The Misleading "User is not authorized to access connection" Error in AWS CodeBuild — and Why Your IAM Policy Looks Fine
Morgan Wowk · 2026-05-25 · via DEV Community

If you've wired up an AWS CodeBuild project to pull source from GitHub
via CodeConnections (formerly CodeStar Connections), you may have hit
this error at the moment you call UpdateProject or trigger your first
build:

```text
OAuthProviderException: User is not authorized to access connection
arn:aws:codestar-connections:us-east-1:123456789012:connection/...
```

The error wording is wrong in two different ways at the same time, which
is what makes it such a brutal debugging session. This post walks
through what the message actually means, two distinct root causes that
both produce it, and the IAM policy shape that resolves both.

"User" doesn't mean what you think it means

The first thing to know: the User in the error message is almost never
the IAM principal making the API call. It's the CodeBuild service role,
the role CodeBuild will eventually assume to clone your repo at build
time.

When you call UpdateProject with a source.auth.type of CODECONNECTIONS,
AWS validates the service role's permissions to use the connection. If
those permissions are missing, the API call fails with this error and
blames "User", meaning the service role, not you.

So the first thing to do when this error fires: stop checking the
permissions on whoever ran the command, and start checking the
permissions on the service role referenced by the CodeBuild
project.

Trap #1: GetConnectionToken is required but undocumented

The AWS docs for CodeConnections IAM say you need
codestar-connections:UseConnection on the connection ARN. That's
true but incomplete.

You also need codestar-connections:GetConnectionToken — and
this requirement is undocumented in the IAM examples page as of
this writing. Without it, UpdateProject returns
OAuthProviderException even though your policy "looks right."

This trap was first surfaced publicly in a comment on a Terraform
AWS Provider GitHub issue, and you'll find it referenced in the
SDK source if you go looking. The minimum service-role grant that
actually works is:

```hcl
# The statement belongs in the policy document attached to the CodeBuild
# service role; it is shown inside a data "aws_iam_policy_document" block
# so the snippet is valid HCL on its own.
data "aws_iam_policy_document" "codebuild_connection_minimal" {
  statement {
    effect = "Allow"
    actions = [
      "codestar-connections:UseConnection",
      "codestar-connections:GetConnectionToken", # undocumented requirement
      "codeconnections:UseConnection",
      "codeconnections:GetConnectionToken",      # same
    ]
    resources = [aws_codestarconnections_connection.your_connection.arn]
  }
}
```

(More on why the snippet duplicates each action under both prefixes
in a moment.)

If you've been chasing this for an hour and your policy already has
UseConnection, adding GetConnectionToken is very likely the fix.

Trap #2: list actions don't accept ARN scoping

Now here's the meaner one — and the one that bites you the second
time, after you've added GetConnectionToken and your build still
fails with the same error.

CodeConnections has three actions that do not accept resource-level
permissions at all:

  • ListConnections
  • ListInstallationTargets
  • ListTagsForResource

If you grant these with resources scoped to a specific connection ARN,
the statement silently never matches the action: IAM only matches an
action that has no resource-level support against a statement whose
Resource is "*". AWS denies the call without telling you which action
was denied, and surfaces the same misleading "User is not authorized to
access connection" error as Trap #1. The "Resource types" column of the
Service Authorization Reference entry for each action is where to
confirm this before you scope any other CodeConnections action to an ARN.

AWS's internal flow for UpdateProject (and for the build's source-
resolution phase) calls list-level actions as part of validating the
connection binding. Your policy can grant codeconnections:* on the
connection ARN and STILL fail, because the wildcard doesn't help when
the action itself refuses resource-level scoping.

The fix: split your connections grant into two statements. List
actions get resources: ["*"]. Resource-level actions stay scoped to
your connection ARN.

```hcl
# Both statements go in the same policy document attached to the CodeBuild
# service role; shown inside a data "aws_iam_policy_document" block so the
# snippet is valid HCL on its own.
data "aws_iam_policy_document" "codebuild_connection" {
  # Statement 1: list-level actions that don't accept ARN scoping.
  # These MUST use "*" or they'll be silently denied.
  statement {
    sid    = "CodeConnectionsListLevel"
    effect = "Allow"
    actions = [
      "codestar-connections:ListConnections",
      "codestar-connections:ListInstallationTargets",
      "codestar-connections:ListTagsForResource",
      "codeconnections:ListConnections",
      "codeconnections:ListInstallationTargets",
      "codeconnections:ListTagsForResource",
    ]
    resources = ["*"]
  }

  # Statement 2: resource-level actions you can safely scope.
  statement {
    sid    = "CodeConnectionsResourceLevel"
    effect = "Allow"
    actions = [
      "codestar-connections:GetConnection",
      "codestar-connections:GetConnectionToken",
      "codestar-connections:PassConnection",
      "codestar-connections:UseConnection",
      "codeconnections:GetConnection",
      "codeconnections:GetConnectionToken",
      "codeconnections:PassConnection",
      "codeconnections:UseConnection",
    ]
    resources = [aws_codestarconnections_connection.your_connection.arn]
  }
}
```

If you'd rather not enumerate every action, the loosest version that's
still narrowly enough scoped is Get*, List*, Pass*, Use* on "*", with
the understanding that the role can then enumerate every connection in
your account and, through UseConnection and GetConnectionToken, use any
of them to clone whatever those connections reach. For a CI account that
holds only its own connections that's a reasonable tradeoff; where one
account hosts connections for several teams or repositories, keep the
split so the service role can only clone through its own connection.

Why both codestar-connections:* and codeconnections:*?

In March 2024 AWS renamed the service from CodeStar Connections to
CodeConnections. Both action prefixes still work, and AWS aliases them
internally, but different parts of the AWS SDK and AWS-internal callers
use different prefixes, sometimes within the same API call. ARNs created
before the rename keep the legacy arn:aws:codestar-connections:...
prefix; ARNs created after the rename keep it too, because changing them
would break thousands of existing integrations.

Granting both prefixes for every action you care about costs you nothing
(they name the same underlying permissions) and saves a future debugging
session if AWS quietly shifts its internal caller from one prefix to the
other.
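The three points above (the missing GetConnectionToken grant, list actions that refuse ARN scoping, and the two action prefixes) reduce to a couple of IAM evaluation rules that can be checked offline. The following is an added example, not code from the post or from AWS: a small policy linter that reproduces the rule behind Trap #2 (an action without resource-level support only matches a statement whose Resource is exactly "*"), checks the Trap #1 grant under both prefixes, and emits the post's two-statement split as a JSON policy document. The connection ARN and the "broken" policy are constructed samples; the function names are mine.

```python
"""Offline lint for the CodeBuild service-role policy described above.

Added example (not the post's code). Reproduces the IAM rule behind Trap #2
and the minimum grant behind Trap #1, under both action prefixes.
"""
import fnmatch

CONNECTION_ARN = ("arn:aws:codestar-connections:us-east-1:123456789012:"
                  "connection/0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0")  # constructed
PREFIXES = ("codestar-connections", "codeconnections")
# The three list-level actions the post says refuse ARN scoping.
LIST_LEVEL_ACTIONS = {"ListConnections", "ListInstallationTargets", "ListTagsForResource"}
# The minimum resource-level grant the post found actually works.
REQUIRED_RESOURCE_ACTIONS = {"UseConnection", "GetConnectionToken"}
# Resource-level actions granted by the post's fixed Statement 2.
RESOURCE_LEVEL_ACTIONS = ("GetConnection", "GetConnectionToken", "PassConnection", "UseConnection")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource_arn):
    """Approximate IAM's verdict for one action on one resource.

    Returns "allowed", "implicitDeny" or "explicitDeny". Action and resource
    patterns follow IAM's glob rules; action names compare case-insensitively.
    """
    _, name = action.split(":", 1)
    needs_star = name in LIST_LEVEL_ACTIONS
    verdict = "implicitDeny"
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if needs_star:
            # Trap #2: "codeconnections:*" on a connection ARN never gets here.
            matched = "*" in resources
        else:
            matched = any(fnmatch.fnmatchcase(resource_arn, r) for r in resources)
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"
        verdict = "allowed"
    return verdict


def lint(policy, connection_arn):
    """List every action the service role still lacks, tagged with its trap."""
    findings = []
    for prefix in PREFIXES:
        for name in sorted(REQUIRED_RESOURCE_ACTIONS):
            action = f"{prefix}:{name}"
            if evaluate(policy, action, connection_arn) != "allowed":
                findings.append(f"Trap #1: {action} not allowed on the connection ARN")
        for name in sorted(LIST_LEVEL_ACTIONS):
            action = f"{prefix}:{name}"
            if evaluate(policy, action, connection_arn) != "allowed":
                findings.append(f"Trap #2: {action} needs Resource \"*\"")
    return findings


def build_service_role_policy(connection_arn):
    """The post's two-statement split, as a JSON policy document (not HCL)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "CodeConnectionsListLevel", "Effect": "Allow",
             "Action": [f"{p}:{a}" for p in PREFIXES for a in sorted(LIST_LEVEL_ACTIONS)],
             "Resource": "*"},
            {"Sid": "CodeConnectionsResourceLevel", "Effect": "Allow",
             "Action": [f"{p}:{a}" for p in PREFIXES for a in RESOURCE_LEVEL_ACTIONS],
             "Resource": connection_arn},
        ],
    }


# Constructed: the policy that "looks right", a wildcard on the ARN, one prefix.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "codeconnections:*", "Resource": CONNECTION_ARN}],
}

if __name__ == "__main__":
    for finding in lint(BROKEN_POLICY, CONNECTION_ARN):
        print(finding)
    print("fixed policy findings:", lint(build_service_role_policy(CONNECTION_ARN), CONNECTION_ARN))
```

Run against BROKEN_POLICY the linter reports eight findings: the three list actions under each prefix (Trap #2) plus UseConnection and GetConnectionToken under the legacy prefix, which the single-prefix wildcard never covered. The document returned by build_service_role_policy() produces none.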

A note on diagnosis

When this error fires and your IAM simulator says the calling user has
the permissions, the simulator is testing the wrong principal. The
denial is on the service role, not the API caller. In CloudTrail, the
event for the failed UpdateProject records the caller in userIdentity
and the failure in errorCode and errorMessage; when the message names a
principal by ARN, that ARN, not the caller, is the one to check. That's
the surest way to ground-truth what's failing.

aws iam simulate-principal-policy is still useful — just point it
at the service role's ARN, not your own:

```bash
aws iam simulate-principal-policy \
  --policy-source-arn arn:aws:iam::ACCOUNT:role/your-codebuild-service-role \
  --action-names \
    codestar-connections:UseConnection \
    codestar-connections:GetConnectionToken \
    codestar-connections:GetConnection \
    codeconnections:ListConnections \
    codeconnections:ListInstallationTargets \
  --resource-arns CONNECTION_ARN
```

The list actions will report implicitDeny against an ARN-scoped
policy even when the resource-level ones are allowed. That's the
giveaway.
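Reading the simulator output by eye works for five actions; for all fourteen across both prefixes it is easier to let a script say which trap each implicitDeny points at. The following is an added example, not code from the post: build_simulation_argv() assembles the aws CLI invocation above for every action under both prefixes, and triage() reads the JSON the command prints and classifies each non-allowed result. SAMPLE_OUTPUT is constructed to look like the simulator's EvaluationResults for an ARN-scoped policy that lacks GetConnectionToken; it is not captured from a real account, and the role and connection ARNs are made up.

```python
"""Triage for the simulate-principal-policy run shown above.

Added example (not the post's code). Builds the CLI call for all 14 actions
and maps each denied action in the JSON result to the trap it indicates.
"""
import json

ROLE_ARN = "arn:aws:iam::123456789012:role/your-codebuild-service-role"  # constructed
CONNECTION_ARN = ("arn:aws:codestar-connections:us-east-1:123456789012:"
                  "connection/0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0")     # constructed
PREFIXES = ("codestar-connections", "codeconnections")
LIST_LEVEL = ("ListConnections", "ListInstallationTargets", "ListTagsForResource")
RESOURCE_LEVEL = ("GetConnection", "GetConnectionToken", "PassConnection", "UseConnection")


def build_simulation_argv(role_arn, connection_arn):
    """argv for `aws iam simulate-principal-policy` covering both prefixes."""
    actions = [f"{p}:{a}" for p in PREFIXES for a in LIST_LEVEL + RESOURCE_LEVEL]
    return (["aws", "iam", "simulate-principal-policy",
             "--policy-source-arn", role_arn,   # the service role, not you
             "--resource-arns", connection_arn,
             "--output", "json",
             "--action-names"] + actions)


def triage(simulation_json):
    """Map each non-allowed action in the simulator output to a diagnosis."""
    verdicts = {}
    for result in json.loads(simulation_json)["EvaluationResults"]:
        action, decision = result["EvalActionName"], result["EvalDecision"]
        if decision == "allowed":
            continue
        _, name = action.split(":", 1)
        if decision == "explicitDeny":
            verdicts[action] = "explicit Deny (a Deny statement, permissions boundary or SCP)"
        elif name in LIST_LEVEL:
            # The giveaway from the post: list actions implicitly denied
            # while resource-level ones on the same ARN are allowed.
            verdicts[action] = "Trap #2: list action scoped to an ARN; grant it on Resource \"*\""
        else:
            verdicts[action] = "Trap #1: grant it on the connection ARN (check both prefixes)"
    return verdicts


def _result(action, decision):
    return {"EvalActionName": action, "EvalResourceName": CONNECTION_ARN, "EvalDecision": decision}


# Constructed: what the simulator reports when the policy has UseConnection
# on the ARN but no GetConnectionToken, and list actions scoped to the ARN.
SAMPLE_OUTPUT = json.dumps({"EvaluationResults": [
    _result("codestar-connections:UseConnection", "allowed"),
    _result("codestar-connections:GetConnectionToken", "implicitDeny"),
    _result("codestar-connections:GetConnection", "allowed"),
    _result("codeconnections:ListConnections", "implicitDeny"),
    _result("codeconnections:ListInstallationTargets", "implicitDeny"),
]})

if __name__ == "__main__":
    print(" ".join(build_simulation_argv(ROLE_ARN, CONNECTION_ARN)))
    for action, why in triage(SAMPLE_OUTPUT).items():
        print(f"{action}: {why}")
```

Pipe the real command's stdout into triage() (for example via subprocess.run with the argv the first function returns) and the three findings on the sample become whatever your account actually reports.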

A note on IAM eventual consistency

One more wrinkle: even with a correct policy, terraform apply
(or whatever provisioning tool you use) sometimes fails on the first
apply and succeeds on the second, with zero changes between them.

That's IAM eventual consistency. When the policy and the
UpdateProject call land in the same plan, the policy attachment
may not have propagated by the time the API call is made. AWS
returns the same misleading error, because at the moment of the
check, the service role genuinely doesn't have the permission yet.

If you're seeing this race repeatedly, the simplest workaround is
to put the IAM resources in a separate stack/workspace from the
CodeBuild project itself, so the policy is fully applied before
the project resource is touched. A CDK project that takes exactly
this approach is [linked at the bottom of this post]; their stack
comment explicitly calls out the eventual-consistency hazard.

Summary

If you're stuck on OAuthProviderException: User is not authorized to
access connection and your IAM looks correct:

  1. You're checking the wrong principal. It's the CodeBuild service role, not the caller.
  2. Add GetConnectionToken to the service role's grants — it's required but undocumented.
  3. Split list actions out to resources: ["*"]. They don't accept ARN scoping and will silently fail otherwise.
  4. Grant both codestar-connections:* and codeconnections:* action prefixes. The rename in 2024 left both still in use.
  5. If applies are flaky, separate the IAM policy from the CodeBuild project so policy attachments fully propagate first.

References worth bookmarking:

  • AWS docs: Permissions and examples for AWS CodeConnections
  • AWS docs: Troubleshooting connections
  • The Terraform AWS Provider GitHub issue where GetConnectionToken was first surfaced publicly (search the provider issues for OAuthProviderException)
  • fourTheorem's codebuild-gha-runners CDK repo (the connection-stack.ts file) for a working reference implementation that uses the wildcard-resource approach and addresses eventual consistency