
amazon-web-services - AWS CodeBuild VPC_CLIENT_ERROR : Unexpected EC2 error: UnauthorizedOperation

Reposted. Author: 行者123. Updated: 2023-12-03 16:46:13

I created a CodeBuild project in a custom VPC and a private subnet.
The private subnet has Internet access, and the AWS console also confirms that Internet connectivity works for this CodeBuild project. I keep getting VPC_CLIENT_ERROR: Unexpected EC2 error: UnauthorizedOperation during the "Provisioning" phase of the build. Something must be missing from my service role policy, but I can't figure out what.

Here is the CodeBuild project (terraform):

resource "aws_codebuild_project" "frontend" {
  name          = "frontend"
  build_timeout = "5"
  service_role  = "${aws_iam_role.frontend_build.arn}"

  artifacts {
    type           = "S3"
    location       = "frontend.myapp.com"
    namespace_type = "NONE"
    packaging      = "NONE"
    path           = "public"
  }

  environment {
    compute_type                = "BUILD_GENERAL1_SMALL"
    image                       = "aws/codebuild/standard:1.0"
    type                        = "LINUX_CONTAINER"
    image_pull_credentials_type = "CODEBUILD"

    environment_variable {
      name  = "SOME_KEY1"
      value = "SOME_VALUE1"
    }
  }

  logs_config {
    cloudwatch_logs {
      group_name  = "build"
      stream_name = "frontend-build"
    }
  }

  source {
    type                = "GITHUB"
    location            = "https://github.com/MyOrg/my-repo.git"
    git_clone_depth     = 1
    report_build_status = true
    auth {
      type = "OAUTH"
    }
  }

  vpc_config {
    vpc_id             = module.vpc.vpc_id
    subnets            = module.vpc.private_subnets
    security_group_ids = [aws_security_group.build.id]
  }
}

Here is the service_role for this CodeBuild project:

resource "aws_iam_role" "frontend_build" {
  name = "frontend-build"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "codebuild.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

Here is the policy attached to that role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ec2:CreateNetworkInterfacePermission",
      "Resource": "arn:aws:ec2:us-east-1:371508653482:network-interface/*",
      "Condition": {
        "StringEquals": {
          "ec2:AuthorizedService": "codebuild.amazonaws.com",
          "ec2:Subnet": "subnet-124641af7a83bf872"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeVpcs",
        "ecr:BatchCheckLayerAvailability",
        "ecr:CompleteLayerUpload",
        "ecr:GetAuthorizationToken",
        "ecr:InitiateLayerUpload",
        "ecr:PutImage",
        "ecr:UploadLayerPart",
        "ecs:RunTask",
        "iam:PassRole",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "ssm:GetParameters"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:GetAuthorizationToken",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "logs:CreateLogGroup",
        "logs:PutLogEvents",
        "ecr:BatchCheckLayerAvailability"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::xxx-frontend-build-logs",
        "arn:aws:s3:::xxx-frontend-build-logs/*"
      ]
    }
  ]
}

Here is the security group for the CodeBuild project:

resource "aws_security_group" "build" {
  name   = "build"
  vpc_id = module.vpc.vpc_id
}

resource "aws_security_group_rule" "build_egress" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.build.id
}

Best answer

It looks to me like the CodeBuild service role is unable to create an ENI in the VPC. The problem seems to be this line in the CodeBuild role policy:

{
  "Sid": "VisualEditor0",
  "Effect": "Allow",
  "Action": "ec2:CreateNetworkInterfacePermission",
  "Resource": "arn:aws:ec2:us-east-1:371508653482:network-interface/*",
  "Condition": {
    "StringEquals": {
      "ec2:AuthorizedService": "codebuild.amazonaws.com",
      "ec2:Subnet": "subnet-124641af7a83bf872" <================= Need full ARN here
    }
  }
},

Instead of:

"Condition": {
  "StringEquals": {
    "ec2:AuthorizedService": "codebuild.amazonaws.com",
    "ec2:Subnet": "subnet-124641af7a83bf872"
  }
}

Try...

"Condition": {
  "StringEquals": {
    "ec2:Subnet": [
      "arn:aws:ec2:region:account-id:subnet/subnet-124641af7a83bf872"
    ],
    "ec2:AuthorizedService": "codebuild.amazonaws.com"
  }
}

Details: [1]

References:
[1] Using identity-based policies for CodeBuild - Allow CodeBuild access to AWS services required to create a VPC network interface - https://docs.aws.amazon.com/codebuild/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html#customer-managed-policies-example-create-vpc-network-interface
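The answer above pins the failure on an `ec2:Subnet` condition that carries a bare subnet ID where the condition key expects a subnet ARN, so the `StringEquals` never matches and `ec2:CreateNetworkInterfacePermission` is silently denied (CodeBuild surfaces that as `UnauthorizedOperation` during Provisioning). The Python below is an added example, not code from the question, the answer, or AWS: it lints a policy document for exactly this mistake and rewrites the offending values into ARNs before the policy is applied. The sample policy is constructed from the question's first statement, and `123456789012` is a placeholder account ID, not the poster's.

```python
"""Lint an IAM policy for ec2:Subnet condition values that are bare subnet IDs.

The ec2:Subnet condition key compares against a subnet ARN
(arn:aws:ec2:<region>:<account>:subnet/subnet-xxxx). A bare "subnet-xxxx"
value never matches, so the Allow statement is dead and the ENI creation
that CodeBuild needs for a VPC build is denied.
"""
import json
import re

# Shape of the value the condition key actually expects.
SUBNET_ARN_RE = re.compile(r"^arn:aws:ec2:[a-z0-9-]+:\d{12}:subnet/subnet-[0-9a-f]+$")
# Shape of the mistake: a raw subnet ID with no region/account prefix.
SUBNET_ID_RE = re.compile(r"^subnet-[0-9a-f]+$")

# Constructed sample: the question's VisualEditor0 statement with a
# placeholder account ID (123456789012) in place of the poster's.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:CreateNetworkInterfacePermission",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:network-interface/*",
            "Condition": {
                "StringEquals": {
                    "ec2:AuthorizedService": "codebuild.amazonaws.com",
                    "ec2:Subnet": "subnet-124641af7a83bf872",
                }
            },
        }
    ],
}


def _as_list(value):
    """IAM allows scalars or lists in most slots; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_bare_subnet_conditions(policy):
    """Return (Sid, value) for every ec2:Subnet condition value that is a bare ID."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        for _operator, pairs in stmt.get("Condition", {}).items():
            for key, values in pairs.items():
                if key.lower() != "ec2:subnet":
                    continue
                for value in _as_list(values):
                    if SUBNET_ID_RE.match(value):
                        findings.append((stmt.get("Sid", "<no Sid>"), value))
    return findings


def rewrite_subnet_conditions(policy, region, account_id):
    """Return a deep copy of policy with bare subnet IDs expanded to subnet ARNs.

    Values that are already ARNs (or wildcards) are left untouched; the input
    policy is not modified.
    """
    fixed = json.loads(json.dumps(policy))  # deep copy via round-trip
    for stmt in _as_list(fixed.get("Statement", [])):
        for _operator, pairs in stmt.get("Condition", {}).items():
            for key in list(pairs):
                if key.lower() != "ec2:subnet":
                    continue
                expanded = []
                for value in _as_list(pairs[key]):
                    if SUBNET_ID_RE.match(value):
                        value = f"arn:aws:ec2:{region}:{account_id}:subnet/{value}"
                    expanded.append(value)
                pairs[key] = expanded
    return fixed


if __name__ == "__main__":
    for sid, value in find_bare_subnet_conditions(SAMPLE_POLICY):
        print(f"{sid}: ec2:Subnet value {value!r} is a bare ID; use the subnet ARN")
    corrected = rewrite_subnet_conditions(SAMPLE_POLICY, "us-east-1", "123456789012")
    print(json.dumps(corrected, indent=2))
```

Run it against the JSON you are about to attach to the role (for example in a pre-commit hook or a Terraform `validate` step); an empty result from `find_bare_subnet_conditions` means every `ec2:Subnet` value is at least ARN-shaped, which is the condition the accepted answer says was missing. When the corrected policy still produces `UnauthorizedOperation`, the CloudTrail `CreateNetworkInterfacePermission` event for the CodeBuild role shows which subnet the service actually requested, which is the value the condition has to match.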

For amazon-web-services - AWS CodeBuild VPC_CLIENT_ERROR : Unexpected EC2 error: UnauthorizedOperation, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/58321632/
