CodeBuild-由于缺少EC2权限,构建失败

时间:2020-02-10 08:07:51

标签: amazon-web-services amazon-ec2 terraform terraform-provider-aws

我有一个从 GitHub 拉取代码的 CodeBuild 项目,使用的是 cloudposse 模板。

开始构建时,我得到

VPC_CLIENT_ERROR:意外的EC2错误:UnauthorizedOperation

我在 SO 上发现了类似的问题,但那里的解法对我的情况不起作用。

这是我的 Terraform 策略:

# IAM policy for the CodeBuild project role. Two statements: a broad grant on
# Resource "*" and a scoped grant for ec2:CreateNetworkInterfacePermission.
data "aws_iam_policy_document" "permissions" {
  # Statement 1: every action listed here is allowed on Resource "*".
  statement {
    sid = ""

    actions = [
      # ECR image push (layer upload, manifest put, registry auth token).
      "ecr:BatchCheckLayerAvailability",
      "ecr:CompleteLayerUpload",
      "ecr:GetAuthorizationToken",
      "ecr:InitiateLayerUpload",
      "ecr:PutImage",
      "ecr:UploadLayerPart",
      "ecs:RunTask",
      # NOTE(review): iam:PassRole combined with resources = ["*"] below lets
      # this role pass ANY IAM role to ecs:RunTask. Scoping it to the specific
      # task/execution role ARN(s) would contain that.
      "iam:PassRole",
      # CloudWatch Logs write access.
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      # SSM Parameter Store read.
      "ssm:GetParameters",
      # ENI lifecycle and lookups used when the build runs inside a VPC.
      "ec2:DescribeSubnets",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeVpcs",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DeleteNetworkInterface",
      "ec2:DetachNetworkInterface",
      "ec2:DescribeDhcpOptions",
      "ec2:CreateNetworkInterface",
      # NOTE(review): the three actions below mutate EBS snapshots and VPC
      # endpoint services, which is unrelated to attaching a build to a VPC.
      # Confirm they are actually required; if not, dropping them narrows the
      # wildcard grant at no cost.
      "ec2:ModifySnapshotAttribute",
      "ec2:ModifyVpcEndpointService",
      "ec2:ResetSnapshot"
    ]

    effect = "Allow"

    # Wildcard resource: all actions above apply account-wide.
    resources = [
      "*",
    ]
  }

  # Statement 2: ENI permission grant, limited by two conditions. Both
  # condition blocks live in the same statement and so must both hold.
  statement {
    actions = [
      "ec2:CreateNetworkInterfacePermission"
    ]

    effect = "Allow"

    # Restrict to ENIs in the configured subnets.
    # NOTE(review): the generated values contain "*" in the region and
    # account fields. StringEquals is an exact, literal comparison and does
    # not treat "*" as a wildcard; a wildcard ARN here needs StringLike (or
    # ArnLike) to match — confirm against the generated policy.
    condition {
      test     = "StringEquals"
      variable = "ec2:Subnet"
      values = formatlist("arn:aws:ec2:*:*:subnet/%s", var.subnet_ids)
    }

    # Only allow the permission to be granted to the CodeBuild service.
    condition {
      test = "StringEquals"
      variable = "ec2:AuthorizedService"
      values = ["codebuild.amazonaws.com"]
    }

    resources = [
      "arn:aws:ec2:*:*:network-interface/*"
    ]
  }
}

它会生成以下JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameters",
                "logs:PutLogEvents",
                "logs:CreateLogStream",
                "logs:CreateLogGroup",
                "iam:PassRole",
                "ecs:RunTask",
                "ecr:UploadLayerPart",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:GetAuthorizationToken",
                "ecr:CompleteLayerUpload",
                "ecr:BatchCheckLayerAvailability",
                "ec2:ResetSnapshot",
                "ec2:ModifyVpcEndpointService",
                "ec2:ModifySnapshotAttribute",
                "ec2:DetachNetworkInterface",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeDhcpOptions",
                "ec2:DeleteNetworkInterface",
                "ec2:CreateNetworkInterface"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "ec2:CreateNetworkInterfacePermission",
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {
                "StringEquals": {
                    "ec2:AuthorizedService": "codebuild.amazonaws.com",
                    "ec2:Subnet": [
                        "arn:aws:ec2:*:*:subnet/subnet-0d121212121212121",
                        "arn:aws:ec2:*:*:subnet/subnet-0a323232323232323",
                        "arn:aws:ec2:*:*:subnet/subnet-05454545454545454"
                    ]
                }
            }
        }
    ]
}

使它起作用的唯一方法是添加:

"ec2:*"

我宁愿不这样做,而是希望策略尽量细化。我需要添加什么策略才能使其正常工作?这个问题已经困扰我一段时间了...

1 个答案:

答案 0 :(得分:3)

由于子网 ARN 中含有通配符,您可以尝试将 "StringEquals" 改为 "StringLike" 吗?这可能是此问题的根本原因。关于 "StringEquals" 与 "StringLike" 之间差异的参考,请参见:https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html

谢谢! 辛