
AWS CodePipeline: cross-account deployment to ECS

 2 years ago
source link: https://blog.51cto.com/slapping/5558774


Original

A CodePipeline in account A deploys a workload to ECS Fargate in account B.

If any of the resources below do not exist yet, create them manually; the default settings are fine.

Resources in account A:

1. CodePipeline project

2. KMS key

3. S3 bucket (used as the artifact store, shared via the KMS key)

Resources in account B:

1. ECS Fargate cluster and service

1. Create the cross-account role in account B

In what follows, XXXXXXXX is account A's numeric account ID,

codepipeline-1234567890 is account A's artifact bucket, and

"arn:aws:kms:us-east-1:XXXXXXXX:key/mrk-7fae67a03XXXX5d1e0b5625" is the ARN of account A's KMS key.

Create the cross-account role (CrossAccount_Role) in account B:

crossAccount_role.tf

resource "aws_iam_role" "crossrole" {
  name = "CrossAccount_Role"

  # Trust policy: allows principals in account A to assume this role.
  # Replace {{A账号的数字ID}} with account A's numeric account ID.
  assume_role_policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Principal" : {
            "AWS" : "arn:aws:iam::{{A账号的数字ID}}:root"
          },
          "Action" : "sts:AssumeRole",
          "Condition" : {}
        }
      ]
  })

  # Permissions the pipeline needs in account B (ECR/ECS, passing the task
  # roles) plus read/write on account A's artifact bucket and use of its KMS key.
  inline_policy {
    name = "cross_role_inline_policy"

    policy = jsonencode({
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Action" : [
            "ecr:*",
            "ecs:*",
            "iam:PassRole"
          ],
          "Resource" : "*",
          "Effect" : "Allow"
        },
        {
          "Effect" : "Allow",
          "Action" : [
            "s3:Get*",
            "s3:Put*",
            "s3:ListBucket"
          ],
          "Resource" : [
            "arn:aws:s3:::codepipeline-1234567890/*",
            "arn:aws:s3:::codepipeline-1234567890"
          ]
        },
        {
          "Effect" : "Allow",
          "Action" : [
            "kms:DescribeKey",
            "kms:GenerateDataKey*",
            "kms:Encrypt",
            "kms:ReEncrypt*",
            "kms:Decrypt"
          ],
          # Account A's KMS key ARN
          "Resource" : [
            "arn:aws:kms:us-east-1:{{A账号的数字ID}}:key/mrk-7fae67a03XXXX5d1e0b5625"
          ]
        }
      ]
    })
  }
}

terraform init && terraform apply
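Before applying a role like the one above it is worth checking what it actually grants. The following Python linter is an added example and not part of the original post: it loads a copy of the trust and inline policies shown above (with constructed placeholder account IDs, 111111111111 for account A) and reports two things a reviewer would flag: the trust statement has an empty Condition and trusts the whole account root, so any IAM principal in account A whose own policy allows sts:AssumeRole on this role can assume it (narrowing the Principal to the pipeline's service role, or adding an aws:PrincipalArn condition, limits that); and `ecr:*`, `ecs:*` and `iam:PassRole` are allowed on Resource `*`, whereas `iam:PassRole` in particular can be scoped to the ECS task and task execution role ARNs.

```python
"""Lint the CrossAccount_Role trust and inline policies (added example)."""
import json

# Constructed placeholders; replace with real values when running against
# policies exported with `aws iam get-role` / `aws iam get-role-policy`.
ACCOUNT_A = "111111111111"
BUCKET = "codepipeline-1234567890"
KMS_KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_A}:key/PLACEHOLDER-KEY-ID"

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {},
    }],
}

INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ecr:*", "ecs:*", "iam:PassRole"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:Get*", "s3:Put*", "s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"]},
        {"Effect": "Allow",
         "Action": ["kms:DescribeKey", "kms:GenerateDataKey*", "kms:Encrypt",
                    "kms:ReEncrypt*", "kms:Decrypt"],
         "Resource": [KMS_KEY_ARN]},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, expected_account):
    """Return findings for AssumeRole statements in a role trust policy."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        expected_root = f"arn:aws:iam::{expected_account}:root"
        for principal in _as_list(stmt.get("Principal", {}).get("AWS")):
            if principal != expected_root:
                findings.append(f"unexpected trusted principal: {principal}")
        if not stmt.get("Condition"):
            findings.append(
                "AssumeRole trust has no Condition; every IAM principal in the "
                "trusted account that is allowed sts:AssumeRole can assume it")
    return findings


def check_inline_policy(policy):
    """Flag wildcard-action or iam:PassRole statements that apply to Resource '*'."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "iam:PassRole" or action.endswith("*"):
                findings.append(f"{action} on Resource '*'")
    return findings


def lint_role(trust, inline, expected_account):
    """Combine both checks into one report keyed by policy section."""
    return {
        "trust": check_trust_policy(trust, expected_account),
        "inline": check_inline_policy(inline),
    }


if __name__ == "__main__":
    print(json.dumps(lint_role(TRUST_POLICY, INLINE_POLICY, ACCOUNT_A), indent=2))
```

The checks are deliberately narrow (wildcard resources and empty trust conditions); they are a starting point for reviewing the role before `terraform apply`, not a replacement for IAM Access Analyzer.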

2. Grant CrossAccount_Role access to account A's S3 bucket:

Amazon S3 / Buckets / codepipeline-1234567890

Open the Permissions tab,

then paste the following policy into Bucket policy and save it:
{
  "Version": "2012-10-17",
  "Id": "SSEAndSSLPolicy",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::{{B账号的数字ID}}:root"
        ]
      },
      "Action": [
        "s3:Get*",
        "s3:Put*",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::codepipeline-1234567890/*",
        "arn:aws:s3:::codepipeline-1234567890"
      ]
    }
  ]
}

3. Add cross-account permissions to account A's KMS key:

Open KMS and go to the page of the corresponding key (create one if it does not exist). Under Key policy, in the

Other AWS accounts section, click Add other AWS accounts,

enter account B's numeric ID and save:

  • arn:aws:iam::{{B账号的数字ID}}:root

4. Export the CodePipeline definition:

aws codepipeline get-pipeline --name ecs-pipeline > pipeline.json
vim pipeline.json

{
  "name": "Deploy",
  "actions": [
    {
      "name": "Deploy",
      "actionTypeId": {
        "category": "Deploy",
        "owner": "AWS",
        "provider": "ECS",
        "version": "1"
      },
      "runOrder": 3,
      "roleArn": "arn:aws:iam::{{B账号的数字ID}}:role/CrossAccount_Role",
      "configuration": {
        "ClusterName": "fargate-cluster",
        "DeploymentTimeout": "30",
        "FileName": "imagedefinitions.json",
        "ServiceName": "webservice"
      },
      "outputArtifacts": [],
      "inputArtifacts": [
        {
          "name": "BuildArtifact"
        }
      ],
      "region": "us-east-1",
      "namespace": "DeployVariables"
    }
  ]
}

The main change is the execution role added to the Deploy action:
"roleArn": "arn:aws:iam::{{B账号的数字ID}}:role/CrossAccount_Role"

5. Update the CodePipeline

aws codepipeline update-pipeline --cli-input-json file://pipeline.json
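Editing the exported JSON by hand works, but two details are easy to get wrong: `get-pipeline` output contains a top-level `metadata` object that `update-pipeline` rejects, so it has to be removed, and the `roleArn` must be set on the ECS Deploy action itself, not on the pipeline. The script below is an added example (not from the original post) that does steps 4 and 5 programmatically: it takes a constructed, trimmed copy of `get-pipeline` output with placeholder account IDs (111111111111 for A, 222222222222 for B), drops `metadata`, sets `roleArn` on every Deploy action whose provider is ECS, and writes the result as input for `update-pipeline`. The pipeline's own service role in account A must additionally be allowed `sts:AssumeRole` on CrossAccount_Role for the action to run.

```python
"""Prepare get-pipeline output for update-pipeline with a cross-account Deploy role."""
import copy
import json

ACCOUNT_A = "111111111111"  # constructed placeholder
ACCOUNT_B = "222222222222"  # constructed placeholder
CROSS_ACCOUNT_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/CrossAccount_Role"

# Constructed, trimmed stand-in for `aws codepipeline get-pipeline --name ecs-pipeline`.
GET_PIPELINE_OUTPUT = {
    "pipeline": {
        "name": "ecs-pipeline",
        "roleArn": f"arn:aws:iam::{ACCOUNT_A}:role/service-role/ecs-pipeline-role",
        "artifactStore": {
            "type": "S3",
            "location": "codepipeline-1234567890",
            "encryptionKey": {
                "id": f"arn:aws:kms:us-east-1:{ACCOUNT_A}:key/PLACEHOLDER-KEY-ID",
                "type": "KMS",
            },
        },
        "stages": [
            {"name": "Source", "actions": [{
                "name": "Source",
                "actionTypeId": {"category": "Source", "owner": "AWS",
                                 "provider": "CodeCommit", "version": "1"},
                "runOrder": 1,
                "configuration": {"RepositoryName": "webservice", "BranchName": "main"},
                "outputArtifacts": [{"name": "BuildArtifact"}],
                "inputArtifacts": [],
                "region": "us-east-1",
            }]},
            {"name": "Deploy", "actions": [{
                "name": "Deploy",
                "actionTypeId": {"category": "Deploy", "owner": "AWS",
                                 "provider": "ECS", "version": "1"},
                "runOrder": 3,
                "configuration": {"ClusterName": "fargate-cluster",
                                  "DeploymentTimeout": "30",
                                  "FileName": "imagedefinitions.json",
                                  "ServiceName": "webservice"},
                "outputArtifacts": [],
                "inputArtifacts": [{"name": "BuildArtifact"}],
                "region": "us-east-1",
                "namespace": "DeployVariables",
            }]},
        ],
        "version": 3,
    },
    # update-pipeline does not accept this block; it must be stripped.
    "metadata": {
        "pipelineArn": f"arn:aws:codepipeline:us-east-1:{ACCOUNT_A}:ecs-pipeline",
        "created": "2022-08-01T00:00:00+00:00",
        "updated": "2022-08-01T00:00:00+00:00",
    },
}


def set_cross_account_deploy_role(doc, role_arn, provider="ECS"):
    """Return (update-pipeline input, number of actions changed).

    The input document is not modified; `metadata` is dropped and roleArn is
    set on each Deploy action of the given provider.
    """
    pipeline = copy.deepcopy(doc["pipeline"])
    changed = 0
    for stage in pipeline["stages"]:
        for action in stage["actions"]:
            kind = action["actionTypeId"]
            if kind["category"] == "Deploy" and kind["provider"] == provider:
                action["roleArn"] = role_arn
                changed += 1
    return {"pipeline": pipeline}, changed


def deploy_role_arns(doc):
    """List the roleArn of every Deploy action (None where not set)."""
    return [action.get("roleArn")
            for stage in doc["pipeline"]["stages"]
            for action in stage["actions"]
            if action["actionTypeId"]["category"] == "Deploy"]


if __name__ == "__main__":
    updated, count = set_cross_account_deploy_role(GET_PIPELINE_OUTPUT, CROSS_ACCOUNT_ROLE_ARN)
    with open("pipeline.json", "w") as fh:
        json.dump(updated, fh, indent=2)
    print(f"updated {count} Deploy action(s); now run: "
          "aws codepipeline update-pipeline --cli-input-json file://pipeline.json")
```

Run it in place of the `vim` step, then pass the written `pipeline.json` to `update-pipeline` as in step 5.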

At this point the cross-account pipeline deployment is set up; click Release change to test it.

Note: the ECS task execution role needs permission to read the KMS key in addition to its usual execution permissions.

