[英]AWS Codepipeline with a Codecommit targetsource repository from another account
Is it possible to create a codepipeline that has a target source of a CodeCommit Repository in another account?是否可以在另一个帐户中创建一个具有 CodeCommit 存储库目标源的代码管道?
I just had to do this, I'll explain the process.我只需要这样做,我会解释这个过程。
Account C is the account with your CodeCommit repository.账户 C 是您的 CodeCommit 存储库所在的账户。 Account P is the account with your CodePipeline... pipelines.
账户 P 是您的 CodePipeline... 管道的账户。
In Account P:在帐户 P 中:
Create an AWS KMS Encryption Key and add Account C with having access (guide here in pre-requisite step).创建 AWS KMS 加密密钥并添加具有访问权限的账户 C(先决条件步骤中的此处指南)。 You will also need to add the CodePipeline role, and if you have a CodeBuild and CodeDeploy step add those roles too.
您还需要添加 CodePipeline 角色,如果您有 CodeBuild 和 CodeDeploy 步骤,也请添加这些角色。
In your CodePipeline artifacts S3 bucket you need to add Account C access.在您的 CodePipeline 工件 S3 存储桶中,您需要添加帐户 C 访问权限。 Go to the Bucket Policy and add:
转到存储桶策略并添加:
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTC_ID:root"
},
"Action": [
"s3:Get*",
"s3:Put*"
],
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTC_ID:root"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME"
}
Change ACCOUNTC_ID
to the account ID of Account C, and change YOUR_BUCKET_NAME
to the CodePipeline artifact S3 bucket name.将
ACCOUNTC_ID
更改为账户 C 的账户 ID,并将YOUR_BUCKET_NAME
更改为 CodePipeline 工件 S3 存储桶名称。
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::ACCOUNTC_ID:role/*"
]
}
}
Again, change ACCOUNTC_ID
to the account ID of Account C.同样,将
ACCOUNTC_ID
更改为账户 C 的账户 ID。
In Account C:在帐户 C 中:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject*",
"s3:PutObject",
"s3:PutObjectAcl",
"codecommit:ListBranches",
"codecommit:ListRepositories"
],
"Resource": [
"arn:aws:s3:::YOUR_BUCKET_NAME_IN_ACCOUNTP_FOR_CODE_PIPELINE/*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey*",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:YOUR_KMS_ARN"
]
}
]
}
Replace bucket name and KMS ARN in the above policy.替换上述策略中的存储桶名称和 KMS ARN。 Save the policy as something like CrossAccountPipelinePolicy.
将该策略另存为类似 CrossAccountPipelinePolicy 的内容。
In AWS CLI You can't do this bit in the console so you have to use the AWS CLI.在 AWS CLI中 您无法在控制台中执行此操作,因此您必须使用 AWS CLI。 This will be to get your CodePipeline in AccountP to assume the role in the Source step and dump it in the S3 bucket for all your next steps to use.
这将使您在 AccountP 中的 CodePipeline 承担源步骤中的角色,并将其转储到 S3 存储桶中以供所有后续步骤使用。
aws codepipeline get-pipeline --name NameOfPipeline > pipeline.json
Modify the pipeline json so it looks a bit like this and replace the bits that you need to:修改管道 json,使其看起来有点像这样并替换您需要的位:
"pipeline": {
"name": "YOUR_PIPELINE_NAME",
"roleArn": "arn:aws:iam::AccountP_ID:role/ROLE_NAME_FOR_CODE_PIPELINE",
"artifactStore": {
"type": "S3",
"location": "YOUR_BUCKET_NAME",
"encryptionKey": {
"id": "arn:aws:kms:YOUR_KMS_KEY_ARN",
"type": "KMS"
}
},
"stages": [
{
"name": "Source",
"actions": [
{
"name": "Source",
"actionTypeId": {
"category": "Source",
"owner": "AWS",
"provider": "CodeCommit",
"version": "1"
},
"runOrder": 1,
"roleArn": "arn:aws:iam::AccountC_ID:role/ROLE_NAME_WITH_CROSS_ACCOUNT_POLICY",
"configuration": {
"BranchName": "master",
"PollForSourceChanges": "false",
"RepositoryName": "YOURREPOSITORYNAME"
},
"outputArtifacts": [
{
"name": "MyApp"
}
],
"inputArtifacts": []
}
]
},
Update the pipeline with aws codepipeline update-pipeline --cli-input-json file://pipeline.json
使用
aws codepipeline update-pipeline --cli-input-json file://pipeline.json
Verify it works by running the pipeline.通过运行管道来验证它是否有效。
Yes, it should be possible.是的,这应该是可能的。 Follow these instructions: http://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html
按照这些说明操作:http: //docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html
You can deploy resources using pipeline with codecommit repository in another account.您可以在另一个帐户中使用带有 codecommit 存储库的管道来部署资源。
Let's say you have Account A where your codecommit repository sits, and Account B where you codepipeline sits.假设您在 codecommit 存储库所在的位置有帐户 A,在 codepipeline 所在的位置有帐户 B。
Configure the following in account B:在帐户 B 中配置以下内容:
You would need to create custom KMS key because AWS Default Key does not have an associated Key policy.您需要创建自定义 KMS 密钥,因为 AWS 默认密钥没有关联的密钥策略。 You can use Create a Pipeline in CodePipeline That Uses Resources from Another AWS Account if you need assistance with creating CMK.
如果您在创建 CMK 方面需要帮助,可以使用在使用来自另一个 AWS 账户的资源的 CodePipeline 中创建管道。 Add the Codepipeline service role to the KMS Key Policy to allow the codepipeline to use it.
将 Codepipeline 服务角色添加到 KMS 密钥策略以允许 codepipeline 使用它。
Event bus for receiving events from cross account Go to CloudWatch → Event Buses under Events section → Add Permission → Enter DEV AWS Account Id → Add.用于从跨账户接收事件的事件总线转到 CloudWatch → 事件部分下的事件总线 → 添加权限 → 输入 DEV AWS 账户 ID → 添加。 For more details, check Creating an Event Bus
有关详细信息,请查看创建事件总线
Add the following Policy to S3 pipeline Artifact store:将以下策略添加到 S3 管道工件存储:
{ “Version”: “2012–10–17”, “Id”: “PolicyForKMSAccess”, “Statement”: [ { “Sid”: “AllowAccessFromAAccount”, “Effect”: “Allow”, “Principal”: { “AWS”: “arn:aws:iam::ACCOUNT_A_ID:root” }, “Action”: [ “s3:Get*”, “s3:Put*”, "s3:ListBucket ], “Resource”: “arn:aws:s3:::NAME-OF-THE-BUCKET/*” } ] }
Edit the Pipeline IAM rols to assume role to Account A as follows:编辑 Pipeline IAM 角色以承担账户 A 的角色,如下所示:
{ “Version”:“2012–10–17”, “Statement”:{ “Effect”:“Allow”, “Action”:“sts:AssumeRole”, “Resource”:[ “arn:aws:iam::ACCOUNT_A_ID:role/* ] } }
Now, do the following in Account A:现在,在账户 A 中执行以下操作:
Create a cross account IAM role with 3 policies.创建具有 3 个策略的跨账户 IAM 角色。 a) AWSCodeCommitFullAccess
a) AWSCodeCommitFullAccess
b) Inline Policy to assume role to Account B as follows: b) 对账户 B 承担角色的内联策略如下:
{
“Version”:“2012–10–17”,
“Statement”:[
{
“Effect”:“Allow”,
“Principal”:{
“AWS”:“arn:aws:iam::ACCOUNT_B_ID:root”
},
“Action”:“sts:AssumeRole”
}
]
}
c)Inline policy for KMS, CodeCommit and S3 access: c) KMS、CodeCommit 和 S3 访问的内联策略:
{
“Version”:“2012–10–17”,
“Statement”:[
{
“Effect”:“Allow”,
“Action”:[
“s3:Get*”,
“s3:Put*”,
“codecommit:*”
],
“Resource”:[
“arn:aws:s3:::YOUR_BUCKET_NAME_IN_B_FOR_CODE_PIPELINE_ARTIFACTS/”
]
},
{
“Effect”:“Allow”,
“Action”:[
“kms:*" ],
“Resource”: [ “arn:aws:kms:YOUR_KMS_ARN_FROM_B_ACCOUNT” ] } ] }
2. Update your pipeline as @Eran Medan suggested. 2. 按照@Eran Medan 的建议更新您的管道。
For more details, please visit AWS CodePipeline with a Cross-Account CodeCommit Repository有关更多详细信息,请访问带有跨账户 CodeCommit 存储库的 AWS CodePipeline
Also, please note that I have given a lot more permissions than required for example codecommit:* and kms:*, you can alter them as per your needs.另外,请注意,我已经授予了比所需更多的权限,例如 codecommit:* 和 kms:*,您可以根据需要更改它们。
I hope this will help.我希望这将有所帮助。
It is possible to build and trigger multiple codepipelines in different accounts with one central codecommit repository from another AWS account based on the branches of the repository. 可以使用基于一个中央代码提交存储库的存储库中的分支,从另一个AWS账户中的一个中央代码提交存储库中构建和触发多个代码管道。 You need to make sure the cross account IAM roles are in place, event buses need to be configured to receive events from cross accounts and also KMS permissions should be in place as well.
您需要确保交叉帐户IAM角色到位,事件总线需要配置为从交叉帐户接收事件,并且还必须具有KMS权限。 Here is an article which covers exactly what you need: AWS Codepipeline with Cross Account CodeCommit Repo Hope it helps.
这是一篇文章,涵盖了您的确切需求: 带有交叉账户CodeCommit回购的AWS Codepipeline希望它能有所帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.