
AWS CDK: How to access VPC in another account

I need access to resources in my staging/prod accounts' VPC from my "tools" account (I have an RDS instance sitting in each of the two VPCs and want to automate schema upgrades as part of my CI/CD).

How can I import a VPC from the staging/prod account within a stack in the "tools" account?

Vpc.fromLookup() does not work, since it searches for VPCs in the stack's region and account, but not in other regions/accounts.

EDIT:

I want to give a CodeBuild project (part of a CodePipeline) in the "tools" account access to the RDS instance in the VPC of the prod/staging accounts. To give it access, I use the vpc attribute on the CodeBuild project.

I'm not sure what the best way is to tackle schema upgrades using CodePipeline/CodeBuild. Ideally, the RDS instance should be sitting in a private/isolated subnet.

// Imports assumed for this snippet (CDK v1 package names); sourceOutput, dbEndpoint,
// dbSecretId and vpcId are defined elsewhere in the stack.
import * as codebuild from '@aws-cdk/aws-codebuild';
import * as codepipeline_actions from '@aws-cdk/aws-codepipeline-actions';
import * as ec2 from '@aws-cdk/aws-ec2';

const dbMigrateBuild = new codebuild.PipelineProject(this, 'MigrateBuild', {
  buildSpec: codebuild.BuildSpec.fromSourceFilename('buildspec-migrate.yml'),
  environment: {
    buildImage: codebuild.LinuxBuildImage.STANDARD_4_0,
  },
  environmentVariables: {
    migrationBucketId: {
      type: codebuild.BuildEnvironmentVariableType.PLAINTEXT,
      value: sourceOutput.bucketName,
    },
    dbEndpoint: {
      type: codebuild.BuildEnvironmentVariableType.PLAINTEXT,
      value: dbEndpoint,
    },
    dbSecretId: {
      type: codebuild.BuildEnvironmentVariableType.PLAINTEXT,
      value: dbSecretId,
    },
  },
  // Context lookup runs with the credentials of the stack's own account, so a
  // vpcId that belongs to the staging/prod account is not found here.
  vpc: ec2.Vpc.fromLookup(this, 'Vpc', { vpcId }), // <-- this is not working
});

// dbMigrateBuild.connections.allowToDefaultPort(db); // how to grant permission ??

const dbMigrateAction = new codepipeline_actions.CodeBuildAction({
  actionName: 'Db_Migrate',
  project: dbMigrateBuild,
  input: sourceOutput,
  runOrder: 130,
});

For this you would need to do one of the following:

  • Assume a role from the "other account".
  • Use the credentials from assuming this role to retrieve your values, by performing an export of the variables on the CLI.

This has to be performed before you run the cdk commands, using the sts assume-role command.
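The assume-role step the answer describes, as an added shell example (not the answerer's code): it assumes a role in the VPC-owning account, exports the temporary credentials, and only then runs cdk, so the context lookup behind Vpc.fromLookup is made with those credentials. The role ARN, session name and session duration are placeholders and assumptions; the parsing relies on POSIX cut and printf only.

```shell
#!/usr/bin/env sh
# Added example: export the temporary credentials of an assumed role before
# running cdk, so that context lookups run against the other account.

# Turn the one-line output of `aws sts assume-role --output text` into exported
# AWS_* variables. Expects "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken".
export_assumed_credentials() {
  creds="$1"
  key=$(printf '%s\n' "$creds" | cut -f1)
  secret=$(printf '%s\n' "$creds" | cut -f2)
  token=$(printf '%s\n' "$creds" | cut -f3)
  # Refuse to continue with partial credentials: a later cdk run would otherwise
  # silently fall back to the default (tools-account) credentials.
  if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
    echo "assume-role returned incomplete credentials" >&2
    return 1
  fi
  AWS_ACCESS_KEY_ID="$key"
  AWS_SECRET_ACCESS_KEY="$secret"
  AWS_SESSION_TOKEN="$token"
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Fetch short-lived credentials for the role in the other account (needs the
# AWS CLI). 900 seconds is the minimum STS allows and is enough for a synth.
assume_role_into_env() {
  role_arn="$1"
  creds=$(aws sts assume-role \
    --role-arn "$role_arn" \
    --role-session-name "cdk-vpc-lookup" \
    --duration-seconds 900 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text) || return 1
  export_assumed_credentials "$creds"
}

# Usage (placeholder ARN; only run when actually deploying):
# assume_role_into_env "arn:aws:iam::<PROD_ACCOUNT_ID>:role/<CdkLookupRole>" \
#   && cdk synth
```

The role in the other account only needs the read permissions the lookup requires (ec2:DescribeVpcs and related Describe calls); the exported session expires on its own, so nothing long-lived lands on the build host.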
