AWS CodePipeLine 跨账号部署ECS

AWS CodePipeLine 跨账号部署ECS

简述:

A 账号codepipeline 部署业务到B账号上的ECS Fargate

下面的资源没有的话请手动创建一下，默认创建即可

A账号资源：

1、codepipeline  project

2、KMS KEY

3、S3  （临时共享KMS用）

B账号资源：

1、ECS Fargate

步骤：

1、B账号创建跨账号角色

XXXXXXXX为A账号的数字ID

codepipeline-1234567890为A账号的存储桶

"arn:aws:kms:us-east-1:XXXXXXXX:key/mrk-7fae67a03XXXX5d1e0b5625"  为A账号的KMS KEY ARN

创建B账号的跨账号角色（CrossAccount_Role）

crossAccout_role.tf

resource "aws_iam_role" "crossrole" { name = "CrossAccount_Role" assume_role_policy = jsonencode({ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::{{A账号的数字ID}}:root" }, "Action": "sts:AssumeRole", "Condition": {} } ]}) inline_policy { name = "cross_role_inline_policy" policy = jsonencode({ "Version": "2012-10-17", "Statement": [ { "Action": [ "ecr:*", "ecs:*", "iam:PassRole" ], "Resource": "*", "Effect": "Allow" }, { "Effect": "Allow", "Action": [ "s3:Get*", "s3:Put*", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::codepipeline-1234567890/*", "arn:aws:s3:::codepipeline-1234567890" ] }, { "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:GenerateDataKey*", "kms:Encrypt", "kms:ReEncrypt*", "kms:Decrypt" ], "Resource": [ "arn:aws:kms:us-east-1:{{A账号的数字ID}}:key/mrk-7fae67a03XXXX5d1e0b5625" ] } ]})}}

terraform apply .

2、给A账号的S3增加CrossAccount_Role权限：

Amazon S3/Buckets/codepipeline-1234567890

选择permissions菜单，

在

Bucket policy菜单里输入下面的权限规则保存

{ "Version": "2012-10-17", "Id": "SSEAndSSLPolicy", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::{{B账号的数字ID}}:root", ] }, "Action": [ "s3:Get*", "s3:Put*", "s3:ListBucket" ], "Resource": "arn:aws:s3:::codepipeline-1234567890/*" } ]}

3、给A账号的KMS KEY增加跨账号权限：

打开KMS 选找到对应的KEY页面，没有KEY则创建一个，在key Policy下的

输入B的数字ID 保存：

arn:aws:iam::{{B账号的数字ID}}:root

4、导出codepipeline信息：

aws codepipeline get-pipeline --name ecs-pipeline >pipeline.json

vim pipeline.js{ "name": "Deploy", "actions": [ { "name": "Deploy", "actionTypeId": { "category": "Deploy", "owner": "AWS", "provider": "ECS", "version": "1" }, "runOrder": 3, "roleArn": "arn:aws:iam::{{B账号的数据ID}}:role/CrossAccount_Role", "configuration": { "ClusterName": "fargate-cluster", "DeploymentTimeout": "30", "FileName": "imagedefinitions.json", "ServiceName": "webservice" }, "outputArtifacts": [], "inputArtifacts": [ { "name": "BuildArtifact" } ], "region": "us-east-1", "namespace": "DeployVariables" } ] } 主要是增加了执行角色： "roleArn": "arn:aws:iam::{{B账号的数据ID}}:role/CrossAccount_Role"

5、更新一下codepipeline

aws codepipeline update-pipeline --cli-input-json file://pipeline.json

注意：ECS的task-execution角色需要有读取KMS权限及执行权限

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。