【Question title】: How to create an IAM role for cross-account deployment of ECS services via CodePipeline?
【Posted】: 2023-02-21 23:15:53
【Problem description】:

I am trying to use EcsDeployAction, and I know that for a cross-account deployment I have to supply a role that is created in the account that owns the ECS cluster:

    // Import the target service and the deployment role that already exist in the ECS account (ACCOUNTS.dev)
    const service = ecs.BaseService.fromServiceArnWithCluster(this, 'Service', `arn:aws:ecs:${this.region}:${ACCOUNTS.dev}:service/${CLUSTER_NAME}/${SERVICE_NAME}`);
    const deploymentRole = iam.Role.fromRoleArn(this, 'DeploymentRole', `arn:aws:iam::${ACCOUNTS.dev}:role/${DEPLOYMENT_ROLE_NAME}`);
    // The pipeline assumes deploymentRole in the other account to run the ECS deploy
    const deploymentAction = new codepipelineActions.EcsDeployAction({
      actionName: 'deploy',
      service,
      input: buildOutputFromDockerBuildInCodeBuild,
      role: deploymentRole,
    });
  • How do I create this role (deploymentRole) with CDK (or the CLI or any other IaC, but not manually through the console) so that CodePipeline can deploy into the other account?
  • What permissions does this role need?
  • What should the role's trust / assume-role policy be?
  • Once this role is created, am I missing anything else to make this CodePipeline action work?

I found a few cross-account deployment examples online, but none for ECS deployments that document the IAM role creation in this way. CodePipeline's own documentation and some other cross-account deployment examples show a role that only has access to S3, not one that does the kind of deployment I am doing.

【Question discussion】:

    Tags: amazon-web-services amazon-iam amazon-ecs aws-cdk aws-codepipeline


    【Solution 1】:

    I did this in Terraform a few weeks ago and am happy to help. I found this article on codepipeline to be the most comprehensive example of how to do it that I could find. You need a CodePipeline role that can be assumed by the account your pipeline lives in, and a CodeDeploy role that can be assumed by the CodeDeploy service. I also did not use S3 for deployment, but the permissions are still there.

    Below is my Terraform code:

    # Role in the application (ECS) account that the pipeline account is allowed to assume
    resource "aws_iam_role" "codepipeline_cross_account" {
      name = "codepipeline-cross-account"
    
      assume_role_policy = jsonencode({
        Version = "2012-10-17"
        Statement = [
          {
            Action = "sts:AssumeRole"
            Effect = "Allow"
            Sid    = ""
            Principal = {
              AWS = "arn:aws:iam::<account_id_of_codepipeline_acct>:root"
            }
          }
        ]
      })
    
      inline_policy {
        name = "codedeploy"
    
        policy = jsonencode({
          Version = "2012-10-17"
          Statement = [
            {
              Effect : "Allow",
              Action : [
                "codedeploy:GetDeploymentConfig",
                "codedeploy:GetApplicationRevision",
                "codedeploy:RegisterApplicationRevision",
                "codedeploy:GetApplication",
                "codedeploy:GetDeployment",
                "codedeploy:CreateDeployment"
              ],
              Resource : "*"
            },
            {
              Effect : "Allow",
              Action : [
                "kms:DescribeKey",
                "kms:GenerateDataKey*",
                "kms:Encrypt",
                "kms:ReEncrypt*",
                "kms:Decrypt"
              ],
              Resource : "<kms_arn>"
            },
            {
              Effect : "Allow",
              Action : [
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:GetObjectTagging",
                "s3:GetObjectVersionTagging"
              ],
              Resource : "<s3_arn>/*"
            },
            {
              Effect : "Allow",
              Action : [
                "ecs:RegisterTaskDefinition"
              ],
              Resource : "*"
            },
            {
              Effect : "Allow",
              Action : [
                "iam:PassRole"
              ],
              # PassRole is scoped to the task execution role only; a quoted string is required here
              Resource : "<ecs_task_execution_role_arn_goes_here>"
            }
          ]
        })
      }
    }
    
    # Service role that the CodeDeploy service itself assumes when deploying to ECS
    resource "aws_iam_role" "ecs_deploy" {
      name = "ecs-deploy"
    
      managed_policy_arns = ["arn:aws:iam::aws:policy/AWSCodeDeployRoleForECS"]
    
      assume_role_policy = jsonencode({
        Version = "2012-10-17"
        Statement = [
          {
            Action = "sts:AssumeRole"
            Effect = "Allow"
            Sid    = ""
            Principal = {
              Service = "codedeploy.amazonaws.com"
            }
          }
        ]
      })
    }
    

    Then, when you create the deployment group in the application account, you reference the ECS deploy role above as its service role. That is what allows your pipeline to deploy to it.
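    As an added check (not code from the question or the answer above), a small Python audit of the two policy documents that the cross-account role relies on: it verifies that the trust policy only lets the pipeline account assume the role, and that iam:PassRole is not granted on Resource "*". Account ids and the execution-role ARN are constructed placeholders.

```python
# Constructed sample mirroring the answer's Terraform role (placeholder account ids, not real ones).
PIPELINE_ACCOUNT = "111111111111"
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"AWS": f"arn:aws:iam::{PIPELINE_ACCOUNT}:root"},
    }],
}
PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:RegisterTaskDefinition"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::222222222222:role/ecsTaskExecutionRole"},  # placeholder ARN
    ],
}


def _as_list(value):
    # IAM allows Action/Resource/Principal.AWS to be a single string or a list.
    return value if isinstance(value, list) else [value]


def audit_cross_account_role(trust, perms, pipeline_account):
    """Return a list of findings; an empty list means both documents pass these checks."""
    findings = []
    for st in trust.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal")
        if principal == "*":
            aws_principals = ["*"]  # bare "*" is also a wildcard principal
        elif isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS", []))
        else:
            aws_principals = []
        for p in aws_principals:
            if p == "*":
                findings.append("trust: wildcard principal can assume the role")
            elif f":{pipeline_account}:" not in p:
                findings.append(f"trust: principal {p} is not in the pipeline account")
    for st in perms.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        if any(a in ("iam:PassRole", "iam:*", "*") for a in actions) and "*" in _as_list(st.get("Resource", [])):
            findings.append("perms: iam:PassRole on Resource * lets the pipeline hand any role to ECS")
    return findings
```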

    【Discussion】:
