我已经从代码管道向导创建了一个代码构建项目,其中包含所有必需的必需选项和有效的IAM角色。我还添加了IAM角色策略,这对于访问和写入S3存储桶中的数据是必需的。我已经考虑过以下提到的访问S3的策略。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"arn:aws:logs:aws/codebuild",
"arn:aws:logs:aws/codebuild:*"
],
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
},
{
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::pipeline”,
"arn:aws:s3::: pipeline/*"
],
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetBucketAcl",
"s3:GetBucketLocation"
]
}
]
}
一旦启动管道,代码构建就会失败,并且出现以下提到的错误
DOWNLOAD_SOURCE Failed:
CLIENT_ERROR: symlink /codebuild/output/.../libcrypto.1.0.0.dylib: no such file or directory for primary source and source version arn:aws:s3:::codepipeline-bucketSource/Ap4g3sv.zip
我已经做了很多研究,浏览过各种AWS文档,但是找不到解决方案。
答案 0 :(得分:5)
最后,经过大量研究,我发现这仅是一个许可问题。我不得不按如下所述更改政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetBucketAcl",
"s3:GetBucketLocation"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
]
}
添加此修改后,我的代码构建和管道开始工作。
答案 1 :(得分:3)
看起来您的策略仅提供对“管道”存储桶的访问,但不提供对“ codepipeline-bucketSource”的访问。您是否可以暂时让S3至少拥有对该角色的完全访问权限,以便我们可以调试这是否实际上是与访问相关的问题。