AWS CodeDeploy: service role "Cannot assume role provided"

I am trying to set up CodeDeploy with my GitHub repository and have run into a problem.

I created a service role with the AWSCodeDeployRole policy, as described in the documentation.

While creating my CodeDeploy application I get the following error:

Cannot assume role provided.

As far as I can see, my role with AWSCodeDeployRole has a lot of autoscaling permissions, but that does not seem to be what it expects from me:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CompleteLifecycleAction",
        "autoscaling:DeleteLifecycleHook",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:PutLifecycleHook",
        "autoscaling:RecordLifecycleActionHeartbeat",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:EnableMetricsCollection",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribePolicies",
        "autoscaling:DescribeScheduledActions",
        "autoscaling:DescribeNotificationConfigurations",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:AttachLoadBalancers",
        "autoscaling:PutScalingPolicy",
        "autoscaling:PutScheduledUpdateGroupAction",
        "autoscaling:PutNotificationConfiguration",
        "autoscaling:PutLifecycleHook",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DeleteAutoScalingGroup",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:TerminateInstances",
        "tag:GetTags",
        "tag:GetResources",
        "sns:Publish",
        "cloudwatch:DescribeAlarms",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
      ],
      "Resource": "*"
    }
  ]
}
```
After some googling, I found that the CodeDeploy application may expect something like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codedeploy.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
But when I try to create this policy manually, it also fails, with the error:

This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies.

So, what service role does the CodeDeploy application expect?

By the way, CodeDeploy is running on my EC2 instance.
I believe you are confusing the permissions policy with the [trust relationship policy](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html). Both are policies with similar syntax, but they serve different purposes: the former specifies the actions the role is allowed or denied (e.g. autoscaling actions), the latter specifies which entities (principals) may assume the role (e.g. the 'codedeploy.amazonaws.com' service principal). –
Well, the trust relationship of my "service role" looks like this: `{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }` – smart
Do you see the similarity between this and the policy you found while googling? 'codedeploy' vs 'ec2'? –
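The distinction the comments draw, as an added example that is not part of the question or the comments: a small checker that tells a trust policy apart from a permissions policy (the `Principal` field is what makes the IAM permissions-policy editor reject the second document above) and evaluates whether a given service principal is allowed to call `sts:AssumeRole`. The two trust documents are constructed samples: the EC2-only one from the comment, and a variant that names the CodeDeploy service principal instead. It checks `Principal.Service` and `Effect` only; `Condition` blocks are ignored, so it is a sanity check, not a substitute for the IAM policy simulator.

```python
import json

# Constructed sample: the trust relationship quoted in the comment (EC2 only).
TRUST_EC2_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"Service": "ec2.amazonaws.com"},
                 "Action": "sts:AssumeRole"}]
}""")

# Constructed sample: the same document with the CodeDeploy service principal.
TRUST_CODEDEPLOY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"Service": ["codedeploy.amazonaws.com"]},
                 "Action": "sts:AssumeRole"}]
}""")


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_kind(doc):
    """'trust' if any statement carries a Principal/NotPrincipal, else 'permissions'.
    A Principal in a document pasted into the permissions-policy editor is exactly
    what produces the 'Has prohibited field Principal' error in the question."""
    stmts = _as_list(doc.get("Statement", []))
    return "trust" if any("Principal" in s or "NotPrincipal" in s for s in stmts) else "permissions"


def service_can_assume(trust_doc, service):
    """True if an Allow statement lets `service` call sts:AssumeRole and no Deny
    statement matches it. Conditions are not evaluated (assumption of this checker)."""
    allowed, denied = False, False
    for s in _as_list(trust_doc.get("Statement", [])):
        actions = [a.lower() for a in _as_list(s.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = s.get("Principal", {})
        services = ["*"] if principal == "*" else _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if service in services or "*" in services:
            if s.get("Effect") == "Deny":
                denied = True
            elif s.get("Effect") == "Allow":
                allowed = True
    return allowed and not denied
```

Running `service_can_assume(TRUST_EC2_ONLY, "codedeploy.amazonaws.com")` returns `False`, which is the "Cannot assume role provided" situation; the same call against `TRUST_CODEDEPLOY` returns `True`.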