2

我有一个 cloudformation 堆栈,它导出这个角色并附加了一些策略:

      CodeBuildRole:
        Type: AWS::IAM::Role
        Properties:
          RoleName: codebuild-role
          AssumeRolePolicyDocument:
            Statement:
              - Action: ['sts:AssumeRole']
                Effect: Allow
                Principal:
                  Service:
                    - codebuild.amazonaws.com
                    - codepipeline.amazonaws.com
            Version: '2012-10-17'
          Path: /
          Policies:
            - etc....

导出的角色名称是cb-remove-role-id我然后尝试将其导入另一个堆栈以供代码管道中的另一个代码构建项目使用

      BuildProjectUK:
        Type: AWS::CodeBuild::Project
        Properties:
          Name: !Sub ${ResourceContext}-build-uk
          Description: UK build and deploy
          ServiceRole: !ImportValue cb-remove-role-id
          BadgeEnabled: false
          Artifacts:
            Type: CODEPIPELINE
          Environment:
            etc...

尝试更新后一个堆栈的模板时,我收到此错误:

调用UpdateProject失败,原因:CodeBuild无权执行:sts:AssumeRole on arn:aws:iam::xxxxxxxxx:role/xxxxxxxxx(服务:AWSCodeBuild;状态码:400;错误码:InvalidInputException;请求ID:xxxxxxxxxxxxxxxx;代理:空)

任何想法为什么会这样或我如何解决这个问题?

谢谢

4

1 回答 1

2

使用 Arn 而不是 RoleId 导出角色解决了这个问题谢谢@Marcin

输出失败:

  CodeBuildRemoveRoleId:
    Description: ID of role used by remove codebuild project
    Value: !GetAtt CodeBuildRole.RoleId
    Export:
      Name: cb-remove-role-id

传递输出:

  CodeBuildRemoveRoleId:
    Description: ID of role used by remove codebuild project
    Value: !GetAtt CodeBuildRole.Arn
    Export:
      Name: cb-remove-role-id
于 2021-02-13T19:51:20.510 回答