I configured the IAM role with the definition below. When I configure the condition below, I get an AccessDenied error. What am I doing wrong?
Access Denied
"Condition": {
  "StringEquals": {
    "gitlab.com:sub": "https://gitlab.com/pradeepkumarl/configure-openid-connect-in-aws::ref_type:branch:ref:main"
  }
}
Full policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<account-id>:oidc-provider/gitlab.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "gitlab.com:sub": "https://gitlab.com/pradeepkumarl/configure-openid-connect-in-aws::ref_type:branch:ref:main"
        }
      }
    }
  ]
}
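The sub field in the condition is wrong. Its format should be project_path::ref_type:branch:ref:. You don't need to include the GitLab URL.
Also keep in mind that you may need to change "StringEquals" to "StringLike" to accommodate wildcards, as described in the troubleshooting section of the documentation: https://docs.gitlab.com/ee/ci/cloud_services/aws/index.html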
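To check both points of the answer locally, the following added example (not from the original post, GitLab or AWS) decodes a job token's claims and evaluates a trust-policy Condition block against them. The sample sub value is constructed following GitLab's documented `project_path:{group}/{project}:ref_type:{type}:ref:{branch_name}` format; all function names are hypothetical, and only StringEquals and StringLike are modelled.

```python
import base64
import json
import re

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (local debugging only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def string_like(pattern, value):
    """IAM StringLike: '*' = any run of characters, '?' = one character, case-sensitive."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

OPERATORS = {"StringEquals": lambda p, v: p == v, "StringLike": string_like}

def condition_matches(condition, claims):
    """True only if every operator and key in the Condition block matches the claims."""
    for op, keys in condition.items():
        for key, expected in keys.items():
            claim = key.split(":", 1)[1]  # "gitlab.com:sub" -> "sub"
            patterns = expected if isinstance(expected, list) else [expected]
            value = claims.get(claim)
            # Several values under one key are alternatives; separate keys must all match.
            if value is None or not any(OPERATORS[op](p, value) for p in patterns):
                return False
    return True

def make_sample_token(claims):
    """Build a constructed, unsigned token so the example runs offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

# Constructed sample claim for a job on branch main (assumed format, see lead-in).
PROJECT = "project_path:pradeepkumarl/configure-openid-connect-in-aws"
SAMPLE_SUB = PROJECT + ":ref_type:branch:ref:main"
WILDCARD = PROJECT + ":ref_type:branch:ref:*"
# The value from the question, which includes the GitLab URL.
QUESTION_SUB = "https://gitlab.com/pradeepkumarl/configure-openid-connect-in-aws::ref_type:branch:ref:main"

if __name__ == "__main__":
    claims = jwt_claims(make_sample_token({"sub": SAMPLE_SUB}))
    for op, pattern in [("StringEquals", QUESTION_SUB), ("StringEquals", SAMPLE_SUB),
                        ("StringEquals", WILDCARD), ("StringLike", WILDCARD)]:
        ok = condition_matches({op: {"gitlab.com:sub": pattern}}, claims)
        print(f"{op:12} {pattern} -> {'match' if ok else 'AccessDenied'}")
```

In a real pipeline, print the decoded sub claim of the job's ID token and compare it with the policy value; the role is only assumable when the two match under the chosen operator.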