0

我正在尝试在另一个 AWS 账户(AccountB)中创建一个管道,我的 codecommit 存储库位于另一个 AWS 账户(AccountA)中。我从这些链接中做了完全相同的方式:

https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html https://cloudfornoobs.com/aws-codepipeline-with-cross-account-codecommit-repo/

但是,在执行管道后,我的构建总是失败。我的 pipeline.json 如下:

PS:我只想使用 codecommit 和 codebuild 我没有使用 CodeDeploy

 > {
    >     "pipeline": {
    >         "name": "newpipeline",
    >         "roleArn": "arn:aws:iam::AccountB:role/AccountBRole",
    >         "artifactStore": {
    >             "type": "S3",
    >             "location": "BucketForArtifactsFromAccountB",
    >             "encryptionKey": {
    >                 "id": "AccountB_KMS"
    >                 "type": "KMS"
    >             }
    >         },
    >         "stages": [
    >             {
    >                 "name": "Source",
    >                 "actions": [
    >                     {
    >                         "name": "Source1",
    >                         "actionTypeId": {
    >                             "category": "Source",
    >                             "owner": "AWS",
    >                             "provider": "CodeCommit",
    >                             "version": "1"
    >                         },
    >                         "runOrder": 1,
    >                         "configuration": {
    >                             "BranchName": "dev",
    >                             "PollForSourceChanges": "false",
    >                             "RepositoryName": "backend"
    >                         },
    >                         "outputArtifacts": [
    >                             {
    >                                 "name": "Source1"
    >                             }
    >                         ],
    >                         "inputArtifacts": [],
    >                         "roleArn": "arn:aws:iam::AccountA:role/AccountARole"
    >                     }
    >                 ]
    >             },
    >             {
    >                 "name": "Build",
    >                 "actions": [
    >                     {
    >                         "name": "Build",
    >                         "actionTypeId": {
    >                             "category": "Build",
    >                             "owner": "AWS",
    >                             "provider": "CodeBuild",
    >                             "version": "1"
    >                         },
    >                         "runOrder": 1,
    >                         "configuration": {
    >                             "EnvironmentVariables": "[{\"name\":\"STAGE_NAME\",\"value\":\"dev\",\"type\":\"PLAINTEXT\"}]",
    >                             "PrimarySource": "Source1",
    >                             "ProjectName": "backend"
    >                         },
    >                     

         "outputArtifacts": [
            {
              "name": "BuildArtifact"
            } 
          ],
            "runOrder": 1,
            "roleArn": "arn:aws:iam::AccountA:role/AccountARole"
          } 
        ] 
      } 
    ],
        "artifactStore": {
          "type": "S3",
          "location": "BucketForArtifactsFromAccountB",
          "encryptionKey": {
            "id": "AccountB_KMS",
            "type": "KMS"
          }
        },
        "version": 19
      }
    }
4

1 回答 1

0

在不同账户中使用 CodeCommit 时,触发管道启动的默认 CloudWatch 事件将由于跨账户而不起作用。这种粘合剂由 CloudWatch 的事件总线功能提供,可以将消息从账户 A 发送到 B。

脚步

在账户 A 中创建 Cloudwatch 事件规则,将事件转发到账户 B 的默认总线(存在管道)

Cloudwatch > 规则 > 新建 > 服务名称 - Codecommit 和事件类型是 Codecommit 存储库状态更改

事件模式如下所示:

{
  "source": [
    "aws.codecommit"
  ],
  "detail-type": [
    "CodeCommit Repository State Change"
  ],
  "resources": [
    "arn:aws:codecommit:us-east-1:AccountAid:RepoName"         #Account A's codecommit repo ARN
  ]
}

选择目标以指向“另一个帐户的默认事件总线”。

目标>选择目标>另一个帐户中的事件总线>输入帐户ID>(管道帐户的ID,帐户B)

选择/创建一个有权将事件发送到另一个帐户的新角色。我已将 CloudwatchEventsFull Access 角色附加到它。

在账户 B 中(存在 Codepipeline 的地方)

允许默认事件总线从账户 A 接收事件

Cloudwatch > 事件总线 > 权限 > 添加权限 > AWS 账户 > 输入账户 A ID

一旦收到事件,创建将触发管道的新规则

Cloudwatch > rules > create new > Service name - Codecommit 和 Event type 是 Codecommit Repository State Change,输入账户 A 的 codepipeline 的 ARN。

事件模式将与以前相同,

{
  "source": [
    "aws.codecommit"
  ],
  "detail-type": [
    "CodeCommit Repository State Change"
  ],
  "resources": [
    "arn:aws:codecommit:us-east-1:AccountAid:RepoName"      #Account A's codecommit repo ARN
  ]

使用管道 ARN 创建目标。您可以使用现有角色或新角色,该角色只需要访问即可触发管道。

至此,我们已经完成了 Cloudwatch Events 的创建。测试提交并验证管道是否已触发。

于 2020-11-05T11:32:24.183 回答