I am trying to set up a CDK Codepipeline for updating the cdk project itself, with the project being under one stack, and having multiple nested stacks in the constructor. The pipeline is in a second stack with the service stack passed in to access the name. I am using CloudFormationCreateUpdateStackAction to update the stack after I have run cdk synth and put the output in an artifact using codebuild.
我正在尝试设置一个CDK代码行来更新CDK项目本身,该项目位于一个堆栈之下,并且在构造函数中有多个嵌套堆栈。管道位于第二个堆栈中,传入服务堆栈以访问该名称。在运行cdk synth并使用codebuild将输出放入构件中之后,我使用CloudFormationCreateUpdateStackAction更新堆栈。
pipeline.addStage({
stageName: 'ServiceUpdate',
actions: [
new CloudFormationCreateUpdateStackAction({
actionName: 'Service_Update',
stackName: props.serviceStack.stackName,
templatePath: cdkPipelineBuildOutput.atPath(
`${props.serviceStack.stackName}.template.json`
),
adminPermissions: true,
}),
],
});
This is able to update the stack if it is empty, or has some resources directly in it, however if there is a nested stack inside the service stack I get
如果堆栈是空的,或者直接在其中有一些资源,这是能够更新堆栈的,但是,如果我得到的服务堆栈中有一个嵌套的堆栈
S3: AccessDenied
for each of the nested stacks inside of the stack.
用于堆栈内部的每个嵌套堆栈。
If I run "cdk deploy ExampleServiceStackName" from my terminal with admin credentials the nested stacks are created/updated correctly, leading me to believe that there is something wrong with the IAM roles of codebuild or codepipeline here. But I don't know where to start as I have set adminPermissions to true in the CloudFormationCreateUpdateStackAction.
如果我使用管理员凭据从我的终端运行“cdk Deploy ExampleServiceStackName”,则嵌套堆栈的创建/更新是正确的,这使我相信这里的代码构建或代码管道的IAM角色有问题。但是我不知道从哪里开始,因为我已经在CloudFormationCreateUpdateStackAction中将adminPermises设置为True。
I also manually set admin permissions by calling addToDeploymentRolePolicy on the CloudFormationCreateUpdateStackAction, and CodePipeline, passing
我还通过在CloudFormationCreateUpdateStackAction和CodePipeline上调用addToDeploymentRolePolicy来手动设置管理员权限,传递
const policy = new PolicyStatement({
resources: ['*'],
actions: ['*'],
effect: Effect.ALLOW,
});
with no change in the access denied error.
而拒绝访问错误没有变化。
I also make sure to specify "cdk synth --all" in my ci script in an attempt to ensure the nested stacks templates will be synthesized.
我还确保在ci脚本中指定“cdk synth--all”,以确保将合成嵌套的堆栈模板。
Other stack overflow questions I have read:
我读过的其他堆栈溢出问题:
S3 error: Access Denied when deploying CFN template with Nested Stacks
S3错误:使用嵌套堆栈部署CFN模板时访问被拒绝
This Q was related to a typo in the manually written cloud formation template. I have looked in the generated templates, and the nested stack name is correctly generated and referenced by cdk. cdk deploy from local terminal also works, further leading me to believe there is no typo problem. I also pass the service stack as a prop and call the stackName property to avoid a typo in accessing the template.
这个问题与手动编写的云形成模板中的一个打字错误有关。我查看了生成的模板,cdk正确地生成并引用了嵌套的堆栈名称。从本地终端部署CDK也有效,进一步让我相信没有打字问题。我还将服务堆栈作为道具传递,并调用stackName属性以避免在访问模板时出现输入错误。
If you spot a way there could be a problem accessing due to a typo, please let me know as that would still be the best-case scenario.
如果您发现由于打字错误导致访问可能出现问题,请让我知道,因为这仍然是最好的情况。
Codepipeline S3 Bucket access denied in Codebuild
CodeBuild中拒绝访问Coadeipeline S3存储桶
This Q says it was solved by giving permissions to the CMK on the S3 bucket. I have used a code pipeline Artifact for source of the "cdk synth -> cloudformation templates". I'm not aware of any KMS CMK being used in this setup. If there is a way I can specify decryption abilities on the artifact maybe that would help.
此Q表示,通过授予S3存储桶上的CMK权限即可解决此问题。我使用了代码管道构件作为“cdk synth->CloudForformationTemplates”的源代码。我不知道在此设置中使用了任何KMS CMK。如果有一种方法可以指定神器的解密能力,也许会有帮助。
If there is a way to get more verbose error messages about the s3: Access Denied status that would also be appreciated. It doesn't even share what s3 bucket is being denied, I'm just having to assume.
如果有办法获得有关S3:拒绝访问状态的更多详细错误消息,也将不胜感激。它甚至没有分享S3存储桶被拒绝的内容,我只是不得不假设。
Thanks for any suggestions.
谢谢你的建议。
更多回答
You can find more details about access denied errors by enabling CloudTrail logs. These will include specific operation that failed, as well as principal and resource involved
您可以通过启用CloudTrail日志找到有关拒绝访问错误的更多详细信息。其中包括失败的特定操作以及涉及的主体和资源
Hey I had this same issue and figured out the issue (if you or anyone is still having it).
嘿,我也有同样的问题,我想出了问题(如果你或任何人仍然有这个问题)。
Basically, when you do a cdk synth
with nested stacks, the parent stack, once its synthesized, will have references to S3 objects (usually within the cdk-assets bucket) that contain the child stacks. The problem however, at least with the pipeline is these assets are never uploaded to S3.
基本上,当您使用嵌套堆栈进行cdk合成时,父堆栈一旦合成,就会有对包含子堆栈的S3对象(通常在cdk-sets存储桶中)的引用。然而,问题是,至少在管道中,这些资产从未上传到S3。
This means when the pipeline runs, it gets an s3:AccessDenied
error because the child stacks the parent stack references do not exist in that cdk-assets bucket.
这意味着当管道运行时,它会收到一个s3:AccessDended错误,因为子堆栈父堆栈引用不存在于该cdk-sets存储桶中。
The way I got around this is to change my approach and instead of using the CloudFormationCreateUpdateStackAction, I instead use a CodeBuild step that executes CLI commands to deploy the cdk.
我解决这个问题的方法是改变我的方法,而不是使用CloudFormationCreateUpdateStackAction,而是使用执行CLI命令来部署CDK的CodeBuild步骤。
更多回答
我是一名优秀的程序员,十分优秀!