Background and goal
I want CodePipeline to access the S3 bucket I specified as its artifact store.
When creating a CodePipeline you specify the S3 bucket and KMS key for the artifacts,
and if you follow the management console wizard a role and policy are created automatically; that policy grants
S3:*
but for reasons on our side
I have to remove the S3:* grant.
After removing it and attaching the permissions that seemed necessary, the error below occurs.
Does CodePipeline's service role check for an S3:* grant?
Or is some permission still missing?
I cannot work out the necessary and sufficient set of permissions and am stuck.
######### Addendum below ##############
After various tests, the root cause appears to be that
access from CodePipeline matches neither of the conditions StaticRule01 and StaticRule02
in the policy configured as "separate policy (restriction) for s3:PutObject only".
1. Is it possible at all to configure things so that access from CodePipeline matches one of those rules?
2. If it is possible, how should it be done?
I would appreciate your guidance.
######### End of addendum ############
Problem / error message
Error in the Source stage of CodePipeline
The service role or action role doesn’t have the permissions required to access the Amazon S3 bucket named hogehoge-bucket. Update the IAM role permissions, and then try again. Error: Amazon S3:AccessDenied:Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: XXXXXXXXXXXXXXX; S3 Extended Request ID: XXXXXXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXX/XXXXXXXXXXX; Proxy: null)
The message does not say which permission in particular is missing.
Relevant source code and what I tried
Bucket policy on the S3 bucket in question
```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111111111111:role/service-role/CodePipelineサービスロール"
        ]
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::hogehoge-bucket"
    }
  ]
}
```
Key policy of the KMS key configured on the S3 bucket
```json
{
  "Sid": "Allow use",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::111111111111:role/service-role/CodePipelineサービスロール"
    ]
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
```
I have attached policies granting the following permissions to the CodePipeline service role.
Separate policy (restriction) for s3:PutObject only
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PutObjectForLimitedTargets",
      "Effect": "Deny",
      "Action": [
        "s3:PutObject"
      ],
      "NotResource": [
        "arn:aws:s3:::hogehoge-bucket/*",
        "arn:aws:s3:::hogehoge-bucket"
      ]
    }
  ]
}
```
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutAnalyticsConfiguration",
        "s3:GetObjectVersionTagging",
        "s3:GetStorageLensConfigurationTagging",
        "s3:ReplicateObject",
        "s3:GetObjectAcl",
        "s3:GetBucketObjectLockConfiguration",
        "s3:DeleteBucketWebsite",
        "s3:GetIntelligentTieringConfiguration",
        "s3:DeleteJobTagging",
        "s3:PutLifecycleConfiguration",
        "s3:GetObjectVersionAcl",
        "s3:PutBucketAcl",
        "s3:PutObjectTagging",
        "s3:DeleteObject",
        "s3:DeleteObjectTagging",
        "s3:GetBucketPolicyStatus",
        "s3:GetObjectRetention",
        "s3:GetBucketWebsite",
        "s3:GetJobTagging",
        "s3:DeleteStorageLensConfigurationTagging",
        "s3:PutReplicationConfiguration",
        "s3:DeleteObjectVersionTagging",
        "s3:PutObjectLegalHold",
        "s3:GetObjectLegalHold",
        "s3:GetBucketNotification",
        "s3:PutBucketCORS",
        "s3:DeleteBucketPolicy",
        "s3:GetReplicationConfiguration",
        "s3:ListMultipartUploadParts",
        "s3:GetObject",
        "s3:PutBucketNotification",
        "s3:DescribeJob",
        "s3:PutBucketLogging",
        "s3:PutObjectVersionAcl",
        "s3:GetAnalyticsConfiguration",
        "s3:PutBucketObjectLockConfiguration",
        "s3:GetObjectVersionForReplication",
        "s3:GetStorageLensDashboard",
        "s3:GetLifecycleConfiguration",
        "s3:GetInventoryConfiguration",
        "s3:GetBucketTagging",
        "s3:PutAccelerateConfiguration",
        "s3:DeleteObjectVersion",
        "s3:GetBucketLogging",
        "s3:ListBucketVersions",
        "s3:ReplicateTags",
        "s3:RestoreObject",
        "s3:ListBucket",
        "s3:GetAccelerateConfiguration",
        "s3:GetBucketPolicy",
        "s3:PutEncryptionConfiguration",
        "s3:GetEncryptionConfiguration",
        "s3:GetObjectVersionTorrent",
        "s3:AbortMultipartUpload",
        "s3:PutBucketTagging",
        "s3:GetBucketRequestPayment",
        "s3:DeleteBucketOwnershipControls",
        "s3:GetAccessPointPolicyStatus",
        "s3:UpdateJobPriority",
        "s3:GetObjectTagging",
        "s3:GetMetricsConfiguration",
        "s3:GetBucketOwnershipControls",
        "s3:DeleteBucket",
        "s3:PutBucketVersioning",
        "s3:PutObjectAcl",
        "s3:GetBucketPublicAccessBlock",
        "s3:ListBucketMultipartUploads",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutMetricsConfiguration",
        "s3:PutStorageLensConfigurationTagging",
        "s3:PutBucketOwnershipControls",
        "s3:PutObjectVersionTagging",
        "s3:PutJobTagging",
        "s3:UpdateJobStatus",
        "s3:GetBucketVersioning",
        "s3:GetBucketAcl",
        "s3:BypassGovernanceRetention",
        "s3:PutInventoryConfiguration",
        "s3:GetObjectTorrent",
        "s3:GetStorageLensConfiguration",
        "s3:DeleteStorageLensConfiguration",
        "s3:PutBucketWebsite",
        "s3:PutBucketRequestPayment",
        "s3:PutObjectRetention",
        "s3:GetBucketCORS",
        "s3:PutBucketPolicy",
        "s3:GetBucketLocation",
        "s3:GetAccessPointPolicy",
        "s3:ReplicateDelete",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::hogehoge-bucket"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:ListStorageLensConfigurations",
        "s3:GetAccessPoint",
        "s3:PutAccountPublicAccessBlock",
        "s3:GetAccountPublicAccessBlock",
        "s3:ListAllMyBuckets",
        "s3:ListAccessPoints",
        "s3:ListJobs",
        "s3:PutStorageLensConfiguration",
        "s3:CreateJob"
      ],
      "Resource": "*"
    }
  ]
}
```
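A point worth checking on any S3 permission problem like the one above: in IAM, actions such as s3:ListBucket and s3:GetBucket* are evaluated against the bucket ARN (`arn:aws:s3:::bucket`), while s3:GetObject, s3:GetObjectVersion and s3:PutObject are evaluated against the object ARN (`arn:aws:s3:::bucket/key`), so an Allow statement whose Resource lists only the bucket ARN grants no object-level access at all. The script below is an added example (not code from the question or from AWS): a small offline evaluator for identity-based policy statements that applies the explicit-deny > allow > implicit-deny order and IAM's `*`/`?` wildcard matching, plus a lint that flags object-level actions granted only against bucket ARNs. The two policies in it are constructed, simplified stand-ins modeled on the Deny/NotResource policy and the VisualEditor0 statement posted above; the object key is made up. It deliberately ignores Condition blocks, the bucket policy, the KMS key policy and SCPs, so it shows how one piece of the evaluation works rather than replacing the real simulator.

```python
"""Offline evaluator and lint for identity-based IAM policy statements on S3 (constructed example)."""
import copy
import re

BUCKET_ARN = "arn:aws:s3:::hogehoge-bucket"                    # bucket name from the question
OBJECT_ARN = BUCKET_ARN + "/pipeline/SourceArti/abc123.zip"    # constructed object key

# Actions IAM evaluates against an object ARN (bucket/key) rather than the bucket ARN.
OBJECT_LEVEL_ACTIONS = {
    "s3:getobject", "s3:getobjectversion", "s3:putobject", "s3:deleteobject",
    "s3:abortmultipartupload", "s3:listmultipartuploadparts",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def _statement_applies(stmt: dict, action: str, resource: str) -> bool:
    """True if the statement names the action (case-insensitive) and its Resource/NotResource covers the ARN."""
    if not any(_glob_match(a.lower(), action.lower()) for a in _as_list(stmt.get("Action", []))):
        return False
    if "Resource" in stmt:
        return any(_glob_match(r, resource) for r in _as_list(stmt["Resource"]))
    if "NotResource" in stmt:
        return not any(_glob_match(r, resource) for r in _as_list(stmt["NotResource"]))
    return False


def evaluate(policies, action: str, resource: str) -> str:
    """Decision across identity policies: an explicit Deny wins, then any Allow, else implicit deny.
    Conditions, resource policies, SCPs and KMS key policies are intentionally not modeled."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"
            allowed = True
    return "allow" if allowed else "implicit_deny"


def object_actions_without_object_arn(policy) -> list:
    """Lint: (Sid, action) pairs where an Allow grants an object-level action but lists only bucket ARNs."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Resource" not in stmt:
            continue
        resources = _as_list(stmt["Resource"])
        # An S3 object ARN always contains '/' after the bucket name; '*' covers everything.
        if any(r == "*" or "/" in r for r in resources):
            continue
        for a in _as_list(stmt["Action"]):
            if a.lower() in OBJECT_LEVEL_ACTIONS:
                findings.append((stmt.get("Sid", "<no Sid>"), a))
    return findings


# Constructed stand-ins for the two identity policies in the question (trimmed action list).
DENY_PUT_OUTSIDE_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PutObjectForLimitedTargets",
        "Effect": "Deny",
        "Action": ["s3:PutObject"],
        "NotResource": [BUCKET_ARN + "/*", BUCKET_ARN],
    }],
}
ALLOW_BUCKET_ARN_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject",
                   "s3:ListBucket", "s3:GetBucketVersioning"],
        "Resource": BUCKET_ARN,  # bucket ARN only, mirroring the posted statement
    }],
}


def with_object_arn(policy):
    """Hardened copy: every Allow statement lists both the bucket ARN and bucket/* as resources."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        if stmt.get("Effect") == "Allow" and "Resource" in stmt:
            stmt["Resource"] = [BUCKET_ARN, BUCKET_ARN + "/*"]
    return fixed


if __name__ == "__main__":
    policies = [DENY_PUT_OUTSIDE_BUCKET, ALLOW_BUCKET_ARN_ONLY]
    print("lint findings:", object_actions_without_object_arn(ALLOW_BUCKET_ARN_ONLY))
    for act, res in [("s3:ListBucket", BUCKET_ARN), ("s3:GetObject", OBJECT_ARN), ("s3:PutObject", OBJECT_ARN)]:
        print(f"{act:16} -> {evaluate(policies, act, res)}")
    fixed = [DENY_PUT_OUTSIDE_BUCKET, with_object_arn(ALLOW_BUCKET_ARN_ONLY)]
    print("s3:GetObject after adding bucket/* ->", evaluate(fixed, "s3:GetObject", OBJECT_ARN))
```

Run as-is, the lint reports GetObject, GetObjectVersion and PutObject as granted only against the bucket ARN, ListBucket evaluates to allow, and the two object-level requests fall through to an implicit deny, which is exactly the class of failure that surfaces as a bare AccessDenied with no hint about the missing permission. Note that the Deny/NotResource statement itself does not block writes to hogehoge-bucket; it only refuses s3:PutObject elsewhere. For the authoritative answer on a real role, including the bucket policy and KMS key policy this toy ignores, run the IAM policy simulator (`aws iam simulate-principal-policy`) against the service role ARN with the object ARN as the resource.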