我有两个 AWS 账户:
DEV: 111111111111
PROD: 999999999999
我在 prod 帐户中创建了一个代码提交仓库,名为prodRepo
.
我想要做的是允许DEV
和PROD
帐户上的 ec2 实例对此存储库具有只读访问权限。所以git clone
, git pull
, 等等...
PROD
我可以使用以下 IAM 实例配置文件在我的帐户上轻松完成此操作codecommit-tester
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codecommit:BatchGetRepositories",
"codecommit:Get*",
"codecommit:GitPull",
"codecommit:List*"
],
"Resource": "arn:aws:codecommit:us-east-1:999999999999:prodRepo"
}
]
}
信任关系政策是:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
}
然后,我使用 git config 中的 aws 凭证助手来执行只读 git 操作,而不必在我的机器上存储凭证(它从实例元数据中获取代码提交的凭证)。
$ cat ~/.gitconfig
[credential]
helper = !aws codecommit credential-helper $@
UseHttpPath = true
我遇到的问题是在帐户上创建 IAM 策略/角色DEV
以执行与帐户相同的操作PROD
。这是我尝试过的。
我在帐户上编辑了信任关系PROD
以信任 DEV 帐户:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:root"
},
"Action": "sts:AssumeRole"
}
}
现在我认为这意味着该DEV
帐户可以承担这个角色。在DEV
帐户上,我创建了附加到角色的这些 IAM 策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codecommit:BatchGetRepositories",
"codecommit:Get*",
"codecommit:GitPull",
"codecommit:List*"
],
"Resource": "arn:aws:codecommit:us-east-1:999999999999:prodRepo"
}
]
}
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::999999999999:role/codecommit-tester"
}
}
在使用此 IAM 实例配置文件启动 ec2 实例后,我在 DEV 帐户上使用凭证助手,并且在执行以下操作时出现此错误git clone
:
$ git clone https://git-codecommit.us-east-1.amazonaws.com/v1/repos/prodRepo
Cloning into 'prodRepo'...
fatal: unable to access 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/prodRepo/': The requested URL returned error: 403
那么,我在 IAM 角色/政策中遗漏了什么DEV
以使这项工作发挥作用?