无法更新 Elasticbeanstalk 环境

Question

我在我的 EC2instance 中使用 AWSElasticBeanstalkClient 的 public UpdateEnvironmentResult updateEnvironment(UpdateEnvironmentRequest updateEnvironmentRequest) 方法，但出现以下错误

com.amazonaws.services.elasticbeanstalk.model.InsufficientPrivilegesException: You do not have permission to perform the 's3:CreateBucket' action. Verify that your S3 policies and your ACLs allow you to perform these actions. (Service: AWSElasticBeanstalk; Status Code: 403; Error Code: InsufficientPrivilegesException; Request ID: 412d8fab-0cfe-11e6-928e-e1e1532d705e)
    at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:1389)
    at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:902)
    at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:607)
    at com.amazonaws.http.AmazonHttpClient.doExecute(AmazonHttpClient.java:376)
    at com.amazonaws.http.AmazonHttpClient.executeWithTimer(AmazonHttpClient.java:338)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:287)
    at com.amazonaws.services.elasticbeanstalk.AWSElasticBeanstalkClient.doInvoke(AWSElasticBeanstalkClient.java:2223)
    at com.amazonaws.services.elasticbeanstalk.AWSElasticBeanstalkClient.invoke(AWSElasticBeanstalkClient.java:2193)
    at com.amazonaws.services.elasticbeanstalk.AWSElasticBeanstalkClient.updateEnvironment(AWSElasticBeanstalkClient.java:2093) 

我的 IAM 角色无权访问 s3:create 存储桶。但是为什么需要创建桶呢？有什么解决办法吗？

Answer 1

它正在将应用程序源包上传到 S3。

授予您的实例AWSElasticBeanstalkWebTier 策略权限。这将使您能够访问名为 elasticbeanstalk* 的存储桶的实例访问权限，SDK 将为存储桶命名。

Answer 2

这发生在我最近更新 Lambda 函数的策略后，从已弃用的 AWSLambdaFullAccess 到 AWSLambda_FullAccess。如果您还使用 SAM 模板来部署您的 Lambda 函数，请通过将其添加到您的模板来扩展权限：

LambdaFunction:
  Type: AWS::Serverless::Function
  Properties:
    Timeout: 270
    Policies:
      - AWSLambda_FullAccess
      - AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy