2022-08-28
AWS CodePipeline: cross-account deployment to ECS
Summary:
CodePipeline in account A deploys a workload to ECS Fargate in account B.
If any of the resources below do not exist yet, create them manually; the default settings are fine.
Account A resources:
1. CodePipeline project
2. KMS key
3. S3 bucket (used to share the artifact, encrypted with the KMS key)
Account B resources:
1. ECS Fargate cluster and service
Steps:
1. Create the cross-account role in account B
XXXXXXXX (written as {{A账号的数字ID}} in the code below) stands for account A's numeric account ID.
codepipeline-1234567890 is account A's pipeline artifact bucket.
"arn:aws:kms:us-east-1:XXXXXXXX:key/mrk-7fae67a03XXXX5d1e0b5625" is the ARN of account A's KMS key.
Create the cross-account role (CrossAccount_Role) in account B:
crossAccount_role.tf
resource "aws_iam_role" "crossrole" {
  name = "CrossAccount_Role"

  # Trust policy: only account A (the CodePipeline account) may assume this role.
  # {{A账号的数字ID}} = numeric ID of account A
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : "arn:aws:iam::{{A账号的数字ID}}:root"
        },
        "Action" : "sts:AssumeRole",
        "Condition" : {}
      }
    ]
  })

  inline_policy {
    name = "cross_role_inline_policy"
    policy = jsonencode({
      "Version" : "2012-10-17",
      "Statement" : [
        {
          # Permissions needed to update the ECS service in account B
          "Action"   : ["ecr:*", "ecs:*", "iam:PassRole"],
          "Resource" : "*",
          "Effect"   : "Allow"
        },
        {
          # Read the build artifact from account A's pipeline bucket
          "Effect" : "Allow",
          "Action" : ["s3:Get*", "s3:Put*", "s3:ListBucket"],
          "Resource" : [
            "arn:aws:s3:::codepipeline-1234567890/*",
            "arn:aws:s3:::codepipeline-1234567890"
          ]
        },
        {
          # Decrypt the artifact with account A's KMS key
          "Effect" : "Allow",
          "Action" : [
            "kms:DescribeKey",
            "kms:GenerateDataKey*",
            "kms:Encrypt",
            "kms:ReEncrypt*",
            "kms:Decrypt"
          ],
          "Resource" : [
            "arn:aws:kms:us-east-1:{{A账号的数字ID}}:key/mrk-7fae67a03XXXX5d1e0b5625"
          ]
        }
      ]
    })
  }
}
terraform apply .
2. Grant CrossAccount_Role access to account A's S3 bucket:
Amazon S3 / Buckets / codepipeline-1234567890
Open the Permissions tab and, under Bucket policy, enter the following policy and save it
({{B账号的数字ID}} stands for account B's numeric account ID; the bucket ARN itself is listed as a resource because s3:ListBucket applies to the bucket, not to its objects):
{
  "Version": "2012-10-17",
  "Id": "SSEAndSSLPolicy",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::{{B账号的数字ID}}:root"
        ]
      },
      "Action": [
        "s3:Get*",
        "s3:Put*",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::codepipeline-1234567890",
        "arn:aws:s3:::codepipeline-1234567890/*"
      ]
    }
  ]
}
3. Grant account B cross-account access to account A's KMS key:
Open KMS and go to the key's page (create a key if there is none). Under Key policy, add account B's numeric ID as an allowed principal and save:
arn:aws:iam::{{B账号的数字ID}}:root
4. Export the pipeline definition:
aws codepipeline get-pipeline --name ecs-pipeline > pipeline.json
vim pipeline.json
Edit the Deploy stage so that it looks like this:
{
  "name": "Deploy",
  "actions": [
    {
      "name": "Deploy",
      "actionTypeId": {
        "category": "Deploy",
        "owner": "AWS",
        "provider": "ECS",
        "version": "1"
      },
      "runOrder": 3,
      "roleArn": "arn:aws:iam::{{B账号的数字ID}}:role/CrossAccount_Role",
      "configuration": {
        "ClusterName": "fargate-cluster",
        "DeploymentTimeout": "30",
        "FileName": "imagedefinitions.json",
        "ServiceName": "webservice"
      },
      "outputArtifacts": [],
      "inputArtifacts": [
        {
          "name": "BuildArtifact"
        }
      ],
      "region": "us-east-1",
      "namespace": "DeployVariables"
    }
  ]
}
The main change is the execution role added to the Deploy action: "roleArn": "arn:aws:iam::{{B账号的数字ID}}:role/CrossAccount_Role"
5. Update the pipeline:
aws codepipeline update-pipeline --cli-input-json file://pipeline.json
Note: the ECS task execution role in account B must be allowed to read (decrypt with) the KMS key and must have its usual execution permissions.
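Steps 4 and 5 can be scripted instead of hand-editing pipeline.json. The following is an added example, not code from the original post: it takes the raw get-pipeline output, strips the top-level "metadata" block that update-pipeline does not accept, and sets roleArn on every ECS Deploy action. The account IDs and the trimmed sample pipeline are constructed placeholders.

```python
"""Patch a CodePipeline definition so its ECS Deploy action assumes the
cross-account role. Added example, not from the original post; account IDs
below are constructed placeholders."""
import json

# Constructed, trimmed sample of `aws codepipeline get-pipeline` output.
SAMPLE_GET_PIPELINE = json.dumps({
    "pipeline": {
        "name": "ecs-pipeline",
        "roleArn": "arn:aws:iam::111111111111:role/pipeline-service-role",
        "stages": [
            {"name": "Source", "actions": [{
                "name": "Source",
                "actionTypeId": {"category": "Source", "owner": "AWS",
                                 "provider": "ECR", "version": "1"},
                "configuration": {"RepositoryName": "web"}}]},
            {"name": "Deploy", "actions": [{
                "name": "Deploy", "runOrder": 3,
                "actionTypeId": {"category": "Deploy", "owner": "AWS",
                                 "provider": "ECS", "version": "1"},
                "configuration": {"ClusterName": "fargate-cluster",
                                  "ServiceName": "webservice",
                                  "FileName": "imagedefinitions.json"},
                "inputArtifacts": [{"name": "BuildArtifact"}],
                "region": "us-east-1"}]},
        ],
        "version": 7,
    },
    # update-pipeline rejects this block; it must be stripped before use.
    "metadata": {"pipelineArn": "arn:aws:codepipeline:us-east-1:111111111111:ecs-pipeline"},
})


def set_cross_account_role(get_pipeline_json, target_account_id,
                           role_name="CrossAccount_Role"):
    """Return the document for `update-pipeline --cli-input-json`:
    metadata dropped, roleArn set on every ECS Deploy action, everything
    else (source, build, the pipeline's own roleArn) left untouched."""
    pipeline = json.loads(get_pipeline_json)["pipeline"]
    role_arn = "arn:aws:iam::%s:role/%s" % (target_account_id, role_name)
    patched = 0
    for action in (a for s in pipeline["stages"] for a in s["actions"]):
        kind = action["actionTypeId"]
        if kind["category"] == "Deploy" and kind["provider"] == "ECS":
            action["roleArn"] = role_arn   # deploy runs as account B's role
            patched += 1
    if not patched:
        raise ValueError("no ECS Deploy action found; nothing to patch")
    return {"pipeline": pipeline}
```

Write the returned dict to pipeline.json with json.dump and pass it to `aws codepipeline update-pipeline --cli-input-json file://pipeline.json`.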