[英]How to tell teamcity agent, which aws account to run terraform to
I spun up TeamCity into a Kube.netes cluster.我将 TeamCity 启动到一个 Kube.netes 集群中。 I have one deployment for the TeamCity server and one deployment for the TeamCity build agent.
我有一个用于 TeamCity 服务器的部署和一个用于 TeamCity 构建代理的部署。 When I run Terraform on the TeamCity build agent, it creates resources in the same AWS account as the EC2 instance which is hosting TeamCity Kube.netes cluster.
当我在 TeamCity 构建代理上运行 Terraform 时,它会在与托管 TeamCity Kube.netes 集群的 EC2 实例相同的 AWS 账户中创建资源。
I would like to run a build, which creates AWS resources in a separate AWS account.我想运行一个构建,它在单独的 AWS 账户中创建 AWS 资源。 My thinking is to assign an AWS access key and secret key to the TeamCity server and pass them to the TeamCity build agent, but I don't know how the work flow is going to be.
我的想法是将 AWS 访问密钥和密钥分配给 TeamCity 服务器并将它们传递给 TeamCity 构建代理,但我不知道工作流程将如何进行。
Currently, I have declared AWS access key and secret keys as environment variables on the build but they are not getting passed to agent.目前,我已经在构建中将 AWS 访问密钥和秘密密钥声明为环境变量,但它们没有传递给代理。 My build steps only contains 3 lines
我的构建步骤只包含 3 行
terraform init
terraform plan
terraform apply -auto-approve
I dealt with a very similar situation.我处理了一个非常相似的情况。 When we started using AWS, we did not follow best practice around how our scripts authenticate to AWS.
当我们开始使用 AWS 时,我们并没有遵循关于我们的脚本如何向 AWS 进行身份验证的最佳实践。
We created users in each account and exported the access and secret keys into our TeamCity build automation to allow our scripts to run in the context of these accounts.我们在每个帐户中创建了用户,并将访问密钥和秘密密钥导出到我们的 TeamCity 构建自动化中,以允许我们的脚本在这些帐户的上下文中运行。
You will wind up with several users in different accounts and will wind up manually rotating the keys for these users, then updating the access and secret keys in TeamCity everytime you need to rotate the keys.您最终会在不同的帐户中拥有多个用户,并且最终会为这些用户手动轮换密钥,然后在每次需要轮换密钥时更新 TeamCity 中的访问密钥和秘密密钥。
As the TeamCity build agent servers are EC2 instances, it is best practice in AWS to use roles instead of users in situations like this.由于 TeamCity 构建代理服务器是 EC2 实例,AWS 中的最佳实践是在这种情况下使用角色而不是用户。 From the AWS documentation:
来自 AWS 文档:
Applications that run on an Amazon EC2 instance need credentials in order to access other AWS services.
在 Amazon EC2 实例上运行的应用程序需要凭据才能访问其他 AWS 服务。 To provide credentials to the application in a secure way, use IAM roles.
要以安全方式向应用程序提供凭证,请使用 IAM 角色。 A role is an entity that has its own set of permissions, but that isn't a user or group.
角色是拥有自己的一组权限的实体,但它不是用户或组。 Roles also don't have their own permanent set of credentials the way IAM users do.
角色也不像 IAM 用户那样拥有自己的永久凭证集。 In the case of Amazon EC2, IAM dynamically provides temporary credentials to the EC2 instance, and these credentials are automatically rotated for you.
对于 Amazon EC2,IAM 动态地为 EC2 实例提供临时凭证,这些凭证会自动为您轮换。
Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-roles-with-ec2资料来源: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-roles-with-ec2
What you should do in this situation is create a role in each account that has access to create the resources that terraform will build.在这种情况下,您应该做的是在每个帐户中创建一个角色,该角色有权创建 terraform 将构建的资源。 You will need another role for the TeamCity build agent servers, this role should be able to assume the roles created in each account.
您将需要另一个角色用于 TeamCity 构建代理服务器,该角色应该能够承担在每个帐户中创建的角色。
Let's say you have two accounts:假设您有两个帐户:
What you will need is:你需要的是:
The instance profile of the role in AccountB should be assigned to the TeamCity build agent servers. AccountB 中角色的实例配置文件应分配给 TeamCity 构建代理服务器。 The build agent servers are then able to assume the role in AccountA and run in the context of that account with the permissions they need without the need for hard-coded access and secret keys.
然后,构建代理服务器能够承担 AccountA 中的角色,并在该帐户的上下文中运行,并获得所需的权限,而无需硬编码访问权限和密钥。
You can repeat this process for as many other accounts as you want to build resources in through Terraform.您可以通过 Terraform 对任意数量的其他帐户重复此过程以在其中构建资源。
You will have to add the following block to the aws provider in your terraform scripts to let terraform know what role to assume:您必须将以下块添加到 terraform 脚本中的 aws 提供商,让 terraform 知道要承担什么角色:
provider "aws" {
assume_role {
role_arn = "arn:aws:iam::<ACCOUNTA>:role/<ROLENAME>"
}
}
Here is some AWS documentation on how to grant access to an S3 bucket in a different account from an EC2 instance: https://aws.amazon.com/premiumsupport/knowledge-center/s3-instance-access-bucket/以下是一些关于如何从 EC2 实例授予对不同账户中 S3 存储桶的访问权限的 AWS 文档: https://aws.amazon.com/premiumsupport/knowledge-center/s3-instance-access-bucket/
Another useful documentation page on that covers IAM Roes, EC2 instance profiles & cross account access via Roles is here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html另一个涵盖 IAM Roes、EC2 实例配置文件和通过角色进行跨账户访问的有用文档页面位于: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
One last link goes through exactly what you are trying to do: https://blog.e-zest.com/aws-ec2-assume-role-with-terraform最后一个链接正是您要执行的操作: https://blog.e-zest.com/aws-ec2-assume-role-with-terraform
My agent.yml file looks like this when i want to add two annotations for 2 separate accounts当我想为 2 个单独的帐户添加两个注释时,我的 agent.yml 文件看起来像这样
spec: replicas: 1 selector: matchLabels: app: agent-pod template: metadata: annotations: iam.amazonaws.com/role: arn:aws:iam::account:role/accoun1-s3-role iam.amazonaws.com/role: arn:aws:iam::account:role/account2-pods-s3-role规格:副本:1 选择器:匹配标签:应用程序:代理 Pod 模板:元数据:注释:iam.amazonaws.com/role:arn:aws:iam::account:role/accoun1-s3-role iam.amazonaws.com/角色:arn:aws:iam::account:role/account2-pods-s3-role
but as soon as i put two annotation, my sts assume role for pod only shows me second role.但是一旦我放了两个注释,我的 sts assume role for pod 就只显示我的第二个角色。 and when i run the build from teamcity i get this error no valid credential sources found for aws provider
当我从 teamcity 运行构建时,出现此错误,找不到 aws 提供程序的有效凭证源
Security best practices regarding TeamCity + AWS org with multiple accounts:具有多个账户的 TeamCity + AWS 组织的安全最佳实践:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.