2017-06-17 86 views
1

I am trying to set up CodeDeploy with my GitHub and have run into some problems. AWS CodeDeploy: Service role cannot assume the role provided

I have created the service role with the AWSCodeDeployRole policy, as mentioned in the documentation.

During the creation of my CodeDeploy application I ran into a problem:

Cannot assume role provided. 

As far as I can see, my role with AWSCodeDeployRole has a lot of autoscaling permissions, but that is not what is expected of me:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:CompleteLifecycleAction",
                "autoscaling:DeleteLifecycleHook",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLifecycleHooks",
                "autoscaling:PutLifecycleHook",
                "autoscaling:RecordLifecycleActionHeartbeat",
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:EnableMetricsCollection",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribePolicies",
                "autoscaling:DescribeScheduledActions",
                "autoscaling:DescribeNotificationConfigurations",
                "autoscaling:DescribeLifecycleHooks",
                "autoscaling:SuspendProcesses",
                "autoscaling:ResumeProcesses",
                "autoscaling:AttachLoadBalancers",
                "autoscaling:PutScalingPolicy",
                "autoscaling:PutScheduledUpdateGroupAction",
                "autoscaling:PutNotificationConfiguration",
                "autoscaling:PutLifecycleHook",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:DeleteAutoScalingGroup",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:TerminateInstances",
                "tag:GetTags",
                "tag:GetResources",
                "sns:Publish",
                "cloudwatch:DescribeAlarms",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
            ],
            "Resource": "*"
        }
    ]
}

After some googling, I found that a CodeDeploy application may expect something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "codedeploy.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

But when I tried to create this policy manually, it also failed, with the error:

This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies. 

So, what service role does a CodeDeploy application expect?

By the way, CodeDeploy is running on my EC2 instances.

+1

I believe you are confusing the permissions policy with the [trust relationship policy](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html). Both are policies with similar syntax, but their purposes differ: the former specifies which actions the role is allowed or denied (e.g. autoscaling actions), while the latter specifies which entities (principals) may assume the role (e.g. the 'codedeploy.amazonaws.com' service principal). –

+0

Well, the trust relationship of my "service role" looks like this: '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }' – smart

+1

Do you see the similarity between this and the policy you found during your Google search? 'codedeploy' versus 'ec2'? –

Answer

1

So, following @Michael's comment, I found that the service role's trust relationship policy has some differences.

It looks like the default AWSCodeDeployRole cannot handle CodeDeploy correctly.

To fix this, I replaced "Service": [ "ec2.amazonaws.com" ] with "Service": [ "codedeploy.amazonaws.com" ]

And it works!

+0

Nice find mate, it should be the default! – user25794
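The comment above draws the distinction between a role's permissions policy (what the role may do) and its trust relationship policy (who may assume it), and the answer fixes the trust policy by trusting codedeploy.amazonaws.com instead of ec2.amazonaws.com. The following checker, an added example that is not code from the thread or from AWS, models both documents offline: it classifies a document by whether it carries a Principal (the field IAM rejected in the question), evaluates whether a given service principal is allowed sts:AssumeRole with explicit Deny winning over Allow, and reports why a deployment would hit "Cannot assume role provided". All function names are the example's own, and the sample policies are constructed from the JSON shown in the thread.

```python
"""Trust relationship policy vs. permissions policy checker (added example)."""
import fnmatch
import json


def _as_list(value):
    """Normalise IAM's "string or list of strings" fields to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _service_principals(principal):
    """Service principals named by a statement's Principal ('*' means anyone)."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("Service"))
    return []


def _action_matches(actions, wanted):
    """True if any action pattern (IAM-style '*' wildcards) covers `wanted`."""
    return any(fnmatch.fnmatchcase(wanted.lower(), a.lower()) for a in _as_list(actions))


def is_trust_policy(doc):
    """Only resource-based policies (trust policies included) carry a Principal.

    An identity-based permissions policy with a Principal is exactly what IAM
    rejected in the question: "Has prohibited field Principal".
    """
    return any("Principal" in s or "NotPrincipal" in s for s in _as_list(doc.get("Statement")))


def can_service_assume(trust_doc, service):
    """Decide whether `service` may call sts:AssumeRole on the role.

    Mirrors IAM's evaluation order: an explicit Deny wins over any Allow.
    """
    allowed = False
    for st in _as_list(trust_doc.get("Statement")):
        if not _action_matches(st.get("Action"), "sts:AssumeRole"):
            continue
        principals = _service_principals(st.get("Principal"))
        if "*" not in principals and service not in principals:
            continue
        if st.get("Effect") == "Deny":
            return False
        if st.get("Effect") == "Allow":
            allowed = True
    return allowed


def make_trust_policy(services):
    """Minimal trust relationship policy trusting the given service principals."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": list(services)},
            "Action": "sts:AssumeRole",
        }],
    }


def diagnose_role(trust_doc, permissions_doc, service):
    """Findings that explain a 'Cannot assume role provided' error for `service`."""
    findings = []
    if is_trust_policy(permissions_doc):
        findings.append("permissions policy carries a Principal; move it to the trust policy")
    if not can_service_assume(trust_doc, service):
        findings.append(f"trust policy does not allow {service} to call sts:AssumeRole")
    return findings


# Constructed sample documents, taken from the thread's JSON.
TRUST_EC2_ONLY = make_trust_policy(["ec2.amazonaws.com"])           # the default the asker had
TRUST_CODEDEPLOY = make_trust_policy(["codedeploy.amazonaws.com"])  # the answer's fix
PERMISSIONS = {  # abbreviated AWSCodeDeployRole: identity-based, hence no Principal
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["autoscaling:DescribeAutoScalingGroups", "ec2:DescribeInstances"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    for label, trust in (("default trust policy", TRUST_EC2_ONLY), ("fixed trust policy", TRUST_CODEDEPLOY)):
        print(label, "->", diagnose_role(trust, PERMISSIONS, "codedeploy.amazonaws.com") or "OK")
    print(json.dumps(make_trust_policy(["codedeploy.amazonaws.com"]), indent=2))
```

Running the script reports one finding for the default trust policy (CodeDeploy is not a trusted principal) and none for the fixed one; it also prints the minimal trust document the answer arrived at, which is the piece that must be attached to the role separately from the AWSCodeDeployRole permissions policy.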