CodePipeline ECS Blue/Green 跨账户部署失败并出现 PermissionError
CodePipeline ECS Blue/Green Deployment cross account fails with PermissionError
我正在尝试使用 ECS blue/green 部署设置 CodePipeline,其中部署在不同的 AWS 账户中。
我一直在使用 ECS Blue/Green 和 CodePipeline 跨账户部署的两个指南。 CodePipeline 连同其 KMS 密钥、S3 工件存储桶和 ECR 存储库位于账户 A 中。 ECS 集群位于具有 CodeDeploy 设置的帐户 B 中。
ECR、KMS 密钥和 S3 存储桶具有跨帐户权限(这些在错误时会给出不同的错误)。集群启动运行,CodeDeploy 在账户 B 内调用时正常工作。
已为 CodePipeline 创建账户 B 中的角色,并已授予账户 A 承担该角色的权限。此角色当前具有 AWSCodeDeployRoleForECS 策略(我打算在它起作用后减少它)
CodePipeline 失败并显示无用消息
"code": "PermissionError",
"message": "The provided role does not have sufficient permissions to access CodeDeploy"
}```
The codepipeline role does have permission to access codedeploy as it's in the canned AWS policy. I can only assume there's some missing permission but I cannot find out what from this message.
我通过CloudTrail 追踪找到了答案。 CodePipeline 部署角色缺少两个我找不到记录的权限,它们是 ECS 容器角色的 ecs:RegisterTaskDefinition 和 iam:PassRole。 CodeDeploy 在部署期间承担了一个不同的角色,它也需要这些权限,但看起来 CodePipeline 需要它们来启动部署。
我正在处理的文档有一个 CodeDeploy 示例 cross-account,但这是针对 EC2 而不是 ECS 的 CodeDeploy。
我对 CodePipeline 在账户 B 中承担的角色的最终权限如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"codedeploy:CreateDeployment",
"codedeploy:GetDeployment",
"codedeploy:GetDeploymentConfig",
"codedeploy:GetApplicationRevision",
"codedeploy:RegisterApplicationRevision",
"codedeploy:GetApplication",
"ecs:RegisterTaskDefinition"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"s3:GetObject*",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::deployment_intermediate_bucket/*",
"Effect": "Allow"
},
{
"Action": [ "s3:ListBucket"],
"Resource": "arn:aws:s3:::deployment_intermediate_bucket",
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey*",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:Decrypt"
],
"Resource": [
"deployment_kms_key_arn"
]
},
{
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": "ecs_container_role_arn"
}
]
}
我将把它减少到最低要求。
可能在这里有所帮助,因为有相同的 issue/error:
使用 Cloud-formation,我在帐户 a 中有一个管道,在帐户 b (TestingAccount) 中有一个 ecs bluegreen 操作:
- Name: !Sub BlueGreenDeploy
Actions:
- Name: BlueGreenDeploy
InputArtifacts:
# - Name: PrepareCodeDeployOutput
- Name: !Ref SourceArtifactName
Region: !Ref DeployRegion1
ActionTypeId:
Category: Deploy
Owner: AWS
Version: '1'
Provider: CodeDeployToECS
RoleArn: !Sub arn:aws:iam::${TestingAccountId}:role/######/CrossAccountsDeploymentRole
Configuration:
AppSpecTemplateArtifact: !Ref SourceArtifactName
AppSpecTemplatePath: appspec.json
ApplicationName: ronantest1
DeploymentGroupName: ronantest1
TaskDefinitionTemplateArtifact: !Ref SourceArtifactName
TaskDefinitionTemplatePath: taskdef.json
Image1ArtifactName: !Ref SourceArtifactName
Image1ContainerName: "IMAGE1_NAME"
RunOrder: 4
在我尝试部署的任务定义中,列出了以下角色:
"taskRoleArn"
"executionRoleArn"
管道在目标帐户中承担的角色,即:
arn:aws:iam::${TestingAccountId}:role/######/CrossAccountsDeploymentRole
它需要能够传递任务定义中列出的这两个角色。
希望有道理并有所帮助。 AWS 并没有通过他们的文档使这些东西变得简单。
我正在尝试使用 ECS blue/green 部署设置 CodePipeline,其中部署在不同的 AWS 账户中。
我一直在使用 ECS Blue/Green 和 CodePipeline 跨账户部署的两个指南。 CodePipeline 连同其 KMS 密钥、S3 工件存储桶和 ECR 存储库位于账户 A 中。 ECS 集群位于具有 CodeDeploy 设置的帐户 B 中。
ECR、KMS 密钥和 S3 存储桶具有跨帐户权限(这些在错误时会给出不同的错误)。集群启动运行,CodeDeploy 在账户 B 内调用时正常工作。
已为 CodePipeline 创建账户 B 中的角色,并已授予账户 A 承担该角色的权限。此角色当前具有 AWSCodeDeployRoleForECS 策略(我打算在它起作用后减少它)
CodePipeline 失败并显示无用消息
"code": "PermissionError",
"message": "The provided role does not have sufficient permissions to access CodeDeploy"
}```
The codepipeline role does have permission to access codedeploy as it's in the canned AWS policy. I can only assume there's some missing permission but I cannot find out what from this message.
我通过CloudTrail 追踪找到了答案。 CodePipeline 部署角色缺少两个我找不到记录的权限,它们是 ECS 容器角色的 ecs:RegisterTaskDefinition 和 iam:PassRole。 CodeDeploy 在部署期间承担了一个不同的角色,它也需要这些权限,但看起来 CodePipeline 需要它们来启动部署。
我正在处理的文档有一个 CodeDeploy 示例 cross-account,但这是针对 EC2 而不是 ECS 的 CodeDeploy。
我对 CodePipeline 在账户 B 中承担的角色的最终权限如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"codedeploy:CreateDeployment",
"codedeploy:GetDeployment",
"codedeploy:GetDeploymentConfig",
"codedeploy:GetApplicationRevision",
"codedeploy:RegisterApplicationRevision",
"codedeploy:GetApplication",
"ecs:RegisterTaskDefinition"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"s3:GetObject*",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::deployment_intermediate_bucket/*",
"Effect": "Allow"
},
{
"Action": [ "s3:ListBucket"],
"Resource": "arn:aws:s3:::deployment_intermediate_bucket",
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey*",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:Decrypt"
],
"Resource": [
"deployment_kms_key_arn"
]
},
{
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": "ecs_container_role_arn"
}
]
}
我将把它减少到最低要求。
可能在这里有所帮助,因为有相同的 issue/error:
使用 Cloud-formation,我在帐户 a 中有一个管道,在帐户 b (TestingAccount) 中有一个 ecs bluegreen 操作:
- Name: !Sub BlueGreenDeploy
Actions:
- Name: BlueGreenDeploy
InputArtifacts:
# - Name: PrepareCodeDeployOutput
- Name: !Ref SourceArtifactName
Region: !Ref DeployRegion1
ActionTypeId:
Category: Deploy
Owner: AWS
Version: '1'
Provider: CodeDeployToECS
RoleArn: !Sub arn:aws:iam::${TestingAccountId}:role/######/CrossAccountsDeploymentRole
Configuration:
AppSpecTemplateArtifact: !Ref SourceArtifactName
AppSpecTemplatePath: appspec.json
ApplicationName: ronantest1
DeploymentGroupName: ronantest1
TaskDefinitionTemplateArtifact: !Ref SourceArtifactName
TaskDefinitionTemplatePath: taskdef.json
Image1ArtifactName: !Ref SourceArtifactName
Image1ContainerName: "IMAGE1_NAME"
RunOrder: 4
在我尝试部署的任务定义中,列出了以下角色:
"taskRoleArn"
"executionRoleArn"
管道在目标帐户中承担的角色,即:
arn:aws:iam::${TestingAccountId}:role/######/CrossAccountsDeploymentRole
它需要能够传递任务定义中列出的这两个角色。
希望有道理并有所帮助。 AWS 并没有通过他们的文档使这些东西变得简单。