
I have the following role for my CodeBuild service, created through CloudFormation, and CodeBuild cannot create logs:

CodeBuildRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: !Sub '${PipelineName}-codebuild'
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: codebuild.amazonaws.com
          Action: sts:AssumeRole
    Policies:
      - PolicyName: !Sub '${PipelineName}-codebuild'
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            # CloudWatch Logs access, scoped to the log group named after the pipeline
            - Effect: Allow
              Resource:
                - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}'
                - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}/*'
              Action:
                - 'logs:CreateLogGroup'
                - 'logs:CreateLogStream'
                - 'logs:PutLogEvents'
            # Read/write access to the CodePipeline artifact buckets
            - Effect: Allow
              Resource:
                - !Sub 'arn:aws:s3:::codepipeline-${AWS::Region}-*/*'
              Action:
                - 's3:GetObject'
                - 's3:GetObjectVersion'
                - 's3:PutObject'
            - Effect: Allow
              Resource:
                - !GetAtt [PipelineArtifactStore, Arn]
              Action:
                - 's3:PutObject'

This produces an error with

- !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}' 
- !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}/*' 

Why can't CodeBuild write logs?

Service role arn:aws:iam::598xxx:role/skynet-codebuild does not allow AWS CodeBuild to create Amazon CloudWatch Logs log streams for build arn:aws:codebuild:ap-southeast-1:598xxx:build/skynet-lambda:544xxx-aa88945844fa. Error message: User: arn:aws:sts::598xxx:assumed-role/skynet-codebuild/AWSCodeBuild-544xxx-aa88945844fa is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:ap-southeast-1:598xxx:log-group:/aws/codebuild/skynet-lambda:log-stream:544xxx-aa88945844fa

Update: the full CloudFormation template, for reference

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Skynet stack for CodePipeline'

Parameters:
  PipelineName:
    Type: String
    Description: Pipeline Name (Lower case only, since S3 bucket names can only have lowercase)
    Default: skynet
  GitHubOwner:
    Type: String
    Description: GitHub Owner/Username
  GitHubRepo:
    Type: String
    Description: GitHub Repo
    Default: '2359media/skynet'
  GitHubBranch:
    Type: String
    Description: GitHub Branch
    Default: master
  GitHubToken:
    Type: String
    Description: GitHub Token
    NoEcho: true

Resources:
  Pipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      Name: !Ref PipelineName
      RoleArn: !GetAtt [PipelineRole, Arn]
      ArtifactStore:
        Location: !Ref PipelineArtifactStore
        Type: S3
      DisableInboundStageTransitions: []
      Stages:
        - Name: GitHubSource
          Actions:
            - Name: Source
              ActionTypeId:
                Category: Source
                Owner: ThirdParty
                Version: 1
                Provider: GitHub
              Configuration:
                Owner: !Ref GitHubOwner
                Repo: !Ref GitHubRepo
                Branch: !Ref GitHubBranch
                OAuthToken: !Ref GitHubToken
              OutputArtifacts:
                - Name: SourceCode
        - Name: Build
          Actions:
            - Name: Lambda
              InputArtifacts:
                - Name: SourceCode
              OutputArtifacts:
                - Name: LambdaPackage
              ActionTypeId:
                Category: Build
                Owner: AWS
                Version: 1
                Provider: CodeBuild
              Configuration:
                ProjectName: !Ref CodeBuildLambda
        - Name: Deploy
          Actions:
            - Name: Lambda
              InputArtifacts:
                - Name: LambdaPackage
              OutputArtifacts:
                - Name: LambdaDeployment
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Version: 1
                Provider: CloudFormation
              Configuration:
                ActionMode: CHANGE_SET_REPLACE
                RoleArn: !GetAtt [CloudFormationRole, Arn]
                StackName: !Ref AWS::StackName
                TemplatePath: 'Template::lambda/sam.yml'

  CodeBuildLambda:
    Type: AWS::CodeBuild::Project
    Properties:
      # Project name; CodeBuild logs to the group /aws/codebuild/<project name>
      Name: !Sub '${PipelineName}-lambda'
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/nodejs:7.0.0
        Type: LINUX_CONTAINER
        EnvironmentVariables:
          - Name: S3_BUCKET
            Value: !Ref PipelineArtifactStore
      ServiceRole: !Ref CodeBuildRole
      Source:
        BuildSpec: 'lambda/buildspec.yml'
        Type: CODEPIPELINE

  PipelineArtifactStore:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub '${PipelineName}-pipeline-artifacts'
      VersioningConfiguration:
        Status: Enabled

  CodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${PipelineName}-codebuild'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: !Sub '${PipelineName}-codebuild'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Resource:
                  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*'
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
              - Effect: Allow
                Resource:
                  - !Sub 'arn:aws:s3:::codepipeline-${AWS::Region}-*/*'
                  - !Sub
                    - '${PipelineArtifactStoreArn}/*'
                    - {PipelineArtifactStoreArn: !GetAtt [PipelineArtifactStore, Arn]}
                Action:
                  - 's3:GetObject'
                  - 's3:GetObjectVersion'
                  - 's3:PutObject'

  CloudFormationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${PipelineName}-cloudformation'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AWSLambdaExecute'
      Policies:
        - PolicyName: !Sub '${PipelineName}-cloudformation'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Resource: '*'
                Action:
                  - 's3:GetObject'
                  - 's3:GetObjectVersion'
                  - 's3:GetBucketVersioning'
              - Effect: Allow
                Resource: 'arn:aws:s3:::codepipeline*'
                Action:
                  - 's3:PutObject'
              - Effect: Allow
                Resource: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*'
                Action:
                  - 'lambda:*'
              - Effect: Allow
                Resource: !Sub 'arn:aws:apigateway:${AWS::Region}::*'
                Action:
                  - 'apigateway:*'
              - Effect: Allow
                # IAM ARNs carry no region: the account id goes in this slot
                # (the posted template had ${AWS::Region} here, which matches no role)
                Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/*'
                Action:
                  - 'iam:GetRole'
                  - 'iam:CreateRole'
                  - 'iam:DeleteRole'
                  - 'iam:AttachRolePolicy'
                  - 'iam:DetachRolePolicy'
              - Effect: Allow
                Resource: '*'
                Action:
                  - 'iam:PassRole'
              - Effect: Allow
                Resource: !Sub 'arn:aws:cloudformation:${AWS::Region}:aws:transform/Serverless-2016-10-31'
                Action:
                  - 'cloudformation:CreateChangeSet'

  PipelineRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${PipelineName}-pipeline'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action: ['sts:AssumeRole']
            Effect: Allow
            Principal:
              Service: [codepipeline.amazonaws.com]
      Path: /
      Policies:
        - PolicyName: SkynetPipeline
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Action:
                  - 's3:GetObject'
                  - 's3:GetObjectVersion'
                  - 's3:GetBucketVersioning'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                  - 's3:PutObject'
                Effect: 'Allow'
                Resource:
                  - !GetAtt [PipelineArtifactStore, Arn]
              - Action:
                  - 'codecommit:CancelUploadArchive'
                  - 'codecommit:GetBranch'
                  - 'codecommit:GetCommit'
                  - 'codecommit:GetUploadArchiveStatus'
                  - 'codecommit:UploadArchive'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                  - 'codedeploy:CreateDeployment'
                  - 'codedeploy:GetApplicationRevision'
                  - 'codedeploy:GetDeployment'
                  - 'codedeploy:GetDeploymentConfig'
                  - 'codedeploy:RegisterApplicationRevision'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                  - 'elasticbeanstalk:*'
                  - 'ec2:*'
                  - 'elasticloadbalancing:*'
                  - 'autoscaling:*'
                  - 'cloudwatch:*'
                  - 's3:*'
                  - 'sns:*'
                  - 'cloudformation:*'
                  - 'rds:*'
                  - 'sqs:*'
                  - 'ecs:*'
                  - 'iam:PassRole'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                  - 'lambda:InvokeFunction'
                  - 'lambda:ListFunctions'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                  - 'opsworks:CreateDeployment'
                  - 'opsworks:DescribeApps'
                  - 'opsworks:DescribeCommands'
                  - 'opsworks:DescribeDeployments'
                  - 'opsworks:DescribeInstances'
                  - 'opsworks:DescribeStacks'
                  - 'opsworks:UpdateApp'
                  - 'opsworks:UpdateStack'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                  - 'cloudformation:CreateStack'
                  - 'cloudformation:DeleteStack'
                  - 'cloudformation:DescribeStacks'
                  - 'cloudformation:UpdateStack'
                  - 'cloudformation:CreateChangeSet'
                  - 'cloudformation:DeleteChangeSet'
                  - 'cloudformation:DescribeChangeSet'
                  - 'cloudformation:ExecuteChangeSet'
                  - 'cloudformation:SetStackPolicy'
                  - 'cloudformation:ValidateTemplate'
                  - 'iam:PassRole'
                Effect: 'Allow'
                Resource: '*'
              - Action:
                  - 'codebuild:BatchGetBuilds'
                  - 'codebuild:StartBuild'
                Effect: 'Allow'
                Resource: '*'

Answer


It seems there may be a subtle difference between the value you are giving the role and the value it expects.

It looks like you are building the role name from ${PipelineName}-codebuild, which appears to resolve to skynet-codebuild, so your PipelineName is skynet. In your policy you grant logs:CreateLogGroup on the resource arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}. From what I can gather from your error, that should be arn:aws:logs:ap-southeast-1:598xxx:log-group:/aws/codebuild/skynet:log-stream:..., but it is actually arn:aws:logs:ap-southeast-1:598xxx:log-group:/aws/codebuild/skynet-lambda:log-stream:...

Is it possible that your CodeBuild project is actually called ${PipelineName}-lambda? One way you might be able to solve this more easily is to declare the policy like this:

- Effect: Allow
  Resource:
    - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}-*'
    - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}-*/*'
  Action:
    - 'logs:CreateLogGroup'
    - 'logs:CreateLogStream'

This should let your CodeBuild create LogGroups and LogStreams for any CodeBuild project whose name starts with PipelineName-.

Update: thanks for the full CloudFormation template. As expected, your CodeBuild project is named ${PipelineName}-lambda, which is why your policy does not match. If you want to grant permission to create logs for that project, you need to replace your statement with the following:

- Effect: Allow
  Resource:
    - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}-lambda'
    - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${PipelineName}-lambda/*'
  Action:
    - 'logs:CreateLogGroup'
    - 'logs:CreateLogStream'
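An added example (not part of the question or the answer) that checks the policy patterns discussed above against the log-group and log-stream ARNs taken from the error message. It assumes IAM Resource-element wildcard semantics as implemented in `iam_resource_matches` (`*` spans any characters, `:` and `/` included; `?` matches one character; everything else is a case-sensitive literal); the region, account and build id are the page's own partially redacted values, and the `exact_colon` variant is my addition, showing that a trailing `:*` after the project name is what covers the `:log-stream:` suffix seen in the error while `/*` does not.

```python
import re

# Values from the question's error message (account and build id are redacted there too)
REGION, ACCOUNT = "ap-southeast-1", "598xxx"
PIPELINE_NAME = "skynet"
BUILD_ID = "544xxx-aa88945844fa"

# The two resources CodeBuild asks for: the log group, then the per-build log stream
LOG_GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/aws/codebuild/{PIPELINE_NAME}-lambda"
LOG_STREAM_ARN = f"{LOG_GROUP_ARN}:log-stream:{BUILD_ID}"  # resource named in the error

# !Sub prefix shared by every pattern on the page
LOGS = "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/"
POLICIES = {
    "original": [LOGS + "${PipelineName}", LOGS + "${PipelineName}/*"],            # the question
    "prefix": [LOGS + "${PipelineName}-*", LOGS + "${PipelineName}-*/*"],          # answer, 1st form
    "exact": [LOGS + "${PipelineName}-lambda", LOGS + "${PipelineName}-lambda/*"],  # answer, update
    "exact_colon": [LOGS + "${PipelineName}-lambda", LOGS + "${PipelineName}-lambda:*"],  # added
}


def iam_resource_matches(pattern: str, arn: str) -> bool:
    """IAM Resource matching: '*' spans any characters (':' and '/' included),
    '?' matches one character, everything else is a case-sensitive literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


def resolve(sub_pattern: str) -> str:
    """Stand-in for CloudFormation !Sub using the page's parameter values."""
    return (sub_pattern.replace("${AWS::Region}", REGION)
            .replace("${AWS::AccountId}", ACCOUNT)
            .replace("${PipelineName}", PIPELINE_NAME))


def evaluate(name: str) -> dict:
    """Does any Resource entry of the named Allow statement cover each requested ARN?"""
    resources = [resolve(p) for p in POLICIES[name]]
    return {"log_group": any(iam_resource_matches(p, LOG_GROUP_ARN) for p in resources),
            "log_stream": any(iam_resource_matches(p, LOG_STREAM_ARN) for p in resources)}


if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:12s} {evaluate(name)}")
```

Only the `prefix` and `exact_colon` variants cover the `logs:CreateLogStream` resource from the error; the broad `log-group:*` in the updated template covers it too, at the cost of granting access to every log group in the account.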