我可以使用CloudFormation StackSets部署到自己帐户中的多个区域吗? [英] Can I use CloudFormation StackSets to deploy to multiple regions in my own account?
问题描述
我有一个简单的CloudFormation堆栈,我想将其部署到我帐户中的所有区域,因此不必手动进入每个区域来部署该堆栈,也不必创建使用CLI进行此操作的脚本。
我尝试使用StackSets进行此操作:我表示要部署到的帐户是我自己的帐户号。然后我选择了所有区域,并尝试进行部署。
不幸的是,它没有用,并说:
< blockquote>
帐户1234567867867应该具有与角色'AWSCloudFormationStackSetAdministrationRole'具有信任关系
的
'AWSCloudFormationStackSetExecutionRole'角色。
因此,我调查了一下并找到了本教程,了解如何解决该问题:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html
但是,在执行该过程时,它不允许我执行第二步,即创建一个信任管理员帐户的角色...我我猜这是因为管理员帐户就是我的帐户,所以建立信任关系不起作用,但是我不确定。这是我得到的错误:
AWSCloudFormationStackSetExecutionRole已经存在
那有可能吗?还是我应该只创建一个使用CLI的脚本在我帐户内的所有区域之间部署正常的CloudFormation堆栈?
答案是肯定的,您可以使用StackSets在您的一个单一帐户内的多个区域中进行部署。
您仍然需要按照本文所述创建主角色/子角色。我链接了我的原始问题。在这种特殊情况下,您基本上是在说自己相信自己会扮演自己的角色。但是一旦完成,您应该能够设置一个StackSet,指定您自己的帐号作为您要在其中部署StackSet的帐户,然后选择所需的所有区域。
我之前遇到问题的原因是,显然有人已经将子角色添加到我的帐户中,因此当我尝试自己创建子角色时,该角色已经存在(导致错误)。假设没有人搞乱您的帐户,您可能不会遇到这种情况。但是,如果您确实遇到了这种情况(也许您所在的公司中有很多人都在像我一样使用同一组帐户),那么您要做的就是在IAM中找到AWSCloudFormationStackSetExecutionRole角色,然后编辑Trust关系,并向信任添加另一个信任关系:
arn:aws:iam ::<您的帐号>:role / AWSCloudFormationStackSetAdministrationRole
I have a simple CloudFormation stack that I want to deploy to all regions in my account so I don't have to manually go into each region to deploy the stack, or create a script that does that with the CLI.
I tried doing this with StackSets: I indicated that the account I want to deploy to is my own account number. Then I selected all the regions, and tried to deploy.
Unfortunately, it didn't work, saying:
Account 1234567867867 should have 'AWSCloudFormationStackSetExecutionRole' role with trust relationship to Role 'AWSCloudFormationStackSetAdministrationRole'.
So I looked into that and came across this tutorial on how to address that issue:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html
However, in going through that process, it wouldn't let me do the second step, where I create a role that trusts the administrator account... I'm guessing this is because the administrator account IS my account, so setting up the trust relationship doesn't work, but I'm not exactly sure. Here's the error I get:
AWSCloudFormationStackSetExecutionRole already exists
So is this even possible? Or should I just create a script that uses the CLI to deploy a normal CloudFormation stack across all the regions within my account?
The answer is yes, you can use StackSets to deploy across multiple regions within YOUR ONE SINGLE ACCOUNT.
You still need to create the master/child roles as described in the article I linked in my original question. In this special case, you're basically saying you trust yourself to use your own role. But once you do that, you should be able to set up a StackSet, specify your own account number as the account into which you want to deploy the StackSet, and choose all the regions you want.
The reason I was running into a problem earlier was because apparently someone had already added the child role to my account, so when I tried to create it myself, it was already there (causing the error). You probably won't run into that, assuming nobody's been messing with your account. But if you do find you run into that (maybe you're in a company with lots of people working on the same sets of accounts like I am), then all you need to do is find the AWSCloudFormationStackSetExecutionRole role in IAM, edit the Trust Relationships, and add another trust relationship to trust:
arn:aws:iam::<your account number>:role/AWSCloudFormationStackSetAdministrationRole
这篇关于我可以使用CloudFormation StackSets部署到自己帐户中的多个区域吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
