AWS CodeDeploy: service role cannot assume the provided role
Problem description:
I am trying to set up CodeDeploy with my GitHub and have run into some problems.
I have created a service role with the AWSCodeDeployRole policy, as mentioned in the documentation.
During the creation of my CodeDeploy application I get an error:
Cannot assume role provided.
As far as I can see, my role with AWSCodeDeployRole has a lot of autoscaling permissions, but that does not seem to be what is expected of me:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CompleteLifecycleAction",
        "autoscaling:DeleteLifecycleHook",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:PutLifecycleHook",
        "autoscaling:RecordLifecycleActionHeartbeat",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:EnableMetricsCollection",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribePolicies",
        "autoscaling:DescribeScheduledActions",
        "autoscaling:DescribeNotificationConfigurations",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:AttachLoadBalancers",
        "autoscaling:PutScalingPolicy",
        "autoscaling:PutScheduledUpdateGroupAction",
        "autoscaling:PutNotificationConfiguration",
        "autoscaling:PutLifecycleHook",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DeleteAutoScalingGroup",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:TerminateInstances",
        "tag:GetTags",
        "tag:GetResources",
        "sns:Publish",
        "cloudwatch:DescribeAlarms",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
      ],
      "Resource": "*"
    }
  ]
}
After some googling, I found that the CodeDeploy application may expect something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codedeploy.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
But when I try to create this policy manually, it also fails with the error:
This policy contains the following error: Has prohibited field Principal. For more information about the IAM policy grammar, see AWS IAM Policies.
So, what service role does the CodeDeploy application expect?
By the way, CodeDeploy is running on my EC2 instance.
Answer
Well, following @Michael's comment, I found that there were some differences in the Trust relationships policy of the Service role.
It looks like the default AWSCodeDeployRole does not handle CodeDeploy correctly.
To fix it, I replaced "Service": [ "ec2.amazonaws.com"] with "Service": [ "codedeploy.amazonaws.com"] and it works!
+0
Nice find, mate. It should be the default! – user25794
I believe you are confusing the permissions policy with the [trust relationship policy](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html). They are both policies with a similar syntax, but their purposes differ: the former specifies the actions the role is allowed or denied (e.g. autoscaling actions), the latter specifies which entities (principals) may assume the role (e.g. the 'codedeploy.amazonaws.com' service principal). –
Well, the trust relationship of my "Service role" looks like this: '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }' – smart
Do you see the similarity between this and the policy you found while googling? 'codedeploy' vs 'ec2'? –
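As an added illustration (not code from the question, the answer or AWS), the following Python check tells the two policy types discussed in this thread apart and tests whether a given service principal is allowed to assume a role, run over the three documents quoted above. The function names and the sample documents are my own.

```python
import json

# Constructed copies of the documents from this thread (the permissions policy is
# shortened to two actions; the check only looks at its shape, not the action list).
PERMISSIONS_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["autoscaling:DescribeAutoScalingGroups", "ec2:DescribeInstances"],
   "Resource": "*"}]}''')

EC2_TRUST = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
   "Action": "sts:AssumeRole"}]}''')

CODEDEPLOY_TRUST = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Sid": "", "Effect": "Allow", "Principal": {"Service": ["codedeploy.amazonaws.com"]},
   "Action": "sts:AssumeRole"}]}''')


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_trust_policy(doc):
    """A trust policy (assume-role document) names a Principal in every statement;
    an identity/permissions policy must not ("Has prohibited field Principal")."""
    statements = _as_list(doc.get("Statement", []))
    return bool(statements) and all("Principal" in s for s in statements)


def service_can_assume(trust_doc, service):
    """True if some Allow statement grants sts:AssumeRole to `service` (or to "*")
    and no Deny statement for the same service blocks it."""
    allowed = False
    for stmt in _as_list(trust_doc.get("Statement", [])):
        principal = stmt.get("Principal", {})
        matches = principal == "*" or service in _as_list(principal.get("Service", [])) \
            if isinstance(principal, (str, dict)) else False
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not matches or "sts:assumerole" not in actions:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


if __name__ == "__main__":
    svc = "codedeploy.amazonaws.com"
    for name, doc in [("permissions", PERMISSIONS_POLICY), ("ec2 trust", EC2_TRUST),
                      ("codedeploy trust", CODEDEPLOY_TRUST)]:
        print(name, "trust policy:", is_trust_policy(doc),
              "| codedeploy can assume:", service_can_assume(doc, svc))
```

Feeding a role's live trust document (the AssumeRolePolicyDocument returned by IAM) to service_can_assume reproduces the "Cannot assume role provided" condition as a plain False before CodeDeploy ever tries.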