Amazon web services 跨帐户ECS部署
我正在尝试使用CodePipeline将一个帐户(AccountA)的ECR映像部署到另一个帐户(AccountB)的ECS群集。我在部署阶段遇到与权限相关的错误 以下是我在AccountA中的管道角色:Amazon web services 跨帐户ECS部署,amazon-web-services,amazon-ecs,aws-codepipeline,Amazon Web Services,Amazon Ecs,Aws Codepipeline,我正在尝试使用CodePipeline将一个帐户(AccountA)的ECR映像部署到另一个帐户(AccountB)的ECS群集。我在部署阶段遇到与权限相关的错误 以下是我在AccountA中的管道角色: { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject", "s3:GetObjectVe
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetBucketVersioning"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::<bucketname>/*"
],
"Effect": "Allow"
},
{
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:PutImage"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"codebuild:BatchGetBuilds",
"codebuild:InvalidateProjectCache",
"codebuild:StartBuild",
"codebuild:StopBuild",
"codebuild:UpdateProject",
"codebuild:UpdateWebhook"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"sts:AssumeRole"
],
"Resource": "arn:aws:iam::<AccountB>:role/taskexecutionrole",
"Effect": "Allow"
}
]
}
管道有一个ECR源,构建阶段生成一个imagedefinitions.json文件。最后在部署阶段进行ECS部署
我得到的错误是:
无效的操作配置
标识符用于AccountB。您的帐户ID是AccountA
answer仅对手动CLI部署有帮助,我已尝试了answer中的解决方案
任何我缺少的指针吗?让我们假设:
Account_A=>CodePipeline和Source账户B=>ECS 以下是所需内容: 账户A:
*AWSCodePipelineServiceRole
*工件存储区存储桶
*KMS\u密钥\u用于管道\u工件(客户管理密钥)
*工件存储区的存储桶策略允许帐户访问
*KMS上的密钥策略用于管道工件,以允许访问跨帐户角色(从帐户B)
账户
*跨帐户角色(与帐户的信任关系和完整ECS权限)
*正在运行且将被部署替换的ECS
imagedefinitions.json(必须是源代码的一部分)
Bucket\u工件存储策略\u S3\u Bucket
{
"Version": "2012-10-17",
"Id": "SSEAndSSLPolicy",
"Statement": [
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::Artifact_Store_S3_Bucket/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "aws:kms"
}
}
},
{
"Sid": "DenyInsecureConnections",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::Artifact_Store_S3_Bucket/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::Account_B:root"
},
"Action": [
"s3:Get*",
"s3:Put*"
],
"Resource": "arn:aws:s3:::Artifact_Store_S3_Bucket/*"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::Account_B:root"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::Artifact_Store_S3_Bucket"
}
]
}
pipeline.json:
{
"pipeline": {
"name": "test",
"roleArn": "arn:aws:iam::Account_A:role/service-role/AWSCodePipelineServiceRole",
"artifactStore": {
"type": "S3",
"location": "Artifact_Store_S3_Bucket",
"encryptionKey": {
"id": "arn:aws:kms:us-east-1:Account_A:key/KMS_Key_for_Pipeline_Artifact",
"type": "KMS"
}
},
"stages": [
{
"name": "Source",
"actions": [
{
"name": "Source",
"actionTypeId": {
"category": "Source",
"owner": "AWS",
"provider": "CodeCommit",
"version": "1"
},
"runOrder": 1,
"configuration": {
"BranchName": "master",
"PollForSourceChanges": "false",
"RepositoryName": "code"
},
"outputArtifacts": [
{
"name": "SourceArtifact"
}
],
"inputArtifacts": [],
"region": "us-east-1"
}
]
},
{
"name": "Deploy",
"actions": [
{
"name": "Deploy",
"actionTypeId": {
"category": "Deploy",
"owner": "AWS",
"provider": "ECS",
"version": "1"
},
"runOrder": 1,
"roleArn": "arn:aws:iam::Account_B:role/CrossAccount_Role",
"configuration": {
"ClusterName": "<Cluster>",
"ServiceName": "<Service>"
},
"outputArtifacts": [],
"inputArtifacts": [
{
"name": "SourceArtifact"
}
],
"region": "us-east-1"
}
]
}
],
"version": 1
}
}
{
“管道”:{
“名称”:“测试”,
“roleArn”:“arn:aws:iam::Account\u A:角色/服务角色/AWSCodePipelineServiceRole”,
“工件库”:{
“类型”:“S3”,
“位置”:“工件\存储\存储桶”,
“encryptionKey”:{
“id”:“arn:aws:kms:us-east-1:Account\u A:key/kms\u key\u for_Pipeline\u Artifact”,
“类型”:“KMS”
}
},
“阶段”:[
{
“名称”:“来源”,
“行动”:[
{
“名称”:“来源”,
“actionTypeId”:{
“类别”:“来源”,
“所有者”:“AWS”,
“提供程序”:“编解码器”,
“版本”:“1”
},
“runOrder”:1,
“配置”:{
“布兰克纳姆”:“大师”,
“PollForSourceChanges”:“false”,
“RepositoryName”:“代码”
},
“输出事实”:[
{
“名称”:“SourceArtifact”
}
],
“输入事实”:[],
“区域”:“us-east-1”
}
]
},
{
“名称”:“部署”,
“行动”:[
{
“名称”:“部署”,
“actionTypeId”:{
“类别”:“部署”,
“所有者”:“AWS”,
“提供商”:“ECS”,
“版本”:“1”
},
“runOrder”:1,
“roleArn”:“arn:aws:iam::账户\角色/交叉账户\角色”,
“配置”:{
“ClusterName”:“,
“服务名称”:”
},
“输出事实”:[],
“输入事实”:[
{
“名称”:“SourceArtifact”
}
],
“区域”:“us-east-1”
}
]
}
],
“版本”:1
}
}
要更新管道:
{
"pipeline": {
"name": "test",
"roleArn": "arn:aws:iam::Account_A:role/service-role/AWSCodePipelineServiceRole",
"artifactStore": {
"type": "S3",
"location": "Artifact_Store_S3_Bucket",
"encryptionKey": {
"id": "arn:aws:kms:us-east-1:Account_A:key/KMS_Key_for_Pipeline_Artifact",
"type": "KMS"
}
},
"stages": [
{
"name": "Source",
"actions": [
{
"name": "Source",
"actionTypeId": {
"category": "Source",
"owner": "AWS",
"provider": "CodeCommit",
"version": "1"
},
"runOrder": 1,
"configuration": {
"BranchName": "master",
"PollForSourceChanges": "false",
"RepositoryName": "code"
},
"outputArtifacts": [
{
"name": "SourceArtifact"
}
],
"inputArtifacts": [],
"region": "us-east-1"
}
]
},
{
"name": "Deploy",
"actions": [
{
"name": "Deploy",
"actionTypeId": {
"category": "Deploy",
"owner": "AWS",
"provider": "ECS",
"version": "1"
},
"runOrder": 1,
"roleArn": "arn:aws:iam::Account_B:role/CrossAccount_Role",
"configuration": {
"ClusterName": "<Cluster>",
"ServiceName": "<Service>"
},
"outputArtifacts": [],
"inputArtifacts": [
{
"name": "SourceArtifact"
}
],
"region": "us-east-1"
}
]
}
],
"version": 1
}
}
$aws代码管道更新管道--区域us-east-1--cli输入jsonfile://pipeline.json非常感谢,它几乎可以工作了。不知何故,S3 artifactstore存储桶没有正确加密,并且失败了,当我使用KMS密钥手动加密它时,部署工作正常。你知道如果没有加密,整个系统是否可以工作吗?如果禁用KMS加密,则会出现accessdenied错误。当我尝试使用cloudformation创建bucket时,遇到格式错误的XML异常。更新:默认情况下,我现在可以加密bucket,但管道中的CodeBuild阶段使用不同的加密密钥写入,尝试修复,应该很快完成……很高兴我能提供帮助。@gkris您在帐户a或帐户B中的codedeploy设置在哪里?
{
"pipeline": {
"name": "test",
"roleArn": "arn:aws:iam::Account_A:role/service-role/AWSCodePipelineServiceRole",
"artifactStore": {
"type": "S3",
"location": "Artifact_Store_S3_Bucket",
"encryptionKey": {
"id": "arn:aws:kms:us-east-1:Account_A:key/KMS_Key_for_Pipeline_Artifact",
"type": "KMS"
}
},
"stages": [
{
"name": "Source",
"actions": [
{
"name": "Source",
"actionTypeId": {
"category": "Source",
"owner": "AWS",
"provider": "CodeCommit",
"version": "1"
},
"runOrder": 1,
"configuration": {
"BranchName": "master",
"PollForSourceChanges": "false",
"RepositoryName": "code"
},
"outputArtifacts": [
{
"name": "SourceArtifact"
}
],
"inputArtifacts": [],
"region": "us-east-1"
}
]
},
{
"name": "Deploy",
"actions": [
{
"name": "Deploy",
"actionTypeId": {
"category": "Deploy",
"owner": "AWS",
"provider": "ECS",
"version": "1"
},
"runOrder": 1,
"roleArn": "arn:aws:iam::Account_B:role/CrossAccount_Role",
"configuration": {
"ClusterName": "<Cluster>",
"ServiceName": "<Service>"
},
"outputArtifacts": [],
"inputArtifacts": [
{
"name": "SourceArtifact"
}
],
"region": "us-east-1"
}
]
}
],
"version": 1
}
}