[英]AWS CDK deploy using role
You can find the cdk app that you can use to replicate my issue here varvay/issue-replication.git .您可以在此处找到可用于复制我的问题的 cdk 应用程序varvay/issue-replication.git 。 The usage instruction explained in the
README
README
中解释的使用说明
I need to deploy CDK app using a role by issuing this command我需要通过发出此命令使用角色部署 CDK 应用程序
cdk -r arn:aws:iam::000000000000:role/fooRole deploy
but then an error thrown但随后抛出错误
Assuming role failed: User: arn:aws:iam::000000000000:user/fooUser is not authorized to
perform: sts:AssumeRole on resource: arn:aws:iam::000000000000:role/barRole
to be sure, I tried to simulate it by assuming the arn:aws:iam::000000000000:role/barRole
role using arn:aws:iam::000000000000:role/fooRole
in AWS IAM Policy Simulator and it works just fine.可以肯定的是,我尝试通过在 AWS IAM 策略模拟器中使用
arn:aws:iam::000000000000:role/fooRole
假设arn:aws:iam::000000000000:role/barRole
角色来模拟它,它工作得很好。 One thing that bothers me is that the error said that a User
tried to assume the role, not Role
.困扰我的一件事是错误表示
User
试图承担角色,而不是Role
。
Why is that?这是为什么? or should I assume the
fooRole
, update the AWS-related environment variable and then deploy?或者我应该假设
fooRole
,更新与 AWS 相关的环境变量然后部署? if so then what's the point of having -r
option on cdk
如果是这样,那么在
cdk
上使用-r
选项有什么意义
as additional information, here's the trust relationship of the barRole
作为附加信息,这里是
barRole
的信任关系
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam:: 000000000000:root"
},
"Action": "sts:AssumeRole"
}
]
}
also I even tried to attach AdministratorAccess
AWS managed policy to the fooRole
used to deploy我什至还尝试将
AdministratorAccess
AWS 托管策略附加到用于部署的fooRole
So there are 2 ways you might be running cdk deploy
command from.因此,您可以通过两种方式运行
cdk deploy
命令。
1- You're running this command from your local computer's CLI using IAM keys. 1- 您正在使用 IAM 密钥从本地计算机的 CLI 运行此命令。 In this case, this role must be assumable by the AWS account (IAM User) being used.
在这种情况下,此角色必须可由所使用的 AWS 账户(IAM 用户)担任。
2- You're running this command from any AWS service (cicd agent on EC2 instance for eg:) then the role attached with the instance should be allowed to assume this deployment role. 2-您正在从任何 AWS 服务(例如 EC2 实例上的 cicd 代理)运行此命令,然后应允许与实例关联的角色承担此部署角色。
mention how you're running this command and you might get a better answer.提及您如何运行此命令,您可能会得到更好的答案。
UPDATE: Based on the updated question:更新:基于更新的问题:
Add assume role
part in your IAM USER not your deployment role.在您的 IAM USER 中添加
assume role
部分,而不是您的部署角色。 Your IAM User from which you're trying to deploy should be allowed to assume the role through which the CDK will be deployed.应允许您尝试部署的 IAM 用户担任部署 CDK 的角色。
To diagramise it a bit:稍微图解一下:
(IAM-USER -> Assume -> Role) -> cdk deploy
The error is in the process of cross account role accessing, as is written in your error message.如您的错误消息中所写,错误是在跨帐户角色访问的过程中。
I assume that you start with AWS configuration for one account, lets call it "Provisioning" and then you need to assume role in different account (dev or prod) depending on branches or something ?我假设您从一个账户的 AWS 配置开始,我们称之为“配置”,然后您需要根据分支或其他东西在不同的账户(开发或产品)中担任角色?
I smell an error in setup of cross account roles.我在设置跨账户角色时闻到了错误。 https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
One possibility is : the Rolle you want to assume, does not have your provisioning account as trusted entity.一种可能性是:您想假设的 Rolle 没有您的配置帐户作为受信任的实体。
Another is : the user which is trying to assume the role, does not have the policy for that.另一个是:试图承担角色的用户没有相应的政策。
Just follow the tutorial from AWS and see what is missing in your setup :)只需按照 AWS 的教程,看看您的设置中缺少什么 :)
I managed to fulfill my needs by creating a bash script to switch to the destination role and use the credential to perform the CDK command as the script written below,我通过创建 bash 脚本来切换到目标角色并使用凭据执行 CDK 命令来满足我的需求,如下所示,
#!/bin/bash
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN
AWS_CREDENTIAL=$(aws sts assume-role \
--role-arn <destination role ARN> \
--role-session-name <role session name> \
--duration-seconds 3600)
export AWS_ACCESS_KEY_ID=$(echo $AWS_CREDENTIAL \
| jq -r '.Credentials''.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo $AWS_CREDENTIAL \
| jq -r '.Credentials''.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo $AWS_CREDENTIAL \
| jq -r '.Credentials''.SessionToken')
cdk deploy
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.