带有Codecommit目标源存储库的AWS Codepipeline来自另一个帐户 [英] AWS Codepipeline with a Codecommit targetsource repository from another account
问题描述
是否可以创建一个代码管道,该代码管道在另一个帐户中具有CodeCommit存储库的目标源?
Is it possible to create a codepipeline that has a target source of a CodeCommit Repository in another account?
推荐答案
我只是
帐户C是您的CodeCommit存储库的帐户。
帐户P是具有您的CodePipeline ...管道的帐户。
Account C is the account with your CodeCommit repository. Account P is the account with your CodePipeline... pipelines.
在帐户P中:
-
创建一个AWS KMS加密密钥并添加具有访问权限的账户C(指南此处)。您还需要添加CodePipeline角色,并且如果您具有CodeBuild和CodeDeploy步骤,也需要添加这些角色。
Create an AWS KMS Encryption Key and add Account C with having access (guide here in pre-requisite step). You will also need to add the CodePipeline role, and if you have a CodeBuild and CodeDeploy step add those roles too.
在您的CodePipeline构件S3存储桶中,您需要添加帐户C访问权限。转到存储桶策略并添加:
In your CodePipeline artifacts S3 bucket you need to add Account C access. Go to the Bucket Policy and add:
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTC_ID:root"
},
"Action": [
"s3:Get*",
"s3:Put*"
],
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTC_ID:root"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME"
}
更改 ACCOUNTC_ID 更改为帐户C的帐户ID,并将 YOUR_BUCKET_NAME 更改为CodePipeline项目S3存储桶名称。
Change ACCOUNTC_ID to the account ID of Account C, and change YOUR_BUCKET_NAME to the CodePipeline artifact S3 bucket name.
- 向您的CodePipeline服务角色添加策略,以便您可以访问帐户C和CodeCommit存储库:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::ACCOUNTC_ID:role/*"
]
}
}
再次将 ACCOUNTC_ID 更改为帐户C的帐户ID。
Again, change ACCOUNTC_ID to the account ID of Account C.
在帐户C中:
- 创建一个IAM策略,使帐户P可以访问CodeCommit资源,以及KMS密钥,因此它可以使用与CodePipeline其余代码相同的密钥对其进行加密:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject*",
"s3:PutObject",
"s3:PutObjectAcl",
"codecommit:ListBranches",
"codecommit:ListRepositories"
],
"Resource": [
"arn:aws:s3:::YOUR_BUCKET_NAME_IN_ACCOUNTP_FOR_CODE_PIPELINE/*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey*",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:YOUR_KMS_ARN"
]
}
]
}
在上述策略中替换存储桶名称和KMS ARN。将策略另存为CrossAccountPipelinePolicy之类的东西。
Replace bucket name and KMS ARN in the above policy. Save the policy as something like CrossAccountPipelinePolicy.
- 创建用于跨帐户访问的角色,并附加上述策略以及AWSCodeCommitFullAccess策略。确保将可信实体作为帐户P的帐户ID。
在AWS CLI中
您无法在控制台中执行此操作,因此必须使用AWS CLI。这将是使AccountP中的CodePipeline承担Source步骤中的角色,并将其转储到S3存储桶中,以供所有后续步骤使用。
In AWS CLI You can't do this bit in the console so you have to use the AWS CLI. This will be to get your CodePipeline in AccountP to assume the role in the Source step and dump it in the S3 bucket for all your next steps to use.
aws codepipeline get-pipeline --name NameOfPipeline> pipe.json
修改管道json,使它看起来像这样,并替换您需要的位:
Modify the pipeline json so it looks a bit like this and replace the bits that you need to:
"pipeline": {
"name": "YOUR_PIPELINE_NAME",
"roleArn": "arn:aws:iam::AccountP_ID:role/ROLE_NAME_FOR_CODE_PIPELINE",
"artifactStore": {
"type": "S3",
"location": "YOUR_BUCKET_NAME",
"encryptionKey": {
"id": "arn:aws:kms:YOUR_KMS_KEY_ARN",
"type": "KMS"
}
},
"stages": [
{
"name": "Source",
"actions": [
{
"name": "Source",
"actionTypeId": {
"category": "Source",
"owner": "AWS",
"provider": "CodeCommit",
"version": "1"
},
"runOrder": 1,
"roleArn": "arn:aws:iam::AccountC_ID:role/ROLE_NAME_WITH_CROSS_ACCOUNT_POLICY",
"configuration": {
"BranchName": "master",
"PollForSourceChanges": "false",
"RepositoryName": "YOURREPOSITORYNAME"
},
"outputArtifacts": [
{
"name": "MyApp"
}
],
"inputArtifacts": []
}
]
},
使用 aws codepipeline update更新管道-pipeline --cli-input-json file://pipeline.json
通过运行p验证其是否有效ipeline。
Verify it works by running the pipeline.
这篇关于带有Codecommit目标源存储库的AWS Codepipeline来自另一个帐户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
