            - sqs:*
            - kms:*
```
This is the role:

```yaml
CodePipelineRole:
  Type: "AWS::IAM::Role"
  Properties:
    RoleName: !Sub ${EnvironmentName}-CodePipelineRole
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Action:
            - 'sts:AssumeRole'
          Effect: Allow
          Principal:
            Service:
              - codepipeline.amazonaws.com
    Path: /
    ManagedPolicyArns:
      - !Ref CodePipelinePolicy
```
What intrigues me the most is that it seems like CodePipelineRole is trying to AssumeRole to itself. I'm not understanding what can be happening here.
And when I set the policy's action to *, it works! I don't know what permissions could be missing.
Thanks
Recommended answer
It is to do with the trust relationship for the role you have created, i.e. CodePipelineRole.

- Go to the Role in IAM
- Select the Trust Relationships tab ...
- Then Edit Trust Relationship to include codepipeline:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codepipeline.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
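As an added check for the trust-relationship point made in the answer (example code written for this page, not from the question, the answer, or any AWS tool): a small offline evaluator that reads a role's trust policy JSON and reports whether a given service principal is allowed to call sts:AssumeRole. It normalises IAM's string-or-list fields, matches action names with IAM's case-insensitive wildcards, lets an explicit Deny win over any Allow, and flags two things a reviewer wants to see before deploying: a statement with a Condition (whose outcome cannot be decided statically) and a bare `"Principal": "*"` (which trusts everyone, not just the service). The function and sample policies below are constructed for this example; the first sample is the answer's trust policy, the second trusts only EC2 and is what the question's error looks like from CodePipeline's side.

```python
import fnmatch
import json

# Constructed sample input: the trust relationship from the answer above,
# as the JSON document you would paste into the IAM console.
CODEPIPELINE_TRUST_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Service": ["codepipeline.amazonaws.com"]},
      "Action": "sts:AssumeRole"
    }
  ]
}
"""

# Constructed sample input: a trust policy that only trusts EC2, so CodePipeline
# would get "is not authorized to perform AssumeRole" on this role.
EC2_ONLY_TRUST_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}
  ]
}
"""


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names match case-insensitively and may contain '*' / '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_names_service(stmt, service):
    """True if the statement's Principal element covers the given service principal."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True  # anonymous principal: anyone, which includes the service
    if not isinstance(principal, dict):
        return False
    return service.lower() in (s.lower() for s in _as_list(principal.get("Service")))


def check_trust_policy(trust_policy, service="codepipeline.amazonaws.com"):
    """Statically evaluate whether `service` may call sts:AssumeRole on the role
    whose trust policy (JSON text or parsed dict) is given.

    Returns {"allowed": bool, "findings": [str, ...]}. An explicit Deny wins over
    any Allow, mirroring IAM's evaluation order. Statements carrying a Condition
    are reported because their outcome depends on request context this offline
    check cannot see (hypothetical helper, not an AWS API).
    """
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    allowed = False
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if not _statement_names_service(stmt, service):
            continue
        if not any(_action_matches(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Principal") == "*":
            findings.append('Principal "*" lets any principal assume this role')
        if stmt.get("Condition"):
            findings.append("statement has a Condition; result depends on request context")
        if stmt.get("Effect") == "Deny":
            return {"allowed": False, "findings": findings + [f"explicit Deny for {service}"]}
        if stmt.get("Effect") == "Allow":
            allowed = True
    if not allowed:
        findings.append(f"no Allow statement grants sts:AssumeRole to {service}; "
                        "add it under Trust Relationships")
    return {"allowed": allowed, "findings": findings}


if __name__ == "__main__":
    for name, policy in [("answer's policy", CODEPIPELINE_TRUST_POLICY),
                         ("ec2-only policy", EC2_ONLY_TRUST_POLICY)]:
        result = check_trust_policy(policy)
        print(name, "->", "trusted" if result["allowed"] else "NOT trusted", result["findings"])
```

Run it against the `AssumeRolePolicyDocument` of each role in a template before `aws cloudformation deploy`; a role whose check comes back "NOT trusted" for codepipeline.amazonaws.com is the one that will produce the error quoted in the question, and a `"Principal": "*"` finding is a trust policy that should be narrowed to the service that actually needs it.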