
amazon-web-services - CloudFormation CodePipeline template is not authorized to perform AssumeRole, why?

Reposted. Author: 行者123. Updated: 2023-12-03 07:43:16

For several days I have been unable to work out why one AWS role is not authorized to perform AssumeRole on another role. In this case I have a dev account with AWS CodeCommit and a tools account with CodePipeline. I am trying to allow CodePipeline (in tools) to access CodeCommit (in dev), but I keep being told that the role in tools is not authorized to do so.

Here is the CloudFormation template that creates the role in dev:

AWSTemplateFormatVersion: "2010-09-09"
Description: Cross Account Role to Allow Access to CodePipeline in Tools Account
Parameters:
  ToolsAccount:
    Description: AWS AccountNumber for tools account
    Type: Number
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: access-codecommit-in-dev
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Ref ToolsAccount
            Action:
              - sts:AssumeRole
      Path: /

  Policy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Sub ToolsAcctCodePipelineCodeCommitPolicy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - codecommit:BatchGetRepositories
              - codecommit:Get*
              - codecommit:GitPull
              - codecommit:List*
              - codecommit:CancelUploadArchive
              - codecommit:UploadArchive
              - s3:*
            Resource: "*"
      Roles:
        - !Ref Role

Here is the CloudFormation template that creates the CodePipeline:

Description: "Code pipeline to deploy frontend"

Parameters:
  DevAccount:
    Description: AWS AccountNumber for dev
    Type: Number
  TestAccount:
    Description: AWS AccountNumber for test
    Type: Number

Resources:
  BuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: codebuild-role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codebuild.amazonaws.com
            Action:
              - sts:AssumeRole

  BuildProjectPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: codebuild-policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - s3:PutObject
              - s3:GetBucketPolicy
              - s3:GetObject
              - s3:ListBucket
            Resource:
              - "bucketNameHere"
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource: arn:aws:logs:*:*:*
      Roles:
        - !Ref BuildProjectRole

  PipeLineRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: codepipeline-role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codepipeline.amazonaws.com
            Action:
              - sts:AssumeRole

  PipelinePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: codepipeline-policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - codepipeline:*
              - iam:ListRoles
              - cloudformation:Describe*
              - cloudFormation:List*
              - codecommit:List*
              - codecommit:Get*
              - codecommit:GitPull
              - codecommit:UploadArchive
              - codecommit:CancelUploadArchive
              - codebuild:BatchGetBuilds
              - codebuild:StartBuild
              - cloudformation:CreateStack
              - cloudformation:DeleteStack
              - cloudformation:DescribeStacks
              - cloudformation:UpdateStack
              - cloudformation:CreateChangeSet
              - cloudformation:DeleteChangeSet
              - cloudformation:DescribeChangeSet
              - cloudformation:ExecuteChangeSet
              - cloudformation:SetStackPolicy
              - cloudformation:ValidateTemplate
              - iam:PassRole
              - s3:ListAllMyBuckets
              - s3:GetBucketLocation
            Resource:
              - "*"
          - Effect: Allow
            Action:
              - s3:PutObject
              - s3:GetBucketPolicy
              - s3:GetObject
              - s3:ListBucket
            Resource:
              - "bucketName"
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Resource:
              - !Sub arn:aws:iam::${DevAccount}:role/crossaccount-codecommit-access
      Roles:
        - !Ref PipeLineRole

  FrontEndPipeline:
    Type: "AWS::CodePipeline::Pipeline"
    Properties:
      ArtifactStore:
        Type: "S3"
        Location: "bucketName"
      Name: "frontend-deploy"
      RoleArn: !GetAtt PipeLineRole.Arn
      Stages:
        - Name: "Code-Fetch"
          Actions:
            - Name: "stage-source"
              ActionTypeId:
                Category: Source
                Owner: AWS
                Provider: CodeCommit
                Version: 1
              OutputArtifacts:
                - Name: SourceCode
              Configuration:
                PollForSourceChanges: true
                BranchName: develop
                RepositoryName: "nameHere"
              RunOrder: 1
              RoleArn: !Sub arn:aws:iam::${DevAccount}:role/crossaccount-codecommit-access

        - Name: Build
          Actions:
            - Name: "Build-Source"
              ActionTypeId:
                Category: Build
                Owner: AWS
                Version: "1"
                Provider: CodeBuild
              InputArtifacts:
                - Name: SourceCode
              OutputArtifacts:
                - Name: DeployOutput
              Configuration:
                ProjectName: "CodeBuild"
              RunOrder: 1
        - Name: Deploy
          Actions:
            - Name: deploy
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Version: "1"
                Provider: S3
              InputArtifacts:
                - Name: DeployOutput
              Configuration:
                BucketName: "bucketNameHere"
                Extract: true
              #RoleArn: !Sub arn:aws:iam::${TestAccount}:role/cloudformationdeployer-role

  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: "CodeBuild"
      ServiceRole: !GetAtt BuildProjectRole.Arn
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Type: LINUX_CONTAINER
        Image: node:13
      Source:
        Type: CODEPIPELINE

What could produce this error:

arn:aws:iam::{ToolsAccount}:role/projectName-codepipeline-role is not authorized to perform AssumeRole on role arn:aws:iam::{DevAccount}:role/access-codecommit-in-dev (Service: AWSCodePipeline; Status Code: 400; Error Code: InvalidStructureException; Request ID: (ID here))

Best answer

Does the role arn:aws:iam::{ToolsAccount}:role/projectName-codepipeline-role have permission to assume the role in the dev account, like so:

{
  "Sid": "AssumeCrossAccountRole",
  "Effect": "Allow",
  "Action": "sts:AssumeRole",
  "Resource": "ARN of the dev account role"
}

Also try passing the ARN arn:aws:iam::{ToolsAccount}:role/projectName-codepipeline-role in the AWS principal of the role you created in the dev account, instead of the account number.
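The two halves of the handshake the answer is asking about, as an added example that is not part of the original post and not AWS code: a small Python checker that evaluates a caller's identity policy and a target role's trust policy the way CodePipeline does when it validates an action's RoleArn. The account IDs 111111111111 (tools) and 222222222222 (dev), the role ARNs and the policy documents are constructed from the templates in the question, and the evaluator is a deliberate simplification (Allow statements only; no Deny, Condition keys, SCPs or permission boundaries). As posted, the pipeline policy grants sts:AssumeRole on .../crossaccount-codecommit-access while the dev template creates access-codecommit-in-dev (the name that appears in the error message), so the example runs the mismatched pair, the corrected pair, and a trust policy scoped to the pipeline role with no identity-policy grant.

```python
"""Two-sided check for a cross-account sts:AssumeRole, the check CodePipeline
performs when it validates an action's RoleArn.

Added example, not code from the original post or from AWS. Deliberately
simplified IAM evaluation: Allow statements only, wildcards via fnmatch, no
Deny, Condition keys, SCPs or permission boundaries. Account IDs and policy
documents are constructed from the templates in the post."""
from fnmatch import fnmatchcase

TOOLS_ACCOUNT = "111111111111"  # constructed: account that runs CodePipeline
DEV_ACCOUNT = "222222222222"    # constructed: account that holds CodeCommit
PIPELINE_ROLE_ARN = f"arn:aws:iam::{TOOLS_ACCOUNT}:role/codepipeline-role"
DEV_ROLE_ARN = f"arn:aws:iam::{DEV_ACCOUNT}:role/access-codecommit-in-dev"

def _as_list(value):
    # IAM allows most fields to be a scalar or a list; normalise to a list.
    return [] if value is None else value if isinstance(value, list) else [value]

def _account_of(arn):
    # arn:partition:service:region:account-id:resource -> account-id
    return arn.split(":")[4]

def _grants_assume_role(stmt):
    """Allow statement whose Action covers sts:AssumeRole (action names are case-insensitive)."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(fnmatchcase("sts:assumerole", str(a).lower()) for a in _as_list(stmt.get("Action")))

def identity_allows_assume(identity_policy, target_role_arn):
    """Caller side: the caller's own policy must allow sts:AssumeRole on the target ARN."""
    return any(
        _grants_assume_role(stmt)
        and any(fnmatchcase(target_role_arn, str(r)) for r in _as_list(stmt.get("Resource")))
        for stmt in _as_list(identity_policy.get("Statement")))

def trust_names_caller(trust_policy, caller_arn):
    """Target side: 'role' if the trust policy lists the caller's role ARN, 'account' if it
    only trusts the caller's account (a bare 12-digit ID, which is what `!Ref ToolsAccount`
    renders to, or arn:aws:iam::ID:root), None if the caller is not trusted at all."""
    account = _account_of(caller_arn)
    account_forms = {account, f"arn:aws:iam::{account}:root", "*"}
    found = None
    for stmt in _as_list(trust_policy.get("Statement")):
        if not _grants_assume_role(stmt):
            continue
        principal = stmt.get("Principal")
        listed = ["*"] if principal == "*" else _as_list((principal or {}).get("AWS"))
        for p in listed:
            if p == caller_arn:
                return "role"
            if p in account_forms:
                found = "account"
    return found

def assume_role_allowed(caller_arn, identity_policy, target_role_arn, trust_policy):
    """Return (allowed, reasons). Cross-account always needs both halves; only a same-account
    caller that the trust policy names by ARN can do without the identity-policy grant."""
    reasons = []
    trust = trust_names_caller(trust_policy, caller_arn)
    if trust is None:
        reasons.append(f"trust policy of {target_role_arn} names neither {caller_arn} nor its account")
    same_account = _account_of(caller_arn) == _account_of(target_role_arn)
    if not (same_account and trust == "role"):
        if not identity_allows_assume(identity_policy, target_role_arn):
            reasons.append(f"identity policy of {caller_arn} has no Allow for sts:AssumeRole on {target_role_arn}")
    return (not reasons, reasons)

# Trust policy the dev template renders: `!Ref ToolsAccount` becomes a bare account ID.
DEV_TRUST_ACCOUNT_WIDE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [TOOLS_ACCOUNT]}, "Action": ["sts:AssumeRole"]}]}
# Tighter variant the answer suggests: trust the pipeline role itself, not the whole account.
DEV_TRUST_ROLE_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [PIPELINE_ROLE_ARN]}, "Action": ["sts:AssumeRole"]}]}

def pipeline_identity_policy(target_role_name):
    """The sts:AssumeRole statement of the pipeline template, with the role name it points at."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
            "Resource": [f"arn:aws:iam::{DEV_ACCOUNT}:role/{target_role_name}"]}]}

def check_as_posted():
    """Pipeline policy names crossaccount-codecommit-access; the dev role is access-codecommit-in-dev."""
    return assume_role_allowed(PIPELINE_ROLE_ARN, pipeline_identity_policy("crossaccount-codecommit-access"),
                               DEV_ROLE_ARN, DEV_TRUST_ACCOUNT_WIDE)

def check_matching_name():
    """Same policies with the role name corrected: both halves agree."""
    return assume_role_allowed(PIPELINE_ROLE_ARN, pipeline_identity_policy("access-codecommit-in-dev"),
                               DEV_ROLE_ARN, DEV_TRUST_ACCOUNT_WIDE)

def check_trust_only():
    """Trusting the pipeline role by ARN does not replace the identity-policy grant across accounts."""
    return assume_role_allowed(PIPELINE_ROLE_ARN, {"Version": "2012-10-17", "Statement": []},
                               DEV_ROLE_ARN, DEV_TRUST_ROLE_SCOPED)

if __name__ == "__main__":
    for label, fn in (("as posted", check_as_posted), ("matching name", check_matching_name),
                      ("trust only", check_trust_only)):
        ok, why = fn()
        print(f"{label:14s} {'allowed' if ok else 'refused'} {why}")
```

Two things worth checking in the templates beyond the policy text. FrontEndPipeline references PipeLineRole but not PipelinePolicy, so CloudFormation is free to create the pipeline before the inline policy is attached, and CodePipeline's RoleArn validation then fails with exactly this message; a `DependsOn: PipelinePolicy` on the pipeline resource forces the order. Scoping the dev role's trust policy to the pipeline role ARN rather than the whole tools account, as the answer suggests, is the least-privilege form, but as check_trust_only shows it does not remove the need for the sts:AssumeRole grant on the pipeline role. It is also safer to declare the account-ID parameters as String with an AllowedPattern such as ^\d{12}$ rather than Number, so a 12-digit ID that begins with 0 reaches the trust policy verbatim.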

Regarding "amazon-web-services - CloudFormation CodePipeline template is not authorized to perform AssumeRole, why?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/59966311/
