0

我正在尝试使用 ECS 蓝/绿部署设置 CodePipeline,其中部署位于不同的 AWS 账户中。

我一直在使用 ECS Blue/Green 和 CodePipeline 跨账户部署的两个指南。CodePipeline 与其 KMS 密钥、S3 工件存储桶和 ECR 存储库一起存在于账户 A 中。ECS 集群位于具有 CodeDeploy 设置的账户 B 中。

ECR、KMS 密钥和 S3 存储桶具有跨账户权限(错误时会出现不同的错误)。集群启动并运行,CodeDeploy 在账户 B 内调用时正常工作。

已在账户 B 中创建了一个角色供 CodePipeline 代入,并且它已授予账户 A 代入该角色的权限。此角色当前具有 AWSCodeDeployRoleForECS 策略(我打算在它起作用后减少它)

CodePipeline 失败并显示无用的消息

   "code": "PermissionError",
   "message": "The provided role does not have sufficient permissions to access CodeDeploy"
}```

The codepipeline role does have permission to access codedeploy as it's in the canned AWS policy. I can only assume there's some missing permission but I cannot find out what from this message.
4

2 回答 2

4

通过 CloudTrail 追踪后,我找到了答案。CodePipeline 部署角色缺少两个权限,我找不到文档记录,它们是ecs:RegisterTaskDefinitionECS iam:PassRoleContainer 角色。CodeDeploy 在部署期间承担了同样需要这些权限的不同角色,但看起来 CodePipeline 需要它们来启动部署。

我正在编写的文档中有一个 CodeDeploy 跨账户示例,但这是 CodeDeploy 到 EC2 而不是 ECS。

我对 CodePipeline 在帐户 B 中担任的角色的最终权限如下所示:

{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Action": [
            "codedeploy:CreateDeployment",
            "codedeploy:GetDeployment",
            "codedeploy:GetDeploymentConfig",
            "codedeploy:GetApplicationRevision",
            "codedeploy:RegisterApplicationRevision",
            "codedeploy:GetApplication",
            "ecs:RegisterTaskDefinition"
        ],
        "Resource": "*",
        "Effect": "Allow"
    },
    {
        "Action": [
            "s3:GetObject*",
            "s3:PutObject",
            "s3:PutObjectAcl"
        ],
        "Resource": "arn:aws:s3:::deployment_intermediate_bucket/*",
        "Effect": "Allow"
    },
    {
        "Action": [ "s3:ListBucket"],
        "Resource": "arn:aws:s3:::deployment_intermediate_bucket",
        "Effect": "Allow"
    },
    {
        "Effect": "Allow",
        "Action": [
            "kms:DescribeKey",
            "kms:GenerateDataKey*",
            "kms:Encrypt",
            "kms:ReEncrypt*",
            "kms:Decrypt"
        ],
        "Resource": [
            "deployment_kms_key_arn"
        ]
    },
    {
        "Action": [
            "iam:PassRole"
        ],
        "Effect": "Allow",
        "Resource": "ecs_container_role_arn"
    }
  ]
}

我将把它减少到所需的最低限度。

于 2019-06-26T23:14:47.017 回答
0

为了在这里提供帮助,遇到同样的问题/错误:

使用 Cloud-formation,我在账户 a 中有一个管道,在账户 b (TestingAccount) 中有一个 ecs bluegreen 操作:

        - Name: !Sub BlueGreenDeploy
          Actions:
            - Name: BlueGreenDeploy
              InputArtifacts:
              # - Name: PrepareCodeDeployOutput
              - Name: !Ref SourceArtifactName
              Region: !Ref DeployRegion1
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Version: '1'
                Provider: CodeDeployToECS
              RoleArn: !Sub arn:aws:iam::${TestingAccountId}:role/######/CrossAccountsDeploymentRole
              Configuration:

                AppSpecTemplateArtifact: !Ref SourceArtifactName
                AppSpecTemplatePath: appspec.json

                ApplicationName: ronantest1
                DeploymentGroupName: ronantest1
                
                TaskDefinitionTemplateArtifact: !Ref SourceArtifactName
                TaskDefinitionTemplatePath: taskdef.json

                Image1ArtifactName: !Ref SourceArtifactName
                Image1ContainerName: "IMAGE1_NAME"
              RunOrder: 4

在我尝试部署的任务定义中,我列出了以下角色:

    "taskRoleArn"
    "executionRoleArn"

管道在目标账户中承担的角色,即:

   arn:aws:iam::${TestingAccountId}:role/######/CrossAccountsDeploymentRole

它需要能够传递任务定义中列出的这两个角色。

希望这有意义并有所帮助。AWS 并没有从他们的文档中简化这些事情。

于 2021-03-16T21:52:23.083 回答