嗨,我用jenkins创建了CDK项目。我想以角色进行部署。例如,cdk使用角色进行部署。例如,在cloudformation中,我的操作如下所示。
cfn_manage deploy-stack \
--stack-name "$CFN_CDK_STACK" \
--template-file "cloudformation/templates/cdk.yml" \
--parameters-file "$PARAMS_FILE" \
--role-name infra-cfnrole-location-nonprivileged
现在我有如下CDK项目。
checkout scm
withCredentials([[$class: 'AmazonWebServicesCredentialsBinding',credentialsId: "${env.PROJECT_ID}-aws-${CFN_ENVIRONMENT}"]]) {
abc = docker.build('cdkimage', "--build-arg http_proxy=${env.http_proxy} --build-arg https_proxy=${env.https_proxy} .")
abc.inside{
sh 'ls -la'
sh "bash ./scripts/build.sh"
}
然后在build.sh中
NONPRIV_ROLE_NAME='infra-cfnrole-location-nonprivileged'
aws sts assume-role --role-arn 'arn:aws:iam::id:role/infra-cfnrole-location-nonprivileged' --role-session-name jenkins --query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' --output text
cdk synth
cdk deploy
这引发错误
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::id:user/infra-prjauth-location is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::187628286232:role/infra-cfnrole-location-nonprivileged
对于cfnrole-location-nonprivileged在信任关系中的角色,我具有以下政策
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudformation.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
有人可以帮助我进行角色部署吗?任何帮助,将不胜感激。谢谢
答案 0 :(得分:0)
我认为问题在于您没有在IAM角色的受信任关系中特别信任您的IAM用户。
假定此角色具有CDK部署所需的正确权限(有关更多信息,请参见here),您需要允许您的IAM用户访问角色,而不是cloudformation >。 Cloudformation已经可以访问您的帐户资源。
我认为此版本的“信任关系”策略应该可以解决问题:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": "<full ARN of the relevant user>",
"Action": "sts:AssumeRole"
}
]
}
让我知道它是否有效!