使用CDK Deploy需要哪些IAM权限? [英] What IAM permissions are needed to use CDK Deploy?
问题描述
我的团队有一个在执行IAM角色下运行的管道。我们希望通过CloudFormation或CDK将代码部署到AWS。
My team has a pipeline which runs under an execution IAM role. We want to deploy code to AWS through CloudFormation or the CDK.
过去,我们会在创建/更新CloudFormation堆栈之前,先将一些工件上传到S3存储桶中。执行IAM角色。
In the past, we would upload some artifacts to S3 buckets before creating/updating our CloudFormation stack, using the execution IAM role.
我们最近改用了CDK,并尝试使用CDK Deploy尽可能多地实现自动化,但遇到了很多权限项目我们需要添加之前没有的内容(例如cloudformation:GetTemplate)。
We recently switched to the CDK, and are trying to get as much automated with using CDK Deploy as possible, but are running into a lot of permission items we need to add which we didn't have prior (for instance, cloudformation:GetTemplate).
我们不想只授予*(我们希望至少遵循权限),但找不到任何明确的文档列表。
We don't want to just grant * (we want to follow least privilege) but I can't find any clear documented list.
CDK Deploy依赖于标准权限列表吗?除了标准列表之外,还有什么不错的东西吗?
Is there a standard list of permissions that CDK Deploy relies on? Are there any "nice to have's" beyond a standard list?
推荐答案
由于我在任何地方都找不到文档
Since I couldn't find any documentation anywhere I had to do some trial and error to get this to work.
除了需要创建在堆栈中定义的实际资源所需的权限外,还需要提供以下内容:
Apart from the permissions you need to create the actual resources you define in your stack, you need to give the following:
cloudformation:CreateChangeSet
cloudformation:DescribeChangeSet
cloudformation:ExecuteChangeSet
cloudformation:DescribeStackEvents
cloudformation:DeleteChangeSet
要创建的堆栈ARN以及引导程序堆栈:
To the stack ARN you are creating, as well as the bootstrap stack:
arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/CDKToolkit/*
您还需要对Boostrap添加的存储桶具有s3权限(否则,您会感到恐惧禁止:空
错误):
You also need s3 permissions to the bucket that the boostrap added (otherwise you get that dreaded Forbidden: null
error):
s3:*Object
s3:ListBucket
至
arn:aws:s3:::cdktoolkit-stagingbucket-*
这篇关于使用CDK Deploy需要哪些IAM权限?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!