How do you specify a GitHub access token with CodeBuild from CloudFormation
I have been wasting a huge amount of time trying to set up a GitHub webhook using CloudFormation. The documentation for this process is useless, e.g.: https://docs.aws.amazon.com/codebuild/latest/userguide/sample-access-tokens.html
$ aws codebuild import-source-credentials --generate-cli-skeleton
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:
aws help
aws <command> help
aws <command> <subcommand> help
aws: error: argument operation: Invalid choice, valid choices are:
batch-delete-builds | batch-get-builds
batch-get-projects | create-project
create-webhook | delete-project
delete-webhook | invalidate-project-cache
list-builds | list-builds-for-project
list-curated-environment-images | list-projects
start-build | stop-build
update-project | help
My problem is that I cannot find a way to specify a GitHub access token for CodeBuild with CloudFormation. I just want to set up a webhook on a GitHub repository so that a simple test suite runs when a pull request is created, updated, etc. As mentioned, I have found a lot of half-baked documentation such as https://docs.aws.amazon.com/codebuild/latest/userguide/sample-github-pull-request.html outlining how to set up a webhook with GitHub; however, when I try to follow those guides I get an error in CloudFormation about there being no GitHub token. Other documentation says you need to set the access token from the UI or the CLI, but the CLI is clearly broken, and why would I create CodeBuild resources in the management console when I am trying to set this up with CloudFormation? I cannot see anywhere in the sample CloudFormation templates to include the personal access token from GitHub, and the documentation for the Source > Auth element is defined in terms of itself. "The resource value that applies to the specified authorization type" does not tell me what this "resource" is. Is it the GitHub personal access token I have spent the last 8 hours searching the docs for? I have no idea. I did try pasting my personal access token into that field, but I got the same result: "No Access token found, please visit AWS CodeBuild console to connect to GitHub"
Here is my CloudFormation template:
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "AWS CodeBuild Template",
  "Parameters": {
  },
  "Resources": {
    "CodeBuildProject": {
      "Type": "AWS::CodeBuild::Project",
      "Properties": {
        "Name": "TestingCodeBuild",
        "Description": "A description about my project",
        "ServiceRole": { "Fn::GetAtt": [ "CodeBuildServiceRole", "Arn" ] },
        "Artifacts": {
          "Type": "no_artifacts"
        },
        "Environment": {
          "Type": "LINUX_CONTAINER",
          "ComputeType": "BUILD_GENERAL1_SMALL",
          "Image": "ubuntu:bionic",
          "EnvironmentVariables": [
            {
              "Name": "varName",
              "Value": "varValue"
            }
          ]
        },
        "Source": {
          "Auth" : {
            "Resource": "WTF IS THIS VALUE, Docs say a resource is a resource for use with the type.",
            "Type" : "OAUTH"
          },
          "BuildSpec" : "buildspec.yml",
          "GitCloneDepth" : 1,
          "ReportBuildStatus" : true,
          "Location" : "https://github.com/user/repo.git",
          "Type" : "GITHUB"
        },
        "Triggers": {
          "FilterGroups": [
            [
              {
                "Pattern" : "PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED, PULL_REQUEST_REOPENED",
                "Type" : "EVENT"
              }
            ]
          ],
          "Webhook" : true
        },
        "TimeoutInMinutes": 10,
        "Tags": [
          {
            "Key": "Key1",
            "Value": "Value1"
          },
          {
            "Key": "Key2",
            "Value": "Value2"
          }
        ]
      }
    },
    "CodeBuildServiceRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "codebuild.amazonaws.com"
                ]
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "CodeBuildAccessPolicies",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "codecommit:CancelUploadArchive",
                    "codecommit:GetBranch",
                    "codecommit:GetCommit",
                    "codecommit:GetUploadArchiveStatus",
                    "codecommit:UploadArchive"
                  ],
                  "Resource": "*"
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "codedeploy:CreateDeployment",
                    "codedeploy:GetApplicationRevision",
                    "codedeploy:GetDeployment",
                    "codedeploy:GetDeploymentConfig",
                    "codedeploy:RegisterApplicationRevision"
                  ],
                  "Resource": "*"
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "codebuild:BatchGetBuilds",
                    "codebuild:StartBuild"
                  ],
                  "Resource": "*"
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "devicefarm:ListProjects",
                    "devicefarm:ListDevicePools",
                    "devicefarm:GetRun",
                    "devicefarm:GetUpload",
                    "devicefarm:CreateUpload",
                    "devicefarm:ScheduleRun"
                  ],
                  "Resource": "*"
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "iam:PassRole"
                  ],
                  "Resource": "*"
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "elasticbeanstalk:*",
                    "ec2:*",
                    "elasticloadbalancing:*",
                    "autoscaling:*",
                    "cloudwatch:*",
                    "s3:*",
                    "sns:*",
                    "cloudformation:*",
                    "rds:*",
                    "sqs:*",
                    "ecs:*"
                  ],
                  "Resource": "*"
                }
              ]
            }
          }
        ]
      }
    }
  }
}
Update
So I managed to get it to connect to GitHub by manually creating an unrelated CodeDeploy project called "TempProj" and connecting it to GitHub. Now, when you create the stack in CloudFormation, it can connect to GitHub automatically. You can even delete that instance and it keeps working.
You can use AWS Secrets Manager to store your GitHub OAuth token securely, and then use a dynamic reference in your CloudFormation template to resolve the stored value.
When you create a secret with Secrets Manager, a secret consists of 3 parts:
- the secret name (the label for this secret, e.g. GitHubToken)
- the secret key, e.g. OAuthToken
- the secret value (the actual content you want to store)
The example above would be referenced in your CloudFormation template as:
'{{resolve:secretsmanager:GitHubToken:SecretString:OAuthToken}}'
A more complete snippet from a CloudFormation template for CodePipeline, which triggers the pipeline to run after every git push to the specified branch of your repository, looks like this:
...
MyPipeline:
  Type: AWS::CodePipeline::Pipeline
  Properties:
    Stages:
      -
        Name: GetSource
        Actions:
          -
            Name: GetMyGithubRepoSourceOnPush
            ActionTypeId:
              Category: Source
              Owner: ThirdParty
              Version: 1
              Provider: GitHub
            OutputArtifacts:
              - Name: NameOfArtifactForNextStages
            Configuration:
              Owner: MyGithubUsername
              Repo: MyGithubRepoName
              Branch: MyRepoBranchName
              OAuthToken: '{{resolve:secretsmanager:NameOfSecret:SecretString:KeyOfSecret}}'
Hope this helps.
AWS::CodeBuild::SourceCredential is a new AWS resource, which appeared in CloudFormation Resource Specification v5.1.0, that lets you connect CodeBuild with GitHub using a GitHub personal access token (if you do not know how to create one, check out this quick guide).
Quick example:
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # This resource connects CodeBuild with GitHub using a personal access token.
  CodeBuildSourceCredential:
    Type: AWS::CodeBuild::SourceCredential
    Properties:
      AuthType: PERSONAL_ACCESS_TOKEN
      ServerType: GITHUB
      Token: "<YOUR-PERSONAL-GITHUB-ACCESS-TOKEN>"
  # CodeBuild project bound to the credential above.
  CodeBuild:
    Type: AWS::CodeBuild::Project
    Properties:
      Source:
        Auth:
          Resource: !Ref CodeBuildSourceCredential
          Type: OAUTH
Tip: store the personal access token in AWS Secrets Manager and fetch it Using Dynamic References to Specify Template Values.
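The shape the two answers above converge on (token kept in Secrets Manager and resolved by a dynamic reference, project bound to the AWS::CodeBuild::SourceCredential by Ref) is easy to get subtly wrong: a token pasted straight into the template, or a webhook project with no Source.Auth that only works because someone connected GitHub in the console, as the question's update describes. The following Python script is an added example, not code from this page or from AWS; it lints a CloudFormation JSON template for exactly those two mistakes. The two sample templates, their logical IDs (GitHubCredential, Project) and the placeholder token value are constructed for this example; the dynamic reference format is the one shown in the answers.

```python
"""Lint how a CloudFormation template hands a GitHub token to CodeBuild.

Added example (not code from this page or from AWS). It checks the two things
the answers above rely on: every AWS::CodeBuild::SourceCredential gets its Token
as a Secrets Manager dynamic reference rather than a literal personal access
token, and every GITHUB-sourced AWS::CodeBuild::Project wires Source.Auth to
that credential with Ref. Both sample templates are constructed for the example.
"""
import json
import re

# Shapes CloudFormation resolves at deploy time, so no secret is written into the template.
DYNAMIC_SECRET_REF = re.compile(r"^\{\{resolve:(secretsmanager|ssm-secure):[^{}]+\}\}$")

# Constructed sample 1: a personal access token pasted straight into the template
# (placeholder value, not a real token) and a webhook project with no Source.Auth.
TEMPLATE_PLAINTEXT_TOKEN = json.loads("""{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "GitHubCredential": {
      "Type": "AWS::CodeBuild::SourceCredential",
      "Properties": {"AuthType": "PERSONAL_ACCESS_TOKEN", "ServerType": "GITHUB",
                     "Token": "ghp_REPLACE_ME_EXAMPLE_ONLY"}
    },
    "Project": {
      "Type": "AWS::CodeBuild::Project",
      "Properties": {
        "Source": {"Type": "GITHUB", "Location": "https://github.com/user/repo.git"},
        "Triggers": {"Webhook": true}
      }
    }
  }
}""")

# Constructed sample 2: the shape the second answer recommends, with the token
# resolved from Secrets Manager and the project bound to the credential by Ref.
TEMPLATE_DYNAMIC_REF = json.loads("""{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "GitHubCredential": {
      "Type": "AWS::CodeBuild::SourceCredential",
      "Properties": {"AuthType": "PERSONAL_ACCESS_TOKEN", "ServerType": "GITHUB",
                     "Token": "{{resolve:secretsmanager:GitHubToken:SecretString:OAuthToken}}"}
    },
    "Project": {
      "Type": "AWS::CodeBuild::Project",
      "Properties": {
        "Source": {"Type": "GITHUB", "Location": "https://github.com/user/repo.git",
                   "Auth": {"Type": "OAUTH", "Resource": {"Ref": "GitHubCredential"}}},
        "Triggers": {"Webhook": true, "FilterGroups": [[
          {"Type": "EVENT", "Pattern": "PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED, PULL_REQUEST_REOPENED"}]]}
      }
    }
  }
}""")


def audit(template):
    """Return a list of findings (strings); an empty list means the template passes."""
    resources = template.get("Resources", {})
    credentials = sorted(name for name, res in resources.items()
                         if res.get("Type") == "AWS::CodeBuild::SourceCredential")
    findings = []

    # Check 1: the credential's Token must be resolved at deploy time, never a literal.
    for name in credentials:
        token = resources[name].get("Properties", {}).get("Token")
        if not (isinstance(token, str) and DYNAMIC_SECRET_REF.match(token)):
            findings.append(f"{name}: Token is not a Secrets Manager dynamic reference, "
                            "so the literal token is stored in the template and the stack")

    # Check 2: every GitHub-sourced project must be bound to a credential in this template.
    for name, res in sorted(resources.items()):
        if res.get("Type") != "AWS::CodeBuild::Project":
            continue
        props = res.get("Properties", {})
        source = props.get("Source", {})
        if source.get("Type") != "GITHUB":
            continue
        auth = source.get("Auth")
        if auth is None:
            if props.get("Triggers", {}).get("Webhook"):
                findings.append(f"{name}: Triggers.Webhook is true but Source has no Auth, "
                                "so the stack silently depends on a credential registered outside it")
            continue
        if auth.get("Type") != "OAUTH":
            findings.append(f"{name}: Source.Auth.Type should be OAUTH, the type both answers use")
        target = auth.get("Resource")
        ref = target.get("Ref") if isinstance(target, dict) else None
        if ref not in credentials:
            findings.append(f"{name}: Source.Auth.Resource should be a Ref to an "
                            "AWS::CodeBuild::SourceCredential declared in this template")
    return findings


if __name__ == "__main__":
    for label, template in (("plaintext token", TEMPLATE_PLAINTEXT_TOKEN),
                            ("dynamic reference", TEMPLATE_DYNAMIC_REF)):
        print(f"{label}: {audit(template) or ['ok']}")
```

Run it as a script to print the findings for both constructed templates, or import audit() and pass it json.load() of a real template. It only understands JSON templates; YAML with short-form tags such as !Ref needs a CloudFormation-aware loader first. The checker flags any Token shape other than a dynamic reference, including a NoEcho parameter, because the value would then have to be supplied by whoever deploys the stack rather than fetched by CloudFormation itself.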