What is the CIDR used by AWS CodePipeline?

Views: 61
Problem description

I am trying to use GitHub's allow-list feature, where access to an organization's repositories can be restricted to only IPs in the allow-list.

I have a CodePipeline in eu-west-2 (London) which is configured to have a source action of reading from GitHub. I need the IP CIDR that is used by CodePipeline to perform the source clone, in order to add it to the allow-list. I have got the AWS IP list and added all of the CodeBuild and Amazon service IPs in eu-west-2 to the allow-list. However, when I execute a build of the pipeline, it fails due to an inability to access the repository.

However, when I add 0.0.0.0/0 to the allow-list, the build works. This would seem to indicate that CodePipeline is using either an unpublished range of IP addresses, or is somehow accessing GitHub from another region.

I have tried configuring CodePipeline to use S3 as a source and set logging on the bucket, in an attempt to capture the IP addresses being used by CodePipeline, but the IPs captured are internal IP addresses in the 172.16/12 space, i.e. they are not the external IP addresses used by CodePipeline.

What are the IP addresses used by CodePipeline?

Recommended answer

There is not currently a reliable way to enumerate IPs used by CodePipeline.

However, please also note that CodePipeline is a public cloud service. If you allow-list all of CodePipeline, you'd effectively be allow-listing the whole world because anyone can sign up for and use CodePipeline.

I would focus on other techniques to harden your security, such as rotating access tokens regularly. IP allow-listing often doesn't provide effective security in a cloud world ;)
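As an added example (not code from the question or the answer), the script below filters a file in the layout of the published AWS ip-ranges.json down to the eu-west-2 CODEBUILD and AMAZON prefixes the question mentions, then classifies an observed address as RFC 1918 private (the 172.16/12 addresses seen in the S3 logs), covered by a published prefix, or unpublished. The embedded JSON is a constructed sample and the function names are my own.

```python
"""Added example: check observed IPs against the published AWS ip-ranges.json.
Assumes the documented layout ("prefixes" entries with "ip_prefix", "region",
"service"); the embedded JSON is a constructed, shortened sample, not real AWS data.
"""
import ipaddress
import json

# Constructed stand-in for https://ip-ranges.amazonaws.com/ip-ranges.json
# (prefixes use RFC 5737 documentation ranges, not real AWS addresses).
SAMPLE_IP_RANGES = json.loads("""
{"prefixes": [
  {"ip_prefix": "203.0.113.0/24", "region": "eu-west-2", "service": "CODEBUILD"},
  {"ip_prefix": "198.51.100.0/24", "region": "eu-west-2", "service": "AMAZON"},
  {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "CODEBUILD"}
]}
""")

# RFC 1918 space; 172.16.0.0/12 is where the question's logged addresses fell.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def allowlist_prefixes(ip_ranges, region, services):
    """Return the IPv4 networks published for one region and a set of services."""
    return [
        ipaddress.ip_network(p["ip_prefix"])
        for p in ip_ranges["prefixes"]
        if p["region"] == region and p["service"] in services
    ]


def classify_ip(ip, prefixes):
    """Say why an observed IP would or would not pass an allow-list built from prefixes.
    "private"     -> RFC 1918 space (internal hop, useless for an allow-list)
    "<prefix>"    -> covered by that published prefix
    "unpublished" -> public address outside every selected prefix
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "private"
    for net in prefixes:
        if addr in net:
            return str(net)
    return "unpublished"


if __name__ == "__main__":
    nets = allowlist_prefixes(SAMPLE_IP_RANGES, "eu-west-2", {"CODEBUILD", "AMAZON"})
    for ip in ("203.0.113.7", "172.16.5.9", "192.0.2.44"):
        print(ip, "->", classify_ip(ip, nets))
```

Run it against the live ip-ranges.json and the addresses from your own access logs to see whether the source action ever arrives from a published prefix at all.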
