是否可以在另一个帐户中创建一个具有CodeCommit存储库目标源的codepipeline?
答案 0 :(得分:1)
是的,它应该是可能的。请按照以下说明操作:http://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html
答案 1 :(得分:1)
我只需要这样做,我将解释该过程。
帐户C是您的CodeCommit存储库的帐户。 帐户P是您的CodePipeline ...管道的帐户。
在帐户P中:
创建一个AWS KMS加密密钥,并添加具有访问权限的账户C(先决步骤中的指南here)。您还需要添加CodePipeline角色,并且如果您具有CodeBuild和CodeDeploy步骤,也请添加这些角色。
在您的CodePipeline项目S3存储桶中,您需要添加帐户C访问。转到“存储桶策略”并添加:
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTC_ID:root"
},
"Action": [
"s3:Get*",
"s3:Put*"
],
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTC_ID:root"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME"
}
将ACCOUNTC_ID更改为帐户C的帐户ID,并将YOUR_BUCKET_NAME更改为CodePipeline项目S3存储桶名称。
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::ACCOUNTC_ID:role/*"
]
}
}
再次,将ACCOUNTC_ID更改为帐户C的帐户ID。
在帐户C中:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject*",
"s3:PutObject",
"s3:PutObjectAcl",
"codecommit:ListBranches",
"codecommit:ListRepositories"
],
"Resource": [
"arn:aws:s3:::YOUR_BUCKET_NAME_IN_ACCOUNTP_FOR_CODE_PIPELINE/*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey*",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:YOUR_KMS_ARN"
]
}
]
}
在上述策略中替换存储桶名称和KMS ARN。将策略另存为CrossAccountPipelinePolicy之类的内容。
在AWS CLI中 您无法在控制台中执行此操作,因此必须使用AWS CLI。这将是使AccountP中的CodePipeline承担Source步骤中的角色,并将其转储到S3存储桶中,以供所有后续步骤使用。
aws codepipeline get-pipeline --name NameOfPipeline > pipeline.json
修改管道json,使其看起来像这样,并替换所需的位:
"pipeline": {
"name": "YOUR_PIPELINE_NAME",
"roleArn": "arn:aws:iam::AccountP_ID:role/ROLE_NAME_FOR_CODE_PIPELINE",
"artifactStore": {
"type": "S3",
"location": "YOUR_BUCKET_NAME",
"encryptionKey": {
"id": "arn:aws:kms:YOUR_KMS_ROLE_ARN",
"type": "KMS"
}
},
"stages": [
{
"name": "Source",
"actions": [
{
"name": "Source",
"actionTypeId": {
"category": "Source",
"owner": "AWS",
"provider": "CodeCommit",
"version": "1"
},
"runOrder": 1,
"roleArn": "arn:aws:iam::AccountC_ID:role/ROLE_NAME_WITH_CROSS_ACCOUNT_POLICY",
"configuration": {
"BranchName": "master",
"PollForSourceChanges": "false",
"RepositoryName": "YOURREPOSITORYNAME"
},
"outputArtifacts": [
{
"name": "MyApp"
}
],
"inputArtifacts": []
}
]
},
使用aws codepipeline update-pipeline --cli-input-json file://pipeline.json
通过运行管道来验证其工作。
答案 2 :(得分:0)
您可以使用带有代码提交库的管道在另一个帐户中部署资源。
假设您的代码提交存储库所在的帐户A,代码管道所在的帐户B。
在帐户B中配置以下内容:
您将需要创建自定义KMS密钥,因为AWS Default Key没有关联的密钥策略。如果您需要有关创建CMK的帮助,可以使用Create a Pipeline in CodePipeline That Uses Resources from Another AWS Account。将代码管道服务角色添加到KMS密钥策略中,以允许代码管道使用它。
用于从交叉账户接收事件的事件总线转到CloudWatch→事件部分下的事件总线→添加权限→输入DEV AWS账户ID→添加。有关更多详细信息,请检查Creating an Event Bus
将以下策略添加到S3管道工件存储中:
{
“Version”: “2012–10–17”,
“Id”: “PolicyForKMSAccess”,
“Statement”: [
{ “Sid”: “AllowAccessFromAAccount”,
“Effect”: “Allow”,
“Principal”: { “AWS”: “arn:aws:iam::ACCOUNT_A_ID:root” },
“Action”: [ “s3:Get*”, “s3:Put*”, "s3:ListBucket ],
“Resource”: “arn:aws:s3:::NAME-OF-THE-BUCKET/*” }
]
}
按照以下步骤编辑管道IAM角色以承担帐户A的角色:
{
“Version”:“2012–10–17”,
“Statement”:{
“Effect”:“Allow”,
“Action”:“sts:AssumeRole”,
“Resource”:[
“arn:aws:iam::ACCOUNT_A_ID:role/*
]
}
}
现在,在帐户A中执行以下操作:
使用3个策略创建一个跨帐户IAM角色。 a)AWSCodeCommitFullAccess
b)内联策略按如下方式承担对帐户B的作用:
{
“Version”:“2012–10–17”,
“Statement”:[
{
“Effect”:“Allow”,
“Principal”:{
“AWS”:“arn:aws:iam::ACCOUNT_B_ID:root”
},
“Action”:“sts:AssumeRole”
}
]
}
c)KMS,CodeCommit和S3访问的内联策略:
{
“Version”:“2012–10–17”,
“Statement”:[
{
“Effect”:“Allow”,
“Action”:[
“s3:Get*”,
“s3:Put*”,
“codecommit:*”
],
“Resource”:[
“arn:aws:s3:::YOUR_BUCKET_NAME_IN_B_FOR_CODE_PIPELINE_ARTIFACTS/”
]
},
{
“Effect”:“Allow”,
“Action”:[
“kms:*" ],
“Resource”: [ “arn:aws:kms:YOUR_KMS_ARN_FROM_B_ACCOUNT” ] } ] }
2。按照@Eran Medan的建议更新您的管道。
有关更多详细信息,请访问AWS CodePipeline with a Cross-Account CodeCommit Repository
另外,请注意,我授予的权限比示例codecommit:*和kms:*所需的权限要多,您可以根据需要进行更改。
我希望这会有所帮助。