首先,我为我的英语感到抱歉。我正在开发一个CodepPipeline,使用CodeBuild将React应用程序部署到S3。在测试环境中是可以的,但当我将其部署在暂存环境中时,我得到了拒绝访问错误:
调用PutObject操作时发生错误(AccessDenied(:Access Denied
发生这种情况是因为在Staging环境中,S3 Bucket已经获得了一些策略。它是这样的:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront ABC"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::s3staging/*"
},
{
"Sid": "IPAllow",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::s3staging/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"11.11.1.11/11" *VPN Address
.... Another Ip range (s)
]
}
}
}
]
}
据我所知,它只允许来自CloudFront的请求,并从VPN地址进行部署。但现在我需要从CodeBuild部署它。因此,在不修改现有策略的情况下,我试图通过在aws:SourceIp中添加我所在区域的CodeBuild的IP来修复它:13.112.191.184/29,希望它能允许CodeBuild在S3上删除和创建文件。遗憾的是,它不起作用。
我尝试了很多方法,比如允许CodeBuild的serviceRole的ARN,但它也不起作用。
{
"Sid": "Stmt1599214911530",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::s3test-resopa-pwa/*",
"Principal": {
"AWS": [
"arn:aws:iam::123456:role/service-role/AWSCodePipelineServiceRole-ap-northeast-1-staging"
]
}
}
有经验的人能在这个问题上帮我吗。如果能给我一些建议,我真的很感激。非常感谢。
修复它。
"Condition": {
"ArnNotEquals": {
"aws:PrincipalArn": "arn:aws:iam::codebuild-role"
},
"NotIpAddress": {
"aws:SourceIp": [
"153.156.28.29/32",
... Others IP Range