如何解决无法在代码管道操作AWS CDK上由代码管道承担角色
我一直在使用AWS CDK,并正在AWS educate account
上构建代码管道堆栈。我正在使用的用户具有足够的权限来访问和使用代码管道。我的问题是,AWS CDK为code pipeline action
是根帐户的Principle
的{{1}}生成角色。因此它无权执行在root帐户上承担的角色。
操作代码:
ARN
Cloudformation模板输出:
{
stageName: "Build",actions: [
new codepipelineActions.CodeBuildAction(
{
actionName: "Build",input: sourceOutput,project: builder
}
)
]
}
这将引发错误:
"devPipelineBuildCodePipelineActionRole8696D056": {
"Type": "AWS::IAM::Role","Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole","Effect": "Allow","Principal": {
"AWS": {
"Fn::Join": [
"",[
"arn:",{
"Ref": "AWS::Partition"
},":iam::",{
"Ref": "AWS::AccountId"
},":root"
]
]
}
}
}
],"Version": "2012-10-17"
}
},"Metadata": {
"aws:cdk:path": "PipeLineStack/dev-Pipeline/Build/Build/CodePipelineActionRole/Resource"
}
}
...
{
"Actions": [
{
"ActionTypeId": {
"Category": "Build","Owner": "AWS","Provider": "CodeBuild","Version": "1"
},"Configuration": {
"ProjectName": {
"Ref": "BuildAndTestB9A2F419"
}
},"InputArtifacts": [
{
"Name": "SourceOutput"
}
],"Name": "Build","RoleArn": {
"Fn::GetAtt": [
"devPipelineBuildCodePipelineActionRole8696D056","Arn"
]
},"RunOrder": 1
}
],"Name": "Build"
}
如果我从arn:aws:iam::acount_id:role/PipeLineStack-devPipelineRole5B29FEBC-1JK24J0K5N1UG is not authorized to perform AssumeRole on role arn:aws:iam::acount_id:
role/PipeLineStack-devPipelineBuildCodePipelineActionRo-17ETJU1KZCCNQ (Service: AWSCodePipeline; Status Code: 400; Error Code: InvalidStructureException; Req
uest ID: c8c8af89-2409-4cc1-aad8-4de553a1764f; Proxy: null)
中删除了RoleArn
并执行了它可以工作的模板。
我的问题是,如何防止CDK阻止使用root帐户或变通方法在Principle中添加默认角色?
解决方法
当前似乎不允许操作在AWS Educate中扮演任何角色。因此,要解决此问题并消除人工开销,请使用CDK L1 Constructs修改生成的云形成。
可以像这样创建管道:
// Custom role to pass in to pipeline
const pipeLineRole = new iam.Role(this,"CodePipeLineRole",{
assumedBy: new iam.ServicePrincipal("codepipeline.amazonaws.com"),});
pipeLineRole.addToPolicy(
// Required policy for each aciton to run
)
const pipeline = new codepipeline.Pipeline(this,"Pipeline",{
role: pipeLineRole,stages: [
// ...
{
actions: [action1,action2],},// ...
],});
// Altering cloudformation to remove role arn from actions
const pipelineCfn = pipeline.node.defaultChild as cdk.CfnResource;
// addDeletionOverride removes the property from the cloudformation itself
// Delete action arn for every stage and action created
pipelineCfn.addDeletionOverride("Properties.Stages.1.Actions.0.RoleArn");
pipelineCfn.addDeletionOverride("Properties.Stages.2.Actions.0.RoleArn");
pipelineCfn.addDeletionOverride("Properties.Stages.3.Actions.0.RoleArn");
这是一种解决方法,它可以工作,但是仍然存在创建的有害策略和角色,这些策略和角色尚未分配给针对单个操作创建的任何服务。
,管道配置中的以下代码:
"RoleArn": {
"Fn::GetAtt": [
"devPipelineBuildCodePipelineActionRole8696D056","Arn"
]
},
...表示当CodePipeline服务将调用“ Build”操作时,它将“承担”角色“ devPipelineBuildCodePipelineActionRole8696D056”,但是此角色与“ codepipeline.amazonaws.com”服务没有信任策略,因此会出现错误。
当您有跨帐户操作(CodeBuild项目位于另一个帐户中)时,该操作下的'RoleArn'属性很有用,因此除非是这种情况,否则最好删除此属性。
我们将需要查看cdk代码来回答您的问题:
如何防止CDK阻止使用root帐户或替代方法在Principle中添加默认角色?
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。