AWS CodePipeline: Deploy failed. The provided role does not have sufficient permissions: Failed to deploy application

Time: 2020-05-03 20:47:48

Tags: amazon-web-services

I am using Beanstalk and CodePipeline.

Everything works fine up to the build stage, but then:

Deploy failed. The provided role does not have sufficient permissions: Failed to deploy application. Service: AWSLogs, Message: User: arn:aws:sts:::assumed-role/pipeline-role/ is not authorized to perform: logs:CreateLogGroup on resource: arn:aws:logs:ap-northeast-2::log-group:/aws/elasticbeanstalk/repo-env/var/log/nginx/error.log:log-stream:

This happens during the Beanstalk deployment.

Do I need permission for that log group?

My CodePipeline role is

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "opsworks:DescribeStacks",
                "devicefarm:GetRun",
                "rds:*",
                "cloudformation:CreateChangeSet",
                "autoscaling:*",
                "codebuild:BatchGetBuilds",
                "devicefarm:ScheduleRun",
                "servicecatalog:ListProvisioningArtifacts",
                "devicefarm:ListDevicePools",
                "cloudformation:UpdateStack",
                "servicecatalog:DescribeProvisioningArtifact",
                "cloudformation:DescribeChangeSet",
                "devicefarm:ListProjects",
                "cloudformation:ExecuteChangeSet",
                "sns:*",
                "lambda:ListFunctions",
                "lambda:InvokeFunction",
                "codedeploy:RegisterApplicationRevision",
                "devicefarm:CreateUpload",
                "cloudformation:*",
                "opsworks:DescribeDeployments",
                "cloudformation:DescribeStacks",
                "codecommit:GetUploadArchiveStatus",
                "cloudwatch:*",
                "cloudformation:DeleteStack",
                "opsworks:DescribeInstances",
                "ecs:*",
                "ecr:DescribeImages",
                "ec2:*",
                "codebuild:StartBuild",
                "cloudformation:ValidateTemplate",
                "opsworks:DescribeApps",
                "opsworks:UpdateStack",
                "codedeploy:CreateDeployment",
                "codedeploy:GetApplicationRevision",
                "codedeploy:GetDeploymentConfig",
                "servicecatalog:CreateProvisioningArtifact",
                "sqs:*",
                "cloudformation:DeleteChangeSet",
                "codecommit:GetCommit",
                "servicecatalog:DeleteProvisioningArtifact",
                "codedeploy:GetApplication",
                "cloudformation:SetStackPolicy",
                "codecommit:UploadArchive",
                "s3:*",
                "elasticloadbalancing:*",
                "codecommit:CancelUploadArchive",
                "devicefarm:GetUpload",
                "elasticbeanstalk:*",
                "opsworks:UpdateApp",
                "opsworks:CreateDeployment",
                "cloudformation:CreateStack",
                "servicecatalog:UpdateProduct",
                "codecommit:GetBranch",
                "codedeploy:GetDeployment",
                "opsworks:DescribeCommands"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEqualsIfExists": {
                    "iam:PassedToService": [
                        "cloudformation.amazonaws.com",
                        "elasticbeanstalk.amazonaws.com",
                        "ec2.amazonaws.com",
                        "ecs-tasks.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "codestar-connections:UseConnection",
            "Resource": "*"
        }
    ]
}

1 answer:

Answer 0 (score: 4)

To fix this, add "logs:*" to the Actions array of the first block, because this grants EBS permission for CloudWatch Logs.

Recommendation: I would suggest not adding "*" but granting the minimum permissions your use case requires. For this case, add "logs:CreateLogGroup" to the Actions array of the first block.
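As an added example (not part of the question or the answer above), a small Python helper that parses the IAM "is not authorized" message, checks whether the posted pipeline policy already covers that action under IAM-style wildcard matching, and appends a statement scoped to the single denied action and log-group ARN rather than "logs:*" on "*". The trimmed policy, the account id 123456789012 and the session name are constructed placeholders; explicit Deny statements and Condition elements are deliberately not evaluated.

```python
import fnmatch
import json
import re

# Constructed: trimmed copy of the question's pipeline role policy (relevant statements only).
PIPELINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["cloudwatch:*", "elasticbeanstalk:*", "s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Constructed AccessDenied text in the shape Beanstalk reported; account id and session are placeholders.
DENIED_MSG = (
    "User: arn:aws:sts::123456789012:assumed-role/pipeline-role/session is not "
    "authorized to perform: logs:CreateLogGroup on resource: "
    "arn:aws:logs:ap-northeast-2:123456789012:log-group:"
    "/aws/elasticbeanstalk/repo-env/var/log/nginx/error.log:log-stream:"
)

def parse_denial(msg):
    """Pull (action, resource ARN) out of an IAM 'is not authorized' message."""
    m = re.search(r"not authorized to perform: (\S+) on resource: (\S+)", msg)
    if not m:
        raise ValueError("not an IAM authorization failure message")
    return m.group(1), m.group(2)

def allows(policy, action, resource):
    """True if an unconditional Allow statement matches both action and resource
    (IAM globbing: '*'/'?' wildcards, case-insensitive actions; Deny and Condition not modelled)."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        ress = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in acts) and \
           any(fnmatch.fnmatchcase(resource, r) for r in ress):
            return True
    return False

def fixed_policy(policy, msg):
    """Copy of policy plus the narrowest statement satisfying the denial: one action, one ARN."""
    action, resource = parse_denial(msg)
    patched = json.loads(json.dumps(policy))  # deep copy; the caller's dict stays untouched
    if not allows(patched, action, resource):
        patched["Statement"].append({"Sid": "BeanstalkLogGroup", "Effect": "Allow",
                                     "Action": [action], "Resource": [resource]})
    return patched
```

Running `fixed_policy(PIPELINE_POLICY, DENIED_MSG)` returns the policy with one extra statement granting only `logs:CreateLogGroup` on the reported ARN; a second denial for a different action or log group would be reported rather than silently covered by a wildcard.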