跨账户访问 CodeArtifact 存储库
Cross account access to a CodeArtifact repo
我在帐户 A 中有一个具有管理员权限的 IAM 用户,并且 arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess 附加了一个很好的措施。
来自账户 A 的 iam 用户的 arn 为 arn:aws:iam::***:user/test-user。
账户 B 有一个 CodeArtifact 存储库,其 arn 为 arn:aws:codeartifact:***:***:domain/test-repo。此 repo 的资源策略为
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::***:user/test-user"
},
"Action": "codeartifact:*",
"Resource": "*"
}
]
}
当 运行 AWS CLI 命令时,我正在使用账户 A 中 IAM 用户的访问密钥。以下命令有效:
$ aws codeartifact get-repository-endpoint --domain test-repo --domain-owner *** --query repositoryEndpoint --output text --repository test --format pypi
结果
https://test-repo-***.d.codeartifact.***.amazonaws.com/pypi/test/
这表明我的资源策略正在运行(将 Effect 翻转为 Deny 成功会使上述命令失败)。
但是,下面的命令
$ aws codeartifact get-authorization-token --domain test-repo --domain-owner *** --query authorizationToken --output text
失败
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam:::user/test-user is not authorized to perform: codeartifact:GetAuthorizationToken on resource: arn:aws:codeartifact::***:domain/test-repo
我相信我已经遵循了此处的文档:
- https://docs.aws.amazon.com/codeartifact/latest/ug/repo-policies.html#granting-read-access-to-specific-principals
- https://docs.aws.amazon.com/codeartifact/latest/ug/auth-and-access-control-iam-identity-based-access-control.html
我想通过指定的委托人来完成这项工作,并且不想担任任何角色,因为这会使我的 CI/CD 管道变得复杂
根据 documentation,您还需要在访问策略中添加 "sts:GetServiceBearerToken" 访问权限。
The codeartifact:GetAuthorizationToken and sts:GetServiceBearerToken permissions are required to call the GetAuthorizationToken API.
其次,在您的用户权限中,在您的访问策略中明确提及 codeartifact 资源,就像您在资源策略中提到 IAM 用户一样。
例如
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"codeartifact:*"
],
"Effect": "Allow",
"Resource": "<insert cross account resource's ARN>"
},
{
"Effect": "Allow",
"Action": "sts:GetServiceBearerToken",
"Resource": "<insert cross account resource's ARN>",
"Condition": {
"StringEquals": {
"sts:AWSServiceName": "codeartifact.amazonaws.com"
}
}
}
]
}
几天来我一直遇到同样的问题,最后发现需要对存储库和 codeartifact 域都应用一个策略。
此示例使用基于组织的策略,但任何主体都应该有效,唯一重要的部分是 sts:GetServiceBearerToken
的许可
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ContributorPolicy",
"Effect": "Allow",
"Principal": "*",
"Action": [
"codeartifact:*",
"sts:GetServiceBearerToken"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-xxxxxxxxxx"
}
}
}
}
}
我们必须做几件事:
- 具有 CodeArtifact 的 AWS 帐户:(域级别)> Edit/Create 政策
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<OTHER_AWS_ACCCOUNT_ID>:root"
},
"Action": "codeartifact:GetAuthorizationToken",
"Resource": "*"
}
]
}
- 具有 CodeArtifact 的 AWS 帐户:(存储库级别)> Edit/Create 政策
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<OTHER_AWS_ACCCOUNT_ID>:root"
},
"Action": [
"codeartifact:GetRepositoryEndpoint",
"codeartifact:ReadFromRepository"
],
"Resource": "arn:aws:codeartifact:*:<CURRENT_AWS_ACCCOUNT_ID>:repository/<REPOSITORY_NAME>/*"
}
]
}
- 带有 Amplify 应用程序的 AWS 账户:(与上述 1 和 2 不同的账户)常规 > 服务角色 > Edit/Create 服务角色
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"codeartifact:GetAuthorizationToken",
"codeartifact:GetRepositoryEndpoint",
"codeartifact:ReadFromRepository",
"sts:GetServiceBearerToken"
],
"Resource": "*"
}
]
}
这解决了我们的 cross-account NPM 包 运行 angular app.
我在帐户 A 中有一个具有管理员权限的 IAM 用户,并且 arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess 附加了一个很好的措施。
来自账户 A 的 iam 用户的 arn 为 arn:aws:iam::***:user/test-user。
账户 B 有一个 CodeArtifact 存储库,其 arn 为 arn:aws:codeartifact:***:***:domain/test-repo。此 repo 的资源策略为
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::***:user/test-user"
},
"Action": "codeartifact:*",
"Resource": "*"
}
]
}
当 运行 AWS CLI 命令时,我正在使用账户 A 中 IAM 用户的访问密钥。以下命令有效:
$ aws codeartifact get-repository-endpoint --domain test-repo --domain-owner *** --query repositoryEndpoint --output text --repository test --format pypi
结果
https://test-repo-***.d.codeartifact.***.amazonaws.com/pypi/test/
这表明我的资源策略正在运行(将 Effect 翻转为 Deny 成功会使上述命令失败)。
但是,下面的命令
$ aws codeartifact get-authorization-token --domain test-repo --domain-owner *** --query authorizationToken --output text
失败
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam:::user/test-user is not authorized to perform: codeartifact:GetAuthorizationToken on resource: arn:aws:codeartifact::***:domain/test-repo
我相信我已经遵循了此处的文档:
- https://docs.aws.amazon.com/codeartifact/latest/ug/repo-policies.html#granting-read-access-to-specific-principals
- https://docs.aws.amazon.com/codeartifact/latest/ug/auth-and-access-control-iam-identity-based-access-control.html
我想通过指定的委托人来完成这项工作,并且不想担任任何角色,因为这会使我的 CI/CD 管道变得复杂
根据 documentation,您还需要在访问策略中添加 "sts:GetServiceBearerToken" 访问权限。
The codeartifact:GetAuthorizationToken and sts:GetServiceBearerToken permissions are required to call the GetAuthorizationToken API.
其次,在您的用户权限中,在您的访问策略中明确提及 codeartifact 资源,就像您在资源策略中提到 IAM 用户一样。
例如
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"codeartifact:*"
],
"Effect": "Allow",
"Resource": "<insert cross account resource's ARN>"
},
{
"Effect": "Allow",
"Action": "sts:GetServiceBearerToken",
"Resource": "<insert cross account resource's ARN>",
"Condition": {
"StringEquals": {
"sts:AWSServiceName": "codeartifact.amazonaws.com"
}
}
}
]
}
几天来我一直遇到同样的问题,最后发现需要对存储库和 codeartifact 域都应用一个策略。
此示例使用基于组织的策略,但任何主体都应该有效,唯一重要的部分是 sts:GetServiceBearerToken
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ContributorPolicy",
"Effect": "Allow",
"Principal": "*",
"Action": [
"codeartifact:*",
"sts:GetServiceBearerToken"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-xxxxxxxxxx"
}
}
}
}
}
我们必须做几件事:
- 具有 CodeArtifact 的 AWS 帐户:(域级别)> Edit/Create 政策
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<OTHER_AWS_ACCCOUNT_ID>:root"
},
"Action": "codeartifact:GetAuthorizationToken",
"Resource": "*"
}
]
}
- 具有 CodeArtifact 的 AWS 帐户:(存储库级别)> Edit/Create 政策
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<OTHER_AWS_ACCCOUNT_ID>:root"
},
"Action": [
"codeartifact:GetRepositoryEndpoint",
"codeartifact:ReadFromRepository"
],
"Resource": "arn:aws:codeartifact:*:<CURRENT_AWS_ACCCOUNT_ID>:repository/<REPOSITORY_NAME>/*"
}
]
}
- 带有 Amplify 应用程序的 AWS 账户:(与上述 1 和 2 不同的账户)常规 > 服务角色 > Edit/Create 服务角色
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"codeartifact:GetAuthorizationToken",
"codeartifact:GetRepositoryEndpoint",
"codeartifact:ReadFromRepository",
"sts:GetServiceBearerToken"
],
"Resource": "*"
}
]
}
这解决了我们的 cross-account NPM 包 运行 angular app.