Cross-account CodePipeline
I am trying to create a pipeline in one AWS account (AccountB) while my CodeCommit repository is in another AWS account (AccountA). I followed these links exactly:
https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html
https://cloudfornoobs.com/aws-codepipeline-with-cross-account-codecommit-repo/
However, after running the pipeline, my build always fails. My pipeline.json is as follows:
PS: I only want to use CodeCommit and CodeBuild; I am not using CodeDeploy.

```json
{
  "pipeline": {
    "name": "newpipeline",
    "roleArn": "arn:aws:iam::AccountB:role/AccountBRole",
    "artifactStore": {
      "type": "S3",
      "location": "BucketForArtifactsFromAccountB",
      "encryptionKey": {
        "id": "AccountB_KMS",
        "type": "KMS"
      }
    },
    "stages": [
      {
        "name": "Source",
        "actions": [
          {
            "name": "Source1",
            "actionTypeId": {
              "category": "Source",
              "owner": "AWS",
              "provider": "CodeCommit",
              "version": "1"
            },
            "runOrder": 1,
            "configuration": {
              "BranchName": "dev",
              "PollForSourceChanges": "false",
              "RepositoryName": "backend"
            },
            "outputArtifacts": [
              {
                "name": "Source1"
              }
            ],
            "inputArtifacts": [],
            "roleArn": "arn:aws:iam::AccountA:role/AccountARole"
          }
        ]
      },
      {
        "name": "Build",
        "actions": [
          {
            "name": "Build",
            "actionTypeId": {
              "category": "Build",
              "owner": "AWS",
              "provider": "CodeBuild",
              "version": "1"
            },
            "runOrder": 1,
            "configuration": {
              "EnvironmentVariables": "[{\"name\":\"STAGE_NAME\",\"value\":\"dev\",\"type\":\"PLAINTEXT\"}]",
              "PrimarySource": "Source1",
              "ProjectName": "backend"
            },
            "outputArtifacts": [
              {
                "name": "BuildArtifact"
              }
            ],
            "roleArn": "arn:aws:iam::AccountA:role/AccountARole"
          }
        ]
      }
    ],
    "version": 19
  }
}
```
When CodeCommit is in a different account, the default CloudWatch Event that triggers the pipeline will not work across accounts. The glue is provided by CloudWatch's Event bus feature, which can send messages from Account A to Account B.

Steps

In Account A, create a CloudWatch Events rule that forwards events to Account B's default bus (where the pipeline lives).
CloudWatch > Rules > Create new > Service name: CodeCommit, Event type: CodeCommit Repository State Change
The event pattern looks like this (the resource is Account A's CodeCommit repo ARN):

```json
{
  "source": [
    "aws.codecommit"
  ],
  "detail-type": [
    "CodeCommit Repository State Change"
  ],
  "resources": [
    "arn:aws:codecommit:us-east-1:AccountAid:RepoName"
  ]
}
```

Select a target pointing to "Event bus in another AWS account".
Targets > Select target > Event bus in another AWS account > Enter account ID (the pipeline account's ID, Account B)
Select/create a new role that has permission to send events to another account. I attached the CloudWatchEventsFullAccess role to it.

In Account B (where the CodePipeline lives)

Allow the default event bus to receive events from Account A.
CloudWatch > Event Buses > Permissions > Add permission > AWS account > Enter Account A's ID
Once the event is received, create a new rule that will trigger the pipeline.
CloudWatch > Rules > Create new > Service name: CodeCommit, Event type: CodeCommit Repository State Change; enter Account A's CodePipeline ARN.
The event pattern is the same as before (the resource is Account A's CodeCommit repo ARN):

```json
{
  "source": [
    "aws.codecommit"
  ],
  "detail-type": [
    "CodeCommit Repository State Change"
  ],
  "resources": [
    "arn:aws:codecommit:us-east-1:AccountAid:RepoName"
  ]
}
```

Create a target using the pipeline ARN. You can use an existing role or a new one; this role only needs access to trigger the pipeline.
That completes the CloudWatch Events setup. Test a commit and verify that the pipeline is triggered.
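Added example, not from the original post or from AWS: a small re-implementation of EventBridge's exact-match pattern semantics, used to check which constructed CodeCommit events the rule pattern from the answer above would forward from Account A to Account B, plus a tighter variant that assumes the pipeline tracks branch "dev" as in the question's pipeline.json. "AccountAid" and "RepoName" are the page's placeholders; the sample events are constructed, not captured.

```python
# Pattern from the answer above: forward every state change on Account A's repo.
# "AccountAid" and "RepoName" are the page's placeholders.
RULE_PATTERN = {
    "source": ["aws.codecommit"],
    "detail-type": ["CodeCommit Repository State Change"],
    "resources": ["arn:aws:codecommit:us-east-1:AccountAid:RepoName"],
}

# Tighter variant (assumption: the pipeline tracks branch "dev", as pipeline.json
# does), so pushes to other branches never reach Account B's event bus.
BRANCH_PATTERN = dict(RULE_PATTERN)
BRANCH_PATTERN["detail"] = {"referenceType": ["branch"], "referenceName": ["dev"]}


def matches(pattern: dict, event: dict) -> bool:
    """Exact-match subset of EventBridge pattern semantics (no prefix/anything-but).

    Every pattern key must exist in the event. A list in the pattern is the set of
    allowed values; the event's scalar value, or any element of a list-valued
    field such as "resources", must be in that set. Nested dicts recurse.
    """
    for key, allowed in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(allowed, dict):
            if not isinstance(actual, dict) or not matches(allowed, actual):
                return False
            continue
        candidates = actual if isinstance(actual, list) else [actual]
        if not any(value in allowed for value in candidates):
            return False
    return True


def codecommit_push_event(repo_arn: str, branch: str) -> dict:
    """Constructed 'CodeCommit Repository State Change' event for a branch push."""
    return {
        "source": "aws.codecommit",
        "detail-type": "CodeCommit Repository State Change",
        "account": "AccountAid",
        "resources": [repo_arn],
        "detail": {"event": "referenceUpdated", "referenceType": "branch",
                   "referenceName": branch},
    }
```

The broad pattern forwards pushes to any branch of the repository, so the pipeline in Account B would start on commits it never builds; the branch-restricted pattern only forwards pushes to the tracked branch.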