[英]How to securely pull code from an aws s3 bucket to a Codecommit repository using Cloudformation?
Within AWS, I am able to successfully pull code from an existing S3 bucket into a new repo within Codecommit upon stack creation of a pipeline in Cloudformation (using a YAML file). 在AWS中,我可以在Cloudformation中创建管道堆栈(使用YAML文件)时成功将代码从现有S3存储桶中提取到Codecommit中的新存储库中。
This works perfectly, but I hope to make sure the S3 bucket itself is private and not public, and want some sort of auth system to ensure that for a user to properly pull code from my s3 bucket, they need to supply the correct auth into cloudformation for it to properly populate the Codecommit repo. 这很好用,但我希望确保S3存储桶本身是私有的而不是公共的,并且想要某种auth系统来确保用户正确地从我的s3存储桶中提取代码,他们需要提供正确的auth用于正确填充Codecommit存储库的cloudformation。
Which AWS service is best for me to do this? 哪种AWS服务最适合我这样做? I was thinking of using an API gateway with Lambda authorizer, but I am interested in other AWS services that might make this easier.
我正在考虑使用带有Lambda授权器的API网关,但我对其他可能使这更容易的AWS服务感兴趣。
Does AWS Roles
suit your needs? AWS Roles
是否适合您的需求? You can attach a role to S3 which allows users to download code: 您可以将角色附加到S3,允许用户下载代码:
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS: [
"arn:aws:iam::AWS-account-ID:user/user-name-1",
"arn:aws:iam::AWS-account-ID:user/user-name-2",
]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::YOUR_BUCKET/SOME/PATH"
}
]
}
and/or if you don't have predefined users, you can allow Lambda to assume such role, as explained here , and return credentials via API gateway with Lambda authorizer. 和/或如果你没有预定的用户,可以允许lambda来承担这样的角色,如解释在这里 ,并通过与LAMBDA授权API网关返回凭证。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.