aws pipeline role is not authorized to perform AssumeRole on cross account role

I am trying to create a CodePipeline resource using a CloudFormation stack template. The pipeline is used for a Lambda deployment into a cross account.

I am getting the following error while creating the CodePipeline through the CloudFormation stack:

arn:aws:iam::{AccountA}:role/testclient-testapp-codepipeline-role is not authorized to perform AssumeRole on role arn:aws:iam::{AccountB}:role/testclient-testapp-cross-account-role (Service: AWSCodePipeline; Status Code: 400; Error Code: InvalidStructureException)

I have attached the roles, policies and resources used in the CloudFormation template.

I am not sure where I went wrong. Could someone please point it out?

Account A

```yaml
  CodePipelineRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${ClientName}-${ProjectName}-codepipeline-role"
      Path: /
      AssumeRolePolicyDocument:
        Statement:
        - Effect: Allow
          Principal:
            Service: [codepipeline.amazonaws.com]
          Action: sts:AssumeRole

  CodePipelinePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CodePipelinePolicy
      PolicyDocument:
        Statement:
        - Action: ["s3:*"]
          Resource: "*"
          Effect: Allow
        - Action: ["codecommit:CancelUploadArchive", "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:GetUploadArchiveStatus", "codecommit:UploadArchive"]
          Resource: !Sub "arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:${ClientName}-${ProjectName}*"
          Effect: Allow
        - Action: ["codebuild:StartBuild", "codebuild:BatchGetBuilds"]
          Resource: !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ClientName}-${ProjectName}*"
          Effect: Allow
        - Action: ["cloudformation:DescribeStacks", "cloudformation:DescribeChangeSet", "cloudformation:CreateChangeSet", "cloudformation:ExecuteChangeSet", "cloudformation:DeleteChangeSet"]
          Resource: !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${ClientName}-${ProjectName}-${FunctionName}*/*"
          Effect: Allow
        - Action: ["iam:PassRole", "iam:ListRoles"]
          Resource: "*"
          Effect: Allow
        # The pipeline role may only assume roles in the Dev account whose name
        # starts with "${ClientName}-${ProjectName}-".
        - Action: ["sts:AssumeRole"]
          Resource:
            - !Sub "arn:aws:iam::${DevAccountId}:role/${ClientName}-${ProjectName}-*"
          Effect: Allow
        - Action: ["kms:Decrypt", "kms:Encrypt"]
          Resource: !GetAtt KMSKey.Arn
          Effect: Allow
      Roles: [!Ref CodePipelineRole]

  KMSKey:
    Type: AWS::KMS::Key
    Properties:
      # Description is a property of AWS::KMS::Key, not a resource-level attribute.
      Description: Used by Assumed Roles in Dev/Stage/Prod accounts to Encrypt/Decrypt code
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Id: !Ref AWS::StackName
        Statement:
          - Sid: Allows admin of the key
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: ["kms:*"]
            Resource: "*"
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS:
                - !Sub "arn:aws:iam::${DevAccountId}:root"
                - !GetAtt CodePipelineRole.Arn
                - !GetAtt CodeBuildRole.Arn
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"

  KMSAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub alias/${ClientName}-${ProjectName}-codepipeline-crossaccounts
      TargetKeyId: !Ref KMSKey

  CodePipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      Name: !Sub "${ClientName}-${ProjectName}-${FunctionName}-pipeline"
      RoleArn: !GetAtt CodePipelineRole.Arn
      RestartExecutionOnUpdate: true
      Stages:
      - Name: Source
        Actions:
        - Name: get-source-code
          InputArtifacts: []
          OutputArtifacts:
          - Name: !Sub "${ClientName}-${ProjectName}-${FunctionName}-SourceArtifact"
          ActionTypeId:
            Category: Source
            Owner: AWS
            Provider: CodeCommit
            Version: "1"
          Configuration:
            RepositoryName: !Ref CodeCommitRepoName
            BranchName: !Ref CodeCommitRepoBranch
          RunOrder: 1
      - Name: Build
        Actions:
        - Name: build-from-source
          InputArtifacts:
          - Name: !Sub "${ClientName}-${ProjectName}-${FunctionName}-SourceArtifact"
          OutputArtifacts:
          - Name: !Sub "${ClientName}-${ProjectName}-${FunctionName}-BuildArtifact"
          ActionTypeId:
            Category: Build
            Owner: AWS
            Version: "1"
            Provider: CodeBuild
          Configuration:
            ProjectName: !Ref CodeBuild
          RunOrder: 1
      - Name: Dev-Deploy
        Actions:
        - Name: create-changeset
          InputArtifacts:
          - Name: !Sub "${ClientName}-${ProjectName}-${FunctionName}-BuildArtifact"
          OutputArtifacts: []
          ActionTypeId:
            Category: Deploy
            Owner: AWS
            Version: "1"
            Provider: CloudFormation
          Configuration:
            StackName: !Sub "${ClientName}-${ProjectName}-${FunctionName}-dev"
            ActionMode: CHANGE_SET_REPLACE
            ChangeSetName: app-changeset-dev
            Capabilities: CAPABILITY_NAMED_IAM
            # TemplatePath is "<InputArtifactName>::<path>", so the artifact name
            # must match the InputArtifacts entry above.
            TemplatePath: !Sub "${ClientName}-${ProjectName}-${FunctionName}-BuildArtifact::${SAMOutputFile}"
            RoleArn: !Sub "arn:aws:iam::${DevAccountId}:role/${ClientName}-${ProjectName}-cloudformation-role"
          # Role in the Dev account that the pipeline assumes to run this action.
          RoleArn: !Sub "arn:aws:iam::${DevAccountId}:role/${ClientName}-${ProjectName}-cross-account-role"
          RunOrder: 1
        - Name: execute-changeset
          InputArtifacts: []
          OutputArtifacts: []
          ActionTypeId:
            Category: Deploy
            Owner: AWS
            Version: "1"
            Provider: CloudFormation
          Configuration:
            StackName: !Sub "${ClientName}-${ProjectName}-${FunctionName}-dev"
            ActionMode: CHANGE_SET_EXECUTE
            ChangeSetName: app-changeset-dev
            RoleArn: !Sub "arn:aws:iam::${DevAccountId}:role/${ClientName}-${ProjectName}-cloudformation-role"
          RoleArn: !Sub "arn:aws:iam::${DevAccountId}:role/${ClientName}-${ProjectName}-cross-account-role"
          RunOrder: 2
      ArtifactStore:
        Type: S3
        Location: !Ref S3ArtifactBucket
        EncryptionKey:
          Id: !Ref KMSKey
          Type: KMS
```

Account B

```yaml
  CrossAccountRole:
    Type: AWS::IAM::Role
    Properties:
      # Note the role name: it has no ${ClientName} prefix.
      RoleName: !Sub "${ProjectName}-cross-account-role"
      Path: /
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              # Trusts any principal in the CI account (Account A).
              AWS: !Sub "arn:aws:iam::${CIAccountId}:root"
            Action: sts:AssumeRole

  CrossAccountPolicy:
    Type: AWS::IAM::Policy
    DependsOn: CrossAccountRole
    Properties:
      PolicyName: CrossAccountPolicy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - cloudformation:*
              - codebuild:*
              - s3:*
              - iam:PassRole
            Resource: "*"
          - Effect: Allow
            Action: ["kms:Decrypt", "kms:Encrypt"]
            Resource: !Ref KMSKey
      Roles: [!Ref CrossAccountRole]
```

I made a mistake in the role name. In Account A I referred to it as

${ClientName}-${ProjectName}-codepipeline-crossaccounts

while in Account B it was named

${ProjectName}-codepipeline-crossaccounts
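For a CodePipeline action to assume a role in another account, three things must agree: the role name the action's `RoleArn` points at, the `sts:AssumeRole` Resource in the pipeline role's policy, and the trust policy of the target role. The following Python check is an added example, not part of the question or the answer: it resolves the `!Sub` strings from the two templates above with constructed parameter values (the account ids and `PARAMS_A`/`PARAMS_B` are assumptions) and reports which of the three disagree, reproducing the name mismatch described in the answer.

```python
import re
from fnmatch import fnmatchcase

SUB_RE = re.compile(r"\$\{([A-Za-z0-9:]+)\}")

def resolve_sub(template: str, params: dict) -> str:
    """Resolve a CloudFormation !Sub string; an unknown ${Name} raises KeyError."""
    return SUB_RE.sub(lambda m: params[m.group(1)], template)

def check_cross_account_wiring(action_role_arn, assume_role_resource, params_a,
                               b_role_name, b_trust_principal, params_b) -> list:
    """Return findings; an empty list means pipeline action, pipeline policy
    and the target role agree on role name, account and trust."""
    findings = []
    wanted = resolve_sub(action_role_arn, params_a)        # role the action assumes
    defined = resolve_sub(b_role_name, params_b)           # role Account B creates
    if wanted.split(":role/", 1)[1] != defined:
        findings.append(f"name mismatch: action expects '{wanted.split(':role/')[1]}', "
                        f"Account B creates '{defined}'")
    allowed = resolve_sub(assume_role_resource, params_a)  # sts:AssumeRole Resource
    if not fnmatchcase(wanted, allowed):
        findings.append(f"pipeline role cannot assume '{wanted}' (allowed: '{allowed}')")
    trusted = resolve_sub(b_trust_principal, params_b)     # Account B trust principal
    if trusted.split(":")[4] != params_a["AWS::AccountId"]:
        findings.append(f"trust policy names account {trusted.split(':')[4]}, "
                        f"pipeline runs in {params_a['AWS::AccountId']}")
    return findings

# Constructed parameter values; the account ids are placeholders, not real accounts.
PARAMS_A = {"AWS::AccountId": "111111111111", "DevAccountId": "222222222222",
            "ClientName": "testclient", "ProjectName": "testapp"}
PARAMS_B = {"AWS::AccountId": "222222222222", "CIAccountId": "111111111111",
            "ClientName": "testclient", "ProjectName": "testapp"}

# !Sub strings as they appear in the question's two templates.
ACTION_ROLE_ARN = "arn:aws:iam::${DevAccountId}:role/${ClientName}-${ProjectName}-cross-account-role"
ASSUME_ROLE_RESOURCE = "arn:aws:iam::${DevAccountId}:role/${ClientName}-${ProjectName}-*"
TRUST_PRINCIPAL_B = "arn:aws:iam::${CIAccountId}:root"
ROLE_NAME_B_AS_POSTED = "${ProjectName}-cross-account-role"
ROLE_NAME_B_FIXED = "${ClientName}-${ProjectName}-cross-account-role"

def findings_as_posted() -> list:
    return check_cross_account_wiring(ACTION_ROLE_ARN, ASSUME_ROLE_RESOURCE, PARAMS_A,
                                      ROLE_NAME_B_AS_POSTED, TRUST_PRINCIPAL_B, PARAMS_B)

def findings_fixed() -> list:
    return check_cross_account_wiring(ACTION_ROLE_ARN, ASSUME_ROLE_RESOURCE, PARAMS_A,
                                      ROLE_NAME_B_FIXED, TRUST_PRINCIPAL_B, PARAMS_B)
```

Running the check against the templates as posted yields a single finding, the role name mismatch; with `${ClientName}` added to the Account B role name it yields none.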