AWS CodeDeploy: Service role cannot assume the role provided

Time: 2017-06-17 09:23:01

Tags: amazon-web-services amazon-ec2 aws-code-deploy

I'm trying to set up CodeDeploy with my GitHub, but I've run into some problems.

I created AWSCodeDeployRole as described in the service role policy document.

During the creation of my CodeDeploy application I hit this error:

Cannot assume role provided.

As far as I can see, the AWSCodeDeployRole role has a lot of autoscaling permissions, which I don't want:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CompleteLifecycleAction",
        "autoscaling:DeleteLifecycleHook",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:PutLifecycleHook",
        "autoscaling:RecordLifecycleActionHeartbeat",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:EnableMetricsCollection",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribePolicies",
        "autoscaling:DescribeScheduledActions",
        "autoscaling:DescribeNotificationConfigurations",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:AttachLoadBalancers",
        "autoscaling:PutScalingPolicy",
        "autoscaling:PutScheduledUpdateGroupAction",
        "autoscaling:PutNotificationConfiguration",
        "autoscaling:PutLifecycleHook",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DeleteAutoScalingGroup",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:TerminateInstances",
        "tag:GetTags",
        "tag:GetResources",
        "sns:Publish",
        "cloudwatch:DescribeAlarms",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
      ],
      "Resource": "*"
    }
  ]
}

While googling I found that a CodeDeploy application may need something like the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codedeploy.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

But when I try to create this policy manually, it also fails with the error:

This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies.

So, what is the expected service role for AWSCodeDeployRole?

By the way, CodeDeploy is running on my EC2 instances.

3 answers:

Answer 0 (score: 7)

Well, following @Michael's comment, I found some differences in the Trust relationships policy of my Service role.

It looks like the default AWSCodeDeployRole does not handle CodeDeploy correctly.

To fix it, I replaced "Service": [ "ec2.amazonaws.com"] with "Service": [ "codedeploy.amazonaws.com"]

It works!

Answer 1 (score: 0)

For those who find this via Google: in my CloudFormation template I had formatted the ARN incorrectly, and the error is not descriptive:

The role needs to be specified like this: arn:aws:iam::1234567890:role/CodeDeployRole   Note :role/ rather than :instance-profile/

The error is the same as above, it cannot assume the role, although that is because you specified it wrong.

Answer 2 (score: 0)

I was following a tutorial, but it did not mention that you have to edit the trust relationship of the service role. I got the same error as above until I changed the following.

I changed

        "Service": "codebuild.amazonaws.com"

to

"Service" : [
      "codedeploy.amazonaws.com",
      "codebuild.amazonaws.com"
    ]
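As an added check (example code, not from the question or any of the answers): given a role's trust policy document and the ARN handed to CodeDeploy, it reports the two mistakes the answers describe, a trust relationship that does not name codedeploy.amazonaws.com (answers 0 and 2) and an instance-profile ARN used where a :role/ ARN is required (answer 1). The sample trust documents and the 12-digit account id 123456789012 are constructed placeholders.

```python
import json
import re

# Service principal that must be allowed to assume the CodeDeploy service role.
CODEDEPLOY_PRINCIPAL = "codedeploy.amazonaws.com"

# A service role is referenced by its role ARN (":role/"), never ":instance-profile/".
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def trusted_services(trust_policy):
    """Return the set of service principals allowed to call sts:AssumeRole."""
    services = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if "sts:AssumeRole" not in ([actions] if isinstance(actions, str) else actions):
            continue
        principal = stmt.get("Principal", {})
        svc = principal.get("Service", []) if isinstance(principal, dict) else []
        services.update([svc] if isinstance(svc, str) else svc)
    return services


def check_codedeploy_service_role(trust_policy, role_arn):
    """Return a list of problems; an empty list means CodeDeploy can use the role."""
    problems = []
    if CODEDEPLOY_PRINCIPAL not in trusted_services(trust_policy):
        problems.append("trust policy does not let %s assume the role" % CODEDEPLOY_PRINCIPAL)
    if ":instance-profile/" in role_arn:
        problems.append("ARN names an instance profile; CodeDeploy needs the :role/ ARN")
    elif not ROLE_ARN_RE.match(role_arn):
        problems.append("ARN is not a valid IAM role ARN")
    return problems


# Constructed sample documents; 123456789012 is a placeholder account id.
EC2_ONLY_TRUST = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",'
                            ' "Principal": {"Service": "ec2.amazonaws.com"},'
                            ' "Action": "sts:AssumeRole"}]}')
CODEDEPLOY_TRUST = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",'
                              ' "Principal": {"Service": ["codedeploy.amazonaws.com",'
                              ' "codebuild.amazonaws.com"]}, "Action": "sts:AssumeRole"}]}')

if __name__ == "__main__":
    print(check_codedeploy_service_role(
        EC2_ONLY_TRUST, "arn:aws:iam::123456789012:instance-profile/CodeDeployRole"))
    print(check_codedeploy_service_role(
        CODEDEPLOY_TRUST, "arn:aws:iam::123456789012:role/CodeDeployRole"))  # []
```

The first call reproduces both mistakes at once (default EC2-style trust plus an instance-profile ARN); the second, with the trust relationship from answer 2 and a :role/ ARN, reports nothing.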