我正在尝试使用云形成来创建代码管道。我的cloudformation模板创建成功。但是,创建的管道本身停留在源阶段,表明提供的角色没有访问codecommit / s3的权限。 问题是我已经将codecommit:*和s3:*策略赋予了管道角色。另外,我在运行云形成模板时正在使用用户权限,并且用户具有管理员权限。 当我从仪表板重新运行管道时,管道成功运行。在创建时自动运行,为什么会失败?
以下是我面临问题的代码:
Resources:
CodePipelineRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
Effect: Allow
Principal:
Service:
- codepipeline.amazonaws.com
- events.amazonaws.com
Action: sts:AssumeRole
Path: /
CodePipelinePolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: CodePipelinePolicy
PolicyDocument:
Statement:
- Action:
- iam:PassRole
Resource: "*"
Effect: Allow
Condition:
StringEqualsIfExists:
iam:PassedToService:
- cloudformation.amazonaws.com
- elasticbeanstalk.amazonaws.com
- ec2.amazonaws.com
- ecs-tasks.amazonaws.com
- Action:
- s3:*
- cloudwatch:*
- codecommit:*
- opsworks:*
- states:*
- appconfig:*
Resource: "*"
Effect: Allow
Version: '2012-10-17'
Roles:
- Ref: CodePipelineRole
Pipeline:
Type: AWS::CodePipeline::Pipeline
Properties:
ArtifactStore:
Type: S3
Location: !Ref S3Bucket
Name: SamplePipeline
RoleArn: !GetAtt [CodePipelineRole,Arn]
Stages:
- Name: Source
Actions:
- InputArtifacts: []
Name: Template
Region: !Ref AWS::Region
ActionTypeId:
Category: Source
Owner: AWS
Version: '1'
Provider: S3
OutputArtifacts:
- Name: template
Configuration:
S3Bucket: !Ref S3Bucket
PollForSourceChanges: 'false'
S3ObjectKey: !Sub ${NameOfArtifact}.zip
RunOrder: 1
....