I'm trying to deploy a new version of my application to Elastic Beanstalk from a CI pipeline using the AWS CLI tool:
aws elasticbeanstalk create-application-version \
--application-name "serradev dev" \
--version-label ${BUILDKITE_COMMIT} \
--source-bundle S3Bucket="${BUCKET_NAME}",S3Key="${BUILDKITE_COMMIT}.zip"
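It fails with the following error:
An error occurred (InvalidParameterCombination) when calling the CreateApplicationVersion operation: Unable to download from S3 location (Bucket: elastic-beanstalk-deploys Key: da25301fc88a5c2908282a891fb0f80278008008a36.zip). Reason: Forbidden
If I replace the key with a deployment that does not exist, I get a NotFound error.
I have the following policy configured on the bucket: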
{
  "Version": "2012-10-17",
  "Id": "Policy1541741695771",
  "Statement": [
    {
      "Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::185535608991:role/aws-elasticbeanstalk-service-role",
          "arn:aws:iam::185535608991:role/aws-elasticbeanstalk-ec2-role"
        ]
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl",
        "s3:GetObjectAcl",
        "s3:GetBucketPolicy",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::elastic-beanstalk-deploys",
        "arn:aws:s3:::elastic-beanstalk-deploys/*"
      ]
    }
  ]
}
The file is copied to the bucket using the aws s3 cp command:
aws s3 cp --acl=public-read ${RUN_ARTIFACT_PATH}/app.zip s3://${BUCKET_NAME}/${BUILDKITE_COMMIT}.zip
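Note the added --acl=public-read switch.
I even configured the bucket to have full public access and tested this by downloading the manifest file in an anonymous browser session. Despite all of these permissions being in place, I still get the Forbidden error.
At this point, I don't know what to try next.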