Summary:
CodePipeline in account A deploys a workload to ECS Fargate in account B.
If any of the resources below do not exist yet, create them manually; the default settings are fine.
Account A resources:
1. CodePipeline project
2. KMS key
3. S3 bucket (shared temporarily, encrypted with the KMS key)
Account B resources:
1. ECS Fargate
Steps:
1. Create the cross-account role in account B
XXXXXXXX is account A's numeric ID; in the policy documents below, {{A賬号的數字ID}} and {{B賬号的數字ID}} stand for the numeric IDs of account A and account B respectively.
codepipeline-1234567890 is account A's artifact bucket.
"arn:aws:kms:us-east-1:XXXXXXXX:key/mrk-7fae67a03XXXX5d1e0b5625" is the ARN of account A's KMS key.
Create the cross-account role (CrossAccount_Role) in account B:
crossAccout_role.tf
resource "aws_iam_role" "crossrole" {
  name = "CrossAccount_Role"
  assume_role_policy = jsonencode(
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::{{A賬号的數字ID}}:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {}
        }
      ]
  })
  inline_policy {
    name = "cross_role_inline_policy"
    policy = jsonencode({
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "ecr:*",
            "ecs:*",
            "iam:PassRole"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:Get*",
            "s3:Put*",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::codepipeline-1234567890/*",
            "arn:aws:s3:::codepipeline-1234567890"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "kms:DescribeKey",
            "kms:GenerateDataKey*",
            "kms:Encrypt",
            "kms:ReEncrypt*",
            "kms:Decrypt"
          ],
          "Resource": [
            "arn:aws:kms:us-east-1:{{A賬号的數字ID}}:key/mrk-7fae67a03XXXX5d1e0b5625"
          ]
        }
      ]
    })
  }
}
terraform apply
2. Grant CrossAccount_Role access to account A's S3 bucket:
Amazon S3 / Buckets / codepipeline-1234567890
Open the Permissions tab, paste the following policy into Bucket policy and save it:
{
  "Version": "2012-10-17",
  "Id": "SSEAndSSLPolicy",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::{{B賬号的數字ID}}:root"
        ]
      },
      "Action": [
        "s3:Get*",
        "s3:Put*",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::codepipeline-1234567890/*",
        "arn:aws:s3:::codepipeline-1234567890"
      ]
    }
  ]
}
3. Add the cross-account grant to account A's KMS key:
Open KMS and go to the key's page (create a key if there is none). Under Key policy, in the Other AWS accounts section, click Add other AWS accounts, enter account B's numeric ID and save:
- arn:aws:iam::{{B賬号的數字ID}}:root
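Steps 1 to 3 spread one trust relationship across three documents in two accounts, and most "access denied" failures at deploy time come from those documents disagreeing (a bucket ARN missing next to the object ARN, a key ARN that does not match, an account ID typed wrong in one of them). The following checker is an added example, not code from the original guide: it parses the three policies as JSON and reports mismatches against the account IDs, bucket name and key ARN you expect. It goes a little beyond the page by also flagging the Resource "*" grants in the inline policy, which are worth scoping to the cluster, service and repositories once the pipeline works. The account IDs, key ID and the two sample documents are constructed placeholders.

```python
# Consistency check for the cross-account policy documents from steps 1-3.
# Added example, not part of the original guide. Documents are JSON text;
# account IDs, bucket name and key ID are constructed placeholders.
import fnmatch
import json

A_ACCOUNT = "111111111111"          # constructed: account A numeric ID
B_ACCOUNT = "222222222222"          # constructed: account B numeric ID
BUCKET = "codepipeline-1234567890"  # artifact bucket name used in the guide
KEY_ARN = f"arn:aws:kms:us-east-1:{A_ACCOUNT}:key/EXAMPLE-KEY-ID"  # constructed
B_ROOT = f"arn:aws:iam::{B_ACCOUNT}:root"
# What CrossAccount_Role requests on the key; the key policy must grant all of it
REQUIRED_KMS_ACTIONS = ["kms:DescribeKey", "kms:GenerateDataKey*", "kms:Encrypt",
                        "kms:ReEncrypt*", "kms:Decrypt"]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _allow_statements(doc, principal=None):
    """Allow statements of a policy; optionally only those naming `principal`."""
    for s in _as_list(json.loads(doc)["Statement"]):
        if s.get("Effect") != "Allow":
            continue
        if principal is not None:
            p = s.get("Principal", {})
            aws = _as_list(p.get("AWS", [])) if isinstance(p, dict) else [p]
            if principal not in aws:
                continue
        yield s


def _covers(granted, required):
    """True if a granted action pattern (e.g. s3:Get*, kms:*) matches required."""
    return any(fnmatch.fnmatchcase(required.lower(), g.lower()) for g in granted)


def check_bucket_policy(doc, b_account=B_ACCOUNT, bucket=BUCKET):
    """Findings for account A's artifact-bucket policy (step 2)."""
    b_root = f"arn:aws:iam::{b_account}:root"
    bucket_arn = f"arn:aws:s3:::{bucket}"
    stmts = list(_allow_statements(doc, b_root))
    if not stmts:
        return [f"bucket policy: no Allow statement for {b_root}"]
    findings = []
    for s in stmts:
        actions, resources = _as_list(s["Action"]), _as_list(s["Resource"])
        # ListBucket is evaluated against the bucket ARN, object access against bucket/*
        if _covers(actions, "s3:ListBucket") and bucket_arn not in resources:
            findings.append(f"bucket policy: s3:ListBucket needs resource {bucket_arn}")
        if _covers(actions, "s3:GetObject") and f"{bucket_arn}/*" not in resources:
            findings.append(f"bucket policy: object access needs resource {bucket_arn}/*")
    return findings


def check_kms_key_policy(doc, b_account=B_ACCOUNT):
    """Findings for account A's key policy (step 3): B must be able to use the key."""
    b_root = f"arn:aws:iam::{b_account}:root"
    granted = [a for s in _allow_statements(doc, b_root) for a in _as_list(s["Action"])]
    return [f"key policy: {r} not granted to {b_root}"
            for r in REQUIRED_KMS_ACTIONS if not _covers(granted, r)]


def check_role_inline_policy(doc, bucket=BUCKET, key_arn=KEY_ARN):
    """Findings for CrossAccount_Role's inline policy in account B (step 1)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings, s3_res, kms_res = [], set(), set()
    for s in _allow_statements(doc):
        actions, resources = _as_list(s["Action"]), _as_list(s["Resource"])
        if any(a.lower().startswith("s3:") for a in actions):
            s3_res.update(resources)
        if any(a.lower().startswith("kms:") for a in actions):
            kms_res.update(resources)
        if "*" in resources:  # broad grant: scope to the cluster, service and repos
            findings.append("inline policy: Resource * for " + ", ".join(actions))
    if not {bucket_arn, bucket_arn + "/*"} <= s3_res:
        findings.append(f"inline policy: S3 statement must cover {bucket_arn} and /*")
    if key_arn not in kms_res:
        findings.append(f"inline policy: KMS statement does not reference {key_arn}")
    return findings


# Constructed sample: a bucket policy listing only the object ARN, which leaves
# s3:ListBucket without a matching resource
BUCKET_POLICY_OBJECTS_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": [B_ROOT]},
    "Action": ["s3:Get*", "s3:Put*", "s3:ListBucket"],
    "Resource": [f"arn:aws:s3:::{BUCKET}/*"]}]})

# Constructed sample modelled on the key-use statement the KMS console adds
KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": B_ROOT},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"}]})

if __name__ == "__main__":
    for f in check_bucket_policy(BUCKET_POLICY_OBJECTS_ONLY) + check_kms_key_policy(KEY_POLICY):
        print(f)
```

Run it against the real documents by reading them from files (or from `aws iam get-role-policy`, `aws s3api get-bucket-policy` and `aws kms get-key-policy` output) and passing the JSON text to the three check functions; an empty list means that document is consistent with the values you expect.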
4. Export the CodePipeline definition:
aws codepipeline get-pipeline --name ecs-pipeline >pipeline.json
vim pipeline.json
{
  "name": "Deploy",
  "actions": [
    {
      "name": "Deploy",
      "actionTypeId": {
        "category": "Deploy",
        "owner": "AWS",
        "provider": "ECS",
        "version": "1"
      },
      "runOrder": 3,
      "roleArn": "arn:aws:iam::{{B賬号的數字ID}}:role/CrossAccount_Role",
      "configuration": {
        "ClusterName": "fargate-cluster",
        "DeploymentTimeout": "30",
        "FileName": "imagedefinitions.json",
        "ServiceName": "webservice"
      },
      "outputArtifacts": [],
      "inputArtifacts": [
        {
          "name": "BuildArtifact"
        }
      ],
      "region": "us-east-1",
      "namespace": "DeployVariables"
    }
  ]
}
The main change is the execution role added to the Deploy action:
"roleArn": "arn:aws:iam::{{B賬号的數字ID}}:role/CrossAccount_Role"
5. Update the pipeline
aws codepipeline update-pipeline --cli-input-json file://pipeline.json
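Editing pipeline.json by hand works, but the file that get-pipeline writes is not directly accepted by update-pipeline: it wraps the definition as {"pipeline": ..., "metadata": ...}, and update-pipeline rejects the "metadata" block as an unknown parameter, so it has to be removed along with setting roleArn. The script below is an added example, not code from the original guide: it applies both changes to the exported file and leaves the original untouched. It assumes the file is the raw get-pipeline output and that the Deploy action uses provider "ECS"; the account IDs and the sample pipeline are constructed placeholders.

```python
# Prepare the exported pipeline definition for update-pipeline (steps 4 and 5).
# Added example, not part of the original guide. Assumes pipeline.json is the
# raw output of `aws codepipeline get-pipeline --name ecs-pipeline`.
import json
import sys

# constructed: account B's numeric ID in the cross-account role ARN
CROSS_ACCOUNT_ROLE_ARN = "arn:aws:iam::222222222222:role/CrossAccount_Role"


def patch_pipeline(exported, role_arn, provider="ECS"):
    """Return (document, patched_count) ready for `update-pipeline --cli-input-json`.

    Drops the top-level "metadata" block that get-pipeline adds (update-pipeline
    rejects it as an unknown parameter) and sets roleArn on every Deploy action
    whose provider matches. The input document is not modified.
    """
    doc = json.loads(json.dumps(exported))  # deep copy
    doc.pop("metadata", None)
    patched = 0
    for stage in doc["pipeline"]["stages"]:
        for action in stage["actions"]:
            kind = action["actionTypeId"]
            if kind["category"] == "Deploy" and kind["provider"] == provider:
                action["roleArn"] = role_arn
                patched += 1
    return doc, patched


# Constructed sample shaped like get-pipeline output for the guide's pipeline
SAMPLE_EXPORT = {
    "pipeline": {
        "name": "ecs-pipeline",
        "roleArn": "arn:aws:iam::111111111111:role/service-role/pipeline-role",
        "artifactStore": {"type": "S3", "location": "codepipeline-1234567890"},
        "stages": [
            {"name": "Source", "actions": [{
                "name": "Source",
                "actionTypeId": {"category": "Source", "owner": "AWS",
                                 "provider": "CodeCommit", "version": "1"},
                "configuration": {"RepositoryName": "web", "BranchName": "main"},
                "outputArtifacts": [{"name": "SourceArtifact"}],
                "runOrder": 1}]},
            {"name": "Deploy", "actions": [{
                "name": "Deploy",
                "actionTypeId": {"category": "Deploy", "owner": "AWS",
                                 "provider": "ECS", "version": "1"},
                "configuration": {"ClusterName": "fargate-cluster",
                                  "ServiceName": "webservice",
                                  "FileName": "imagedefinitions.json"},
                "inputArtifacts": [{"name": "SourceArtifact"}],
                "region": "us-east-1", "runOrder": 3}]},
        ],
        "version": 1,
    },
    "metadata": {"pipelineArn": "arn:aws:codepipeline:us-east-1:111111111111:ecs-pipeline"},
}

if __name__ == "__main__":
    # usage: python patch_pipeline.py pipeline.json > pipeline-updated.json
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_EXPORT
    doc, n = patch_pipeline(src, CROSS_ACCOUNT_ROLE_ARN)
    print(json.dumps(doc, indent=2))
    print(f"patched {n} deploy action(s)", file=sys.stderr)
```

Feed the written file to `aws codepipeline update-pipeline --cli-input-json file://pipeline-updated.json`. For the action to run, the pipeline's own service role in account A must also be allowed to call sts:AssumeRole on the CrossAccount_Role ARN; the trust policy from step 1 only says which account may assume the role, not which principals in that account are permitted to.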
The pipeline's cross-account deployment is now set up; click through to test it.
Note: the ECS task execution role must be able to read (decrypt with) the KMS key in addition to its normal execution permissions.