I want to set up CI/CD with GitHub Actions so that every time new code is committed and pushed, it creates a new application version in AWS Elastic Beanstalk. Here is the workflow .yml:
    name: Build Frontend and Deploy
    on:
      push:
        branches: [ master ]
    jobs:
      deploy:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v2
          - uses: actions/setup-node@v1
            with:
              node-version: '12'
          - name: Install app dependencies
            run: npm install
          - name: Build sapper app
            run: npm run build
          - name: Create ZIP deployment package
            run: zip -r deploy_frontend.zip ./
          - name: Configure AWS Credentials
            uses: aws-actions/configure-aws-credentials@v1
            with:
              aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
              aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
              aws-region: "us-east-1"
          - name: Upload package to S3 bucket
            run: aws s3 cp deploy_frontend.zip s3://***-deploy-dev/
          - name: Create new ElasticBeanstalk application version
            run: |
              aws elasticbeanstalk create-application-version \
                --application-name *** \
                --source-bundle S3Bucket="***",S3Key="deploy_frontend.zip" \
                --version-label "ver-${{ github.sha }}" \
                --description "commit-sha-${{ github.sha }}"
          - name: Deploy new ElasticBeanstalk application version
            run: |
              aws elasticbeanstalk update-environment \
                --environment-name *** \
                --version-label "ver-${{ github.sha }}"
Note: I used *** to hide the application and environment names.
The build fails at the "Deploy new ElasticBeanstalk application version" step. The full error is:
    Run aws elasticbeanstalk update-environment \
      aws elasticbeanstalk update-environment \
        --environment-name *** \
        --version-label "ver-44d23ff7b95541c3527b0a7f156c1377d3fdc217"
      shell: /bin/bash -e {0}
      env:
        AWS_DEFAULT_REGION: us-east-1
        AWS_REGION: us-east-1
        AWS_ACCESS_KEY_ID: ***
        AWS_SECRET_ACCESS_KEY: ***
    An error occurred (InsufficientPrivilegesException) when calling the UpdateEnvironment operation: Access Denied
    Error: Process completed with exit code 255.
However, I think I have set the relevant permissions in the AWS policy. Here is the policy for the GitHub Actions user:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "elasticbeanstalk:UpdateEnvironment",
                "Resource": "arn:aws:elasticbeanstalk:us-east-1:917801217495:environment/appname/*"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "elasticbeanstalk:ListPlatformBranches",
                    "elasticbeanstalk:DescribeAccountAttributes",
                    "elasticbeanstalk:CreateStorageLocation",
                    "elasticbeanstalk:CheckDNSAvailability"
                ],
                "Resource": "*"
            },
            {
                "Sid": "VisualEditor2",
                "Effect": "Allow",
                "Action": "elasticbeanstalk:*",
                "Resource": [
                    "arn:aws:elasticbeanstalk:*:917801217495:applicationversion/*/*",
                    "arn:aws:elasticbeanstalk:us-east-1:917801217495:environment/appname/*",
                    "arn:aws:elasticbeanstalk:us-east-1:917801217495:application/appname"
                ]
            }
        ]
    }
Again, I replaced my application name with appname.
I even tried it in the policy simulator, and the policy works as expected. What could be the problem here?
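
An added example, not part of the original question: a simplified evaluator run over the posted policy, showing that it allows elasticbeanstalk:UpdateEnvironment on the environment ARN (consistent with the policy simulator result) while granting nothing outside the elasticbeanstalk: namespace. It assumes that Elastic Beanstalk environment operations also act on underlying resources with the caller's permissions; the non-Elastic-Beanstalk actions and the env-name, ver-1, stack and bucket names are constructed samples, not values from the page.

```python
import re
ACCOUNT = "917801217495"  # account ID as it appears in the posted policy
EB = f"arn:aws:elasticbeanstalk:us-east-1:{ACCOUNT}"
POLICY = {"Version": "2012-10-17", "Statement": [  # the three posted statements, Sids dropped
    {"Effect": "Allow", "Action": "elasticbeanstalk:UpdateEnvironment",
     "Resource": f"{EB}:environment/appname/*"},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "elasticbeanstalk:ListPlatformBranches", "elasticbeanstalk:DescribeAccountAttributes",
        "elasticbeanstalk:CreateStorageLocation", "elasticbeanstalk:CheckDNSAvailability"]},
    {"Effect": "Allow", "Action": "elasticbeanstalk:*", "Resource": [
        f"arn:aws:elasticbeanstalk:*:{ACCOUNT}:applicationversion/*/*",
        f"{EB}:environment/appname/*", f"{EB}:application/appname"]},
]}

def _glob(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def allowed(policy, action, resource):
    """Simplified identity-policy check: explicit Deny wins, else any matching Allow.
    Conditions, NotAction/NotResource, SCPs and permission boundaries are not modelled."""
    decision = False
    for st in policy["Statement"]:
        # Action names match case-insensitively; resource ARNs are case-sensitive.
        hit = (any(_glob(a, action, True) for a in _as_list(st["Action"]))
               and any(_glob(r, resource) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False
        decision = decision or (hit and st["Effect"] == "Allow")
    return decision

# Constructed requests: env-name, ver-1, the stack and the bucket are placeholders.
REQUESTS = [
    ("elasticbeanstalk:UpdateEnvironment", f"{EB}:environment/appname/env-name"),
    ("elasticbeanstalk:CreateApplicationVersion", f"{EB}:applicationversion/appname/ver-1"),
    ("cloudformation:UpdateStack", f"arn:aws:cloudformation:us-east-1:{ACCOUNT}:stack/sample-stack/sample-id"),
    ("s3:GetObject", "arn:aws:s3:::sample-deploy-bucket/deploy_frontend.zip"),
    ("autoscaling:UpdateAutoScalingGroup", "*"),
]

def report(policy=POLICY, requests=REQUESTS):
    """Map each requested action to True (allowed) or False (implicit deny)."""
    return {action: allowed(policy, action, res) for action, res in requests}

if __name__ == "__main__":
    for action, ok in report().items():
        print(f"{'ALLOW' if ok else 'implicit deny':<13} {action}")
```

The last three requests fall to implicit deny under this policy alone, so whether they succeed depends on any other policies attached to the same user.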