我有一个从 GitHub 拉取代码的 CodeBuild 项目，使用的是 cloudposse 模板。
开始构建时，我得到如下错误：
VPC_CLIENT_ERROR：意外的 EC2 错误：UnauthorizedOperation
我在 SO 上发现了类似的问题，但那里的做法对我不起作用。
这是我的 Terraform 策略：
# IAM policy document for the CodeBuild project described above.
# It renders to the JSON shown further down; note that the first statement
# grants every listed action on Resource "*", while only the second statement
# is scoped by resource ARN and conditions.
data "aws_iam_policy_document" "permissions" {
  # Statement 1: unscoped allow-list (Resource "*").
  statement {
    # Empty Sid; it is rendered as "Sid": "" in the generated JSON.
    sid = ""
    actions = [
      # ECR image push.
      "ecr:BatchCheckLayerAvailability",
      "ecr:CompleteLayerUpload",
      "ecr:GetAuthorizationToken",
      "ecr:InitiateLayerUpload",
      "ecr:PutImage",
      "ecr:UploadLayerPart",
      # ECS task launch.
      "ecs:RunTask",
      # NOTE(review): iam:PassRole on "*" lets this principal hand any role in the
      # account to ECS; consider limiting `resources` for this action to the task
      # role / execution role ARNs that are actually passed.
      "iam:PassRole",
      # CloudWatch Logs for build output.
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      # SSM parameter reads.
      "ssm:GetParameters",
      # EC2 networking used by CodeBuild when the build runs inside a VPC.
      "ec2:DescribeSubnets",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeVpcs",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DeleteNetworkInterface",
      "ec2:DetachNetworkInterface",
      "ec2:DescribeDhcpOptions",
      "ec2:CreateNetworkInterface",
      # NOTE(review): the three actions below look unrelated to the VPC-networking
      # set above (snapshots and VPC endpoint services); confirm they are needed
      # before keeping them granted on "*".
      "ec2:ModifySnapshotAttribute",
      "ec2:ModifyVpcEndpointService",
      "ec2:ResetSnapshot"
    ]
    effect = "Allow"
    resources = [
      "*",
    ]
  }
  # Statement 2: CreateNetworkInterfacePermission, restricted to network
  # interfaces in the configured subnets and to requests made on behalf of
  # CodeBuild.
  statement {
    actions = [
      "ec2:CreateNetworkInterfacePermission"
    ]
    effect = "Allow"
    condition {
      # NOTE(review): StringEquals is an exact match, so the "*" in the region and
      # account segments of the values below is compared literally, not as a
      # wildcard. Either use StringLike (as the answer below suggests) or build
      # fully-qualified subnet ARNs (region and account filled in).
      test     = "StringEquals"
      variable = "ec2:Subnet"
      # One ARN per entry of var.subnet_ids; region and account are left as "*".
      values = formatlist("arn:aws:ec2:*:*:subnet/%s", var.subnet_ids)
    }
    condition {
      # Only honour the request when it is made on behalf of the CodeBuild service.
      test     = "StringEquals"
      variable = "ec2:AuthorizedService"
      values   = ["codebuild.amazonaws.com"]
    }
    resources = [
      "arn:aws:ec2:*:*:network-interface/*"
    ]
  }
}
它生成的 JSON 如下：
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"logs:PutLogEvents",
"logs:CreateLogStream",
"logs:CreateLogGroup",
"iam:PassRole",
"ecs:RunTask",
"ecr:UploadLayerPart",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:GetAuthorizationToken",
"ecr:CompleteLayerUpload",
"ecr:BatchCheckLayerAvailability",
"ec2:ResetSnapshot",
"ec2:ModifyVpcEndpointService",
"ec2:ModifySnapshotAttribute",
"ec2:DetachNetworkInterface",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeDhcpOptions",
"ec2:DeleteNetworkInterface",
"ec2:CreateNetworkInterface"
],
"Resource": "*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": "ec2:CreateNetworkInterfacePermission",
"Resource": "arn:aws:ec2:*:*:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:AuthorizedService": "codebuild.amazonaws.com",
"ec2:Subnet": [
"arn:aws:ec2:*:*:subnet/subnet-0d121212121212121",
"arn:aws:ec2:*:*:subnet/subnet-0a323232323232323",
"arn:aws:ec2:*:*:subnet/subnet-05454545454545454"
]
}
}
}
]
}
唯一能让它正常工作的办法是再添加：
"ec2:*"
我宁愿不这样做，而是把策略细化。我需要添加什么权限才能使其正常工作？这个问题已经困扰我一段时间了……
答案 0 :(得分:3)
由于子网 ARN 中含有通配符，您可以试着把 "StringEquals" 改为 "StringLike" 吗？这很可能就是问题的根本原因。关于 "StringEquals" 与 "StringLike" 之间的区别，请参见：https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html
谢谢! 辛