Using AWS CodePipeline with a source repository that is a CodeCommit repository in another account


Is it possible to create a CodePipeline whose source is a CodeCommit repository in another account?


Hi, did you find an answer to your question? - Hamed Minaee

No. The search continues. The answer below lists the documentation I referenced when I asked the question. Not sure that person understood my question. - Alex Nelson

3 Answers


I had to do this, and I will explain the process.

Account C is the account that holds your CodeCommit repository. Account P is the account that owns your CodePipeline... pipeline.

In Account P:

  1. Create an AWS KMS encryption key and add Account C for access (the guide is in the prerequisite steps here). You also need to add the CodePipeline role and, if you have CodeBuild and CodeDeploy steps, those roles as well.

  2. In the CodePipeline artifact S3 bucket, you need to add access for Account C. Go to Bucket Policy and add:

    {
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::ACCOUNTC_ID:root"
        },
        "Action": [
            "s3:Get*",
            "s3:Put*"
        ],
        "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
    },
    {
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::ACCOUNTC_ID:root"
        },
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME"
    }

Change ACCOUNTC_ID to Account C's account ID, and change YOUR_BUCKET_NAME to the name of the CodePipeline artifact S3 bucket.

  3. Add a policy to your CodePipeline service role so that it can access Account C and the CodeCommit repository:

    {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::ACCOUNTC_ID:role/*"
            ]
        }
    }

Change ACCOUNTC_ID to Account C's account ID.

In Account C:

  1. Create an IAM policy that allows Account P to access the CodeCommit resources and the KMS key, so that it can encrypt them with the same key as the rest of your CodePipeline:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject*",
                    "s3:PutObject",
                    "s3:PutObjectAcl",
                    "codecommit:ListBranches",
                    "codecommit:ListRepositories"
                ],
                "Resource": [
                    "arn:aws:s3:::YOUR_BUCKET_NAME_IN_ACCOUNTP_FOR_CODE_PIPELINE/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "kms:DescribeKey",
                    "kms:GenerateDataKey*",
                    "kms:Encrypt",
                    "kms:ReEncrypt*",
                    "kms:Decrypt"
                ],
                "Resource": [
                    "arn:aws:kms:YOUR_KMS_ARN"
                ]
            }
        ]
    }

Replace the bucket name and the KMS ARN in the policy above. Save the policy as something like CrossAccountPipelinePolicy.

  2. Create a role for cross-account access and attach the policy above together with the AWSCodeCommitFullAccess policy. Make sure the trusted entity is set to Account P's account ID.

In the AWS CLI (this cannot be done in the console, so you have to use the AWS CLI): this step makes your CodePipeline in Account P assume the role in the Source step and dump the source into the S3 bucket for your next step to use.

    aws codepipeline get-pipeline --name NameOfPipeline > pipeline.json

Modify the pipeline JSON so that it looks like this, replacing the required parts:

"pipeline": {
        "name": "YOUR_PIPELINE_NAME",
        "roleArn": "arn:aws:iam::AccountP_ID:role/ROLE_NAME_FOR_CODE_PIPELINE",
        "artifactStore": {
            "type": "S3",
            "location": "YOUR_BUCKET_NAME",
            "encryptionKey": {
              "id": "arn:aws:kms:YOUR_KMS_KEY_ARN",
              "type": "KMS"
            }
        },
        "stages": [
            {
                "name": "Source",
                "actions": [
                    {
                        "name": "Source",
                        "actionTypeId": {
                            "category": "Source",
                            "owner": "AWS",
                            "provider": "CodeCommit",
                            "version": "1"
                        },
                        "runOrder": 1,
                        "roleArn": "arn:aws:iam::AccountC_ID:role/ROLE_NAME_WITH_CROSS_ACCOUNT_POLICY",
                        "configuration": {
                            "BranchName": "master",
                            "PollForSourceChanges": "false",
                            "RepositoryName": "YOURREPOSITORYNAME"
                        },
                        "outputArtifacts": [
                            {
                                "name": "MyApp"
                            }
                        ],
                        "inputArtifacts": []
                    }
                ]
            },

Update the pipeline with aws codepipeline update-pipeline --cli-input-json file://pipeline.json.

Verify that it works by running the pipeline.
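The "modify the pipeline JSON" step above is where most of the mistakes happen, so here is a small helper, written as an added example (not part of the answer above), that takes the document saved by get-pipeline and produces the body for update-pipeline: it drops the read-only metadata block, pins the artifact store to the shared CMK, and sets the cross-account roleArn on the CodeCommit source action. The account IDs, role names and key ID in the constructed sample are placeholders.

```python
import copy
import json

def prepare_cross_account_pipeline(doc, source_role_arn, kms_key_arn):
    """Return a body for `update-pipeline --cli-input-json`: drop the read-only
    "metadata" block that get-pipeline emits (update-pipeline rejects it), pin
    the artifact store to the CMK shared with the repository account, and give
    every CodeCommit source action the role ARN from that account. Polling is
    forced off because cross-account change detection has to come via events."""
    pipeline = copy.deepcopy(doc["pipeline"])
    pipeline["artifactStore"]["encryptionKey"] = {"id": kms_key_arn, "type": "KMS"}
    patched = 0
    for stage in pipeline["stages"]:
        for action in stage["actions"]:
            kind = action["actionTypeId"]
            if kind["category"] == "Source" and kind["provider"] == "CodeCommit":
                action["roleArn"] = source_role_arn
                action.setdefault("configuration", {})["PollForSourceChanges"] = "false"
                patched += 1
    if patched == 0:
        raise ValueError("pipeline has no CodeCommit source action to rewire")
    return {"pipeline": pipeline}

# Constructed sample resembling `get-pipeline` output; account IDs and the key
# ID are placeholders, not real resources.
SAMPLE = {
    "pipeline": {
        "name": "demo",
        "roleArn": "arn:aws:iam::111111111111:role/CodePipelineRole",
        "artifactStore": {"type": "S3", "location": "codepipeline-demo-bucket"},
        "stages": [{
            "name": "Source",
            "actions": [{
                "name": "Source",
                "actionTypeId": {"category": "Source", "owner": "AWS",
                                 "provider": "CodeCommit", "version": "1"},
                "configuration": {"BranchName": "master", "RepositoryName": "app",
                                  "PollForSourceChanges": "true"},
                "outputArtifacts": [{"name": "MyApp"}], "inputArtifacts": [],
            }],
        }],
    },
    "metadata": {"pipelineArn": "arn:aws:codepipeline:us-east-1:111111111111:demo"},
}

if __name__ == "__main__":
    body = prepare_cross_account_pipeline(
        SAMPLE, "arn:aws:iam::222222222222:role/CrossAccountPipelineRole",
        "arn:aws:kms:us-east-1:111111111111:key/KEY_ID_PLACEHOLDER")
    print(json.dumps(body, indent=2))  # save as pipeline.json, then run update-pipeline
```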


Thanks for your help. I referenced your answer and got our multi-account CodePipeline working. - krchun

I tried this but got an error: An error occurred (AccessDeniedException) when calling the UpdatePipeline operation: Cross-account pass role is not allowed. Can you help? - Bhatasana Prashant

I tried running the pipeline but got an error: "The service role or action role does not have the permissions required to access the Amazon S3 bucket named codepipeline-********. Update the IAM role permissions and try again. Error: Amazon S3: AccessDenied: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 7DF5A64758465G6V; S3 Extended Request ID: n/tlbrqIZqy10Xp1V2bSDFRg9dTGf1MwAZpE0AD2fIP6pnCfoSf3QI02v6NBQInIVR3aJQdXIMk=; Proxy: null)". Please help. - Bhatasana Prashant

@BhatasanaPrashant, if you are using the profile syntax, try replacing "aws codepipeline update-pipeline --cli-input-json file://pipeline.json --profile prodaccess" with "AWS_PROFILE=prodaccess aws codepipeline update-pipeline --cli-input-json file://pipeline.json". Source: https://github.com/serverless/serverless/issues/3374 - Ron

@BhatasanaPrashant, did this work for you? I am getting the same error. - Shank


You can use a CodeCommit repository in another account with a pipeline to deploy resources.

Assume you have Account A, which contains your CodeCommit repository, and Account B, which contains your CodePipeline.

Configure the following in Account B:

  1. You need to create a custom KMS key, because the AWS default key does not have an associated key policy. You can use Create a Pipeline in CodePipeline That Uses Resources from Another AWS Account if you need assistance with creating the CMK. Add the CodePipeline service role to the KMS key policy to allow the pipeline to use it.

  2. Event bus for receiving events from the other account: go to CloudWatch → Event Buses under the Events section → Add Permission → enter the DEV AWS Account Id → Add. For more details, see Creating an Event Bus.

  3. Add the following policy to the S3 pipeline artifact store:

    {
        "Version": "2012-10-17",
        "Id": "PolicyForKMSAccess",
        "Statement": [
            {
                "Sid": "AllowAccessFromAAccount",
                "Effect": "Allow",
                "Principal": { "AWS": "arn:aws:iam::ACCOUNT_A_ID:root" },
                "Action": [ "s3:Get*", "s3:Put*", "s3:ListBucket" ],
                "Resource": [
                    "arn:aws:s3:::NAME-OF-THE-BUCKET",
                    "arn:aws:s3:::NAME-OF-THE-BUCKET/*"
                ]
            }
        ]
    }
    
  4. Edit the pipeline IAM role so that it can assume the role in Account A, as follows:

    {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::ACCOUNT_A_ID:role/*"
            ]
        }
    }
    
  5. Create a CloudWatch Event Rule to trigger the pipeline on the master branch of the CodeCommit repository in Account A. Add the CodePipeline's ARN as a target of this rule.

Now, in Account A, do the following:

  1. Create a cross-account IAM role with 3 policies:

a) AWSCodeCommitFullAccess

b) Inline policy allowing Account B to assume the role, as follows:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::ACCOUNT_B_ID:root"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

c) Inline policy for KMS, CodeCommit and S3 access:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:Get*",
                    "s3:Put*",
                    "codecommit:*"
                ],
                "Resource": [
                    "arn:aws:s3:::YOUR_BUCKET_NAME_IN_B_FOR_CODE_PIPELINE_ARTIFACTS/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [ "kms:*" ],
                "Resource": [ "arn:aws:kms:YOUR_KMS_ARN_FROM_B_ACCOUNT" ]
            }
        ]
    }

  2. Update your pipeline as Eran Medan suggested.

For more details, visit AWS CodePipeline with a cross-account CodeCommit repository.

Also, note that I granted more permissions than required, such as codecommit:* and kms:*; you can change these as needed.

Hope this helps.

