Cross-Region access to CodeCommit repository from CodePipeline

I am building a CodePipeline using CloudFormation. The pipeline is deployed to the eu-west-1 region; however, it must get the source code from the CodeCommit repository that is located in the us-east-1 region.

The pipeline definition looks like this:

CodePipeline:
  Type: AWS::CodePipeline::Pipeline
  Properties:
    Name: !Ref PipelineName
    RoleArn: !GetAtt CodePipelineServiceRole.Arn
    Stages:
      - Name: Source
        Actions:
          - Name: Source
            ActionTypeId:
              Category: Source
              Owner: AWS
              Provider: CodeCommit
              Version: 1
            OutputArtifacts:
              - Name: SourceCodeOutputArtifact
            Configuration:
              RepositoryName: !Ref MyRepository
              BranchName: !Ref DeploymentBranch
            RunOrder: 1
            Region: us-east-1

The attached role and policy looks like this:

CodePipelineServiceRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Action:
            - sts:AssumeRole
          Principal:
            Service:
              - codepipeline.amazonaws.com

CodePipelineServicePolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: CodePipelineServicePolicy
    Roles:
      - !Ref CodePipelineServiceRole
    PolicyDocument:
      Version: 2012-10-17
      Statement:
......
        - Effect: Allow
          Action:
            - codecommit:BatchGet*
            - codecommit:BatchDescribe*
            - codecommit:Get*
            - codecommit:Describe*
            - codecommit:List*
            - codecommit:GitPull
          Resource: !Sub "arn:aws:codecommit:us-east-1:${AWS::AccountId}:MyRepository*"

Alas, the pipeline still doesn't have access to my repository in us-east-1, or it is looking for it in the incorrect region, and as a result I'm getting the following error:

The service role or action role doesn’t have the permissions required to access the AWS CodeCommit repository named MyRepository. Update the IAM role permissions, and then try again. Error: User: arn:aws:sts::111111111111:assumed-role/MyPipeline-CodePipelineServiceRole-N996SC3JYINW/1564844186052 is not authorized to perform: codecommit:GetBranch on resource: arn:aws:codecommit:eu-west-1:111111111111:MyRepository

Any help would be greatly appreciated.

Edit: I know that I can replicate the repo to another region, but I am wondering whether there is any way to do what I want without replicating the repo to another region.

You need to replicate the CodeCommit repository to the other region. You can do it by using a CI job, a scheduled container in ECS, or Fargate.
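One way to do the replication this answer describes, as an added example that is not part of the original answer or of any AWS tooling: a small POSIX shell script that a CI job or a scheduled ECS/Fargate task can run to mirror the us-east-1 repository into eu-west-1 with plain git. CodePipeline's cross-Region action support does not cover source actions, so the `Region: us-east-1` on the source action does not make the pipeline look in us-east-1; it resolves the repository in its own region, which is what the error message shows. Once the repository is mirrored, the source action points at the eu-west-1 copy, and the CodeCommit `Resource` ARN in the service-role policy has to name eu-west-1 rather than us-east-1 as well. The script assumes git and the AWS CLI are on the image, that the task's IAM role is allowed `codecommit:GitPull` on the source and `codecommit:GitPush`, `codecommit:GetRepository` and `codecommit:CreateRepository` on the destination, and that the region and repository names it is invoked with are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: one-way mirror of a CodeCommit
# repository from one region into another, intended for a scheduled CI job or
# ECS/Fargate task. Assumes git and the AWS CLI are installed and that the
# task role can GitPull the source and GitPush/Get/CreateRepository the
# destination. Regions and repository names are caller-supplied placeholders.
set -eu

# HTTPS clone URL that CodeCommit exposes for a repository in a given region.
codecommit_url() {
  region=$1
  repo=$2
  printf 'https://git-codecommit.%s.amazonaws.com/v1/repos/%s\n' "$region" "$repo"
}

# Let git fetch short-lived SigV4 credentials from the AWS CLI instead of
# storing long-lived HTTPS Git credentials on the build image. UseHttpPath
# scopes the helper to the exact repository path, not the whole host.
configure_git_credentials() {
  git config --global credential.helper '!aws codecommit credential-helper $@'
  git config --global credential.UseHttpPath true
}

# Create the destination repository on first run if it does not exist yet.
ensure_destination_repo() {
  region=$1
  repo=$2
  if ! aws codecommit get-repository --region "$region" \
        --repository-name "$repo" >/dev/null 2>&1; then
    aws codecommit create-repository --region "$region" \
      --repository-name "$repo" \
      --repository-description "Mirror of $repo" >/dev/null
  fi
}

# Mirror source -> destination. After this the destination is identical to the
# source, including deletion of branches and tags that no longer exist
# upstream; that is what --mirror means, so never point it at a repository
# that receives commits of its own.
mirror_repo() {
  src_region=$1
  dst_region=$2
  repo=$3
  workdir=${4:-./mirror-work}

  src_url=$(codecommit_url "$src_region" "$repo")
  dst_url=$(codecommit_url "$dst_region" "$repo")

  configure_git_credentials
  ensure_destination_repo "$dst_region" "$repo"

  mkdir -p "$workdir"
  if [ ! -d "$workdir/$repo.git" ]; then
    git clone --mirror "$src_url" "$workdir/$repo.git"
  else
    # Repeat runs refresh the bare mirror instead of re-cloning it.
    git -C "$workdir/$repo.git" remote update --prune
  fi
  git -C "$workdir/$repo.git" push --mirror "$dst_url"
}

# Only mirror when invoked with arguments, e.g.
#   ./mirror.sh us-east-1 eu-west-1 MyRepository
if [ "$#" -ge 3 ]; then
  mirror_repo "$@"
fi
```

Run it on a schedule (for example an EventBridge rule starting a Fargate task) so the eu-west-1 copy tracks the us-east-1 original; the pipeline's CodeCommit source action then reads the copy in its own region with a policy whose ARN names eu-west-1. Because `git push --mirror` propagates deletions, keep the destination read-only for everyone except the mirroring role.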
