Codepipeline 跨账号访问 Codecommit

{"value":"\n\n#### **背景**\n\n\n大型企业中代码仓库通常存放在各部门开发账户中，而流水线则位于独立 DevOps 账户中。\n\n本文我们将介绍如何创建跨账号访问 Codecommit 代码仓库的 Codepipeline 流水线，即 CodePipeline 调用另一个账号中的 Codecommit 代码仓库。\n\n\n#### **部署架构图**\n\n\n![image.png](https://dev-media.amazoncloud.cn/97503556d2e242e794224e9231c4a702_image.png)\n\n权限配置\n\n1. CodePipeline 执行 role – CodePipelineServiceRole，关键 IAM Policy：允许 CodePipeline assume account B 中的角色 “AssumeAdminRole”。\n2. AssumeAdminRole – CodePipeline-SourceStage 实际执行 role，添加 policy 以具有以下权限\n - 允许被 Account A 中 CodePipeline Assume\n - 允许访问本账户中的 CodeCommit\n - 允许访问 Account A 中的 S3桶（存放 sourceArtifact）\n - 允许访问 Account A 中的 KMS\n3. 配置 KMS Policy，允许 CodePipelineServiceRole 和 AssumeAdminRole 访问 kms 中相应的key\n4. 配置 S3 Bucket Policy，允许 AssumeAdminRole 访问 S3中相应的bucket\n5. CodeBuild 执行 role，可配置为自动生成，不是本文重点\n\n流水线执行过程\n\n1. 触发流水线\n2. SourceStage 中首先 assume AssumeAdminRole，获得访问 CodeCommit 权限\n3. 从 AccountB CodeCommit 代码仓库拉取代码\n4. 将放 sourceArtifact 存入 S3桶\n5. S3服务端加密\n6. 执行 Build Stage: CodeBuild\n\n\n#### **账号准备**\n\n\n选择您所在的 region，本文以北京 Region 为例。\n\n准备两个 Amazon 主账号：\n\n- 代码仓库账号 B：提供 Codecommit 服务，源代码放在这里。\n- pipeline 账号 A：提供 Codepipeline 服务，以及相关联的codebuild、kms 密钥和 s3桶\n\n\n##### **代码仓库账号 B**\n\n\n##### **一、创建跨账号 IAM Role**\n\n\n该 Role 命名为 assume-admin-role，使用权限如下：\n\n```\\n{\\n \\"Version\\": \\"2012-10-17\\",\\n \\"Statement\\": [\\n {\\n \\"Sid\\": \\"VisualEditor0\\",\\n \\"Effect\\": \\"Allow\\",\\n \\"Action\\": [\\n \\"s3:PutObject\\",\\n \\"kms:Decrypt\\",\\n \\"kms:Encrypt\\",\\n \\"kms:DescribeKey\\",\\n \\"s3:GetObject*\\",\\n \\"s3:PutObjectAcl\\",\\n \\"kms:ReEncrypt*\\",\\n \\"kms:GenerateDataKey*\\"\\n ],\\n \\"Resource\\": [\\n \\" arn:aws-cn:kms:cn-north-1:<Account_A_ID>:key/XXX-XXX-XXX-XXX \\",\\n \\"arn:aws-cn:s3:::codecommit-sdv-cross-account/*\\"\\n ]\\n },\\n {\\n \\"Sid\\": \\"VisualEditor1\\",\\n \\"Effect\\": \\"Allow\\",\\n \\"Action\\": [\\n \\"codecommit:List*\\"\\n ],\\n \\"Resource\\": \\"arn:aws-cn:s3:::codecommit-sdv-cross-account/*\\"\\n }\\n ]\\n}\\n```\n\n该 Role 的信任关系如下：\n\n```\\n{\\n \\"Version\\": \\"2012-10-17\\",\\n \\"Statement\\": [\\n {\\n \\"Effect\\": \\"Allow\\",\\n \\"Principal\\": {\\n \\"AWS\\": [\\n \\"arn:aws-cn:iam::<Account_A_ID>:root\\"\\n ]\\n },\\n \\"Action\\": \\"sts:AssumeRole\\"\\n }\\n ]\\n}\\n```\n\n\n##### **二、创建 CodeCommit Repository**\n\n\n该 Repo 命名为：cros-account-b-repo，并在该 Repo 中创建文件 demo.txt。\n\n![image.png](https://dev-media.amazoncloud.cn/29e636f61b324daea08f5c82c6e7ab89_image.png)\n\n\n#### **流水线账号 A**\n\n\n##### **三、创建 Codepipeline IAM Role**\n\n\n创建 IAM Role，名为：AWSCodePipelineServiceRole-cn-north-1-sdv-pipeline-cros，为 Codepipeline 的创建做准备。\n\n该 role 关联 Codepipeline 默认 Role 的权限策略，具体如下：\n\n```\\n{\\n \\"Statement\\": [\\n {\\n \\"Effect\\": \\"Allow\\",\\n \\"Action\\": [\\n \\"iam:PassRole\\"\\n ],\\n \\"Resource\\": \\"*\\",\\n \\"Condition\\": {\\n \\"StringEqualsIfExists\\": {\\n \\"iam:PassedToService\\": [\\n \\"cloudformation.amazonaws.com\\",\\n \\"elasticbeanstalk.amazonaws.com\\",\\n \\"ec2.amazonaws.com\\",\\n \\"ecs-tasks.amazonaws.com\\"\\n ]\\n }\\n }\\n },\\n {\\n \\"Effect\\": \\"Allow\\",\\n \\"Action\\": [\\n \\"codecommit:CancelUploadArchive\\",\\n \\"codecommit:GetBranch\\",\\n \\"codecommit:GetCommit\\",\\n \\"codecommit:GetRepository\\",\\n \\"codecommit:GetUploadArchiveStatus\\",\\n \\"codecommit:UploadArchive\\"\\n ],\\n \\"Resource\\": \\"*\\"\\n },\\n {\\n \\"Effect\\": \\"Allow\\",\\n \\"Action\\": [\\n \\"codedeploy:CreateDeployment\\",\\n \\"codedeploy:GetApplication\\",\\n \\"codedeploy:GetApplicationRevision\\",\\n \\"codedeploy:GetDeployment\\",\\n \\"codedeploy:GetDeploymentConfig\\",\\n \\"codedeploy:RegisterApplicationRevision\\"\\n ],\\n \\"Resource\\": \\"*\\"\\n },\\n {\\n \\"Effect\\": \\"Allow\\",\\n \\"Action\\": [\\n \\"elasticbeanstalk:*\\",\\n \\"ec2:*\\",\\n \\"elasticloadbalancing:*\\",\\n \\"autoscaling:*\\",\\n \\"cloudwatch:*\\",\\n \\"s3:*\\",\\n \\"sns:*\\",\\n \\"cloudformation:*\\",\\n \\"rds:*\\",\\n \\"sqs:*\\",\\n \\"ecs:*\\"\\n ],\\n \\"Resource\\": \\"*\\"\\n },\\n {\\n \\"Effect\\": \\"Allow\\",\\n \\"Action\\": [\\n \\"lambda:InvokeFunction\\",\\n \\"lambda:ListFunctions\\"\\n ],\\n \\"Resource\\": \\"*\\"\\n },\\n {\\n \\"Effect\\": \\"Allow\\",\\n \\"Action\\": [\\n \\"cloudformation:CreateStack\\",\\n \\"cloudformation:DeleteStack\\",\\n \\"cloudformation:DescribeStacks\\",\\n \\"cloudformation:UpdateStack\\",\\n \\"cloudformation:CreateChangeSet\\",\\n \\"cloudformation:DeleteChangeSet\\",\\n \\"cloudformation:DescribeChangeSet\\",\\n \\"cloudformation:ExecuteChangeSet\\",\\n \\"cloudformation:SetStackPolicy\\",\\n \\"cloudformation:ValidateTemplate\\"\\n ],\\n \\"Resource\\": \\"*\\"\\n },\\n {\\n \\"Effect\\": \\"Allow\\",\\n \\"Action\\": [\\n \\"codebuild:BatchGetBuilds\\",\\n \\"codebuild:StartBuild\\",\\n \\"codebuild:BatchGetBuildBatches\\",\\n \\"codebuild:StartBuildBatch\\"\\n ],\\n \\"Resource\\": \\"*\\"\\n },\\n {\\n \\"Effect\\": \\"Allow\\",\\n \\"Action\\": [\\n \\"servicecatalog:ListProvisioningArtifacts\\",\\n \\"servicecatalog:CreateProvisioningArtifact\\",\\n \\"servicecatalog:DescribeProvisioningArtifact\\",\\n \\"servicecatalog:DeleteProvisioningArtifact\\",\\n \\"servicecatalog:UpdateProduct\\"\\n ],\\n \\"Resource\\": \\"*\\"\\n },\\n {\\n \\"Effect\\": \\"Allow\\",\\n \\"Action\\": [\\n \\"cloudformation:ValidateTemplate\\"\\n ],\\n \\"Resource\\": \\"*\\"\\n },\\n {\\n \\"Effect\\": \\"Allow\\",\\n \\"Action\\": [\\n \\"ecr:DescribeImages\\"\\n ],\\n \\"Resource\\": \\"*\\"\\n },\\n {\\n \\"Effect\\": \\"Allow\\",\\n \\"Action\\": [\\n \\"states:DescribeExecution\\",\\n \\"states:DescribeStateMachine\\",\\n \\"states:StartExecution\\"\\n ],\\n \\"Resource\\": \\"*\\"\\n },\\n {\\n \\"Effect\\": \\"Allow\\",\\n \\"Action\\": [\\n \\"appconfig:StartDeployment\\",\\n \\"appconfig:StopDeployment\\",\\n \\"appconfig:GetDeployment\\"\\n ],\\n \\"Resource\\": \\"*\\"\\n }\\n ],\\n \\"Version\\": \\"2012-10-17\\"\\n}\\n```\n\n除了默认权限策略，为了提供跨账号调用，该 Role 还需要加入如下权限策略：\n\n```\\n{\\n \\"Version\\": \\"2012-10-17\\",\\n \\"Statement\\": {\\n \\"Effect\\": \\"Allow\\",\\n \\"Action\\": \\"sts:AssumeRole\\",\\n \\"Resource\\": [\\n \\"arn:aws-cn:iam::<Account_B_ID>:role/*\\"\\n ]\\n }\\n}\\n```\n\n\n##### **四、创建 KMS 秘钥**\n\n\n创建名为：account_a_cros_kms 的 KMS 秘钥。\n\n![image.png](https://dev-media.amazoncloud.cn/cbe271c6de434ae8a3ca04cce90e7d6c_image.png)\n\n![image.png](https://dev-media.amazoncloud.cn/9b7e3a89cc764a799e2a1f941734cc45_image.png)\n\n![image.png](https://dev-media.amazoncloud.cn/63ab2e9705034ae4b8c89e67257d7a1f_image.png)\n\n![image.png](https://dev-media.amazoncloud.cn/d2ac686eef1d48839d84fdbe98b7bb17_image.png)\n\n在定义秘钥使用权限时，需要加入 Codepipeline 所关联的 Role（上一步创建名为：AWSCodePipelineServiceRole-cn-north-1-sdv-pipeline-cros 的 IAM Role）和 Account B 的账号 ID。记录 KMS ARN 为：arn:aws-cn:kms:cn-north-1:<Account_A_ID>:key/XXX-XXX-XXX-XXX\\n\\n\\n##### **五、创建 S3桶**\\n\\n\\n这里创建名为：codecommit-sdv-cross-account 的 S3桶。\\n\\n![image.png](https://dev-media.amazoncloud.cn/fab3bf157009417c85fd27cc61082c62_image.png)\\n\\n这里 S3桶命名为 codecommit-sdv-cross-account。然后编辑存储桶权限，即权限->存储通权限，点击编辑按钮，添加如下 policy json:\\n\\n```\\n{\\n\\"Version\\": \\"2012-10-17\\",\\n \\"Statement\\": [\\n {\\n \\"Sid\\": \\"Statement1\\",\\n \\"Effect\\": \\"Allow\\",\\n \\"Principal\\": {\\n \\"AWS\\": \\"arn:aws-cn:iam::<Account_B_ID>:root\\"\\n },\\n \\"Action\\": [\\n \\"s3:Get*\\",\\n \\"s3:Put*\\"\\n ],\\n \\"Resource\\": \\"arn:aws-cn:s3:::codecommit-sdv-cross-account/*\\"\\n },\\n {\\n \\"Sid\\": \\"Statement2\\",\\n \\"Effect\\": \\"Allow\\",\\n \\"Principal\\": {\\n \\"AWS\\": \\"arn:aws-cn:iam:: <Account_B_ID>:root\\"\\n },\\n \\"Action\\": \\"s3:ListBucket\\",\\n \\"Resource\\": \\"arn:aws-cn:s3:::codecommit-sdv-cross-account\\"\\n }\\n ]\\n}\\n```\\n\\n\\n##### **六、创建 CodeBuild**\\n\\n\\n创建名为：sdv-build 的 codebuild 项目，供 codepipeline 调用。\\n\\n![image.png](https://dev-media.amazoncloud.cn/df2c24612be24e0f95da68d51cdc545a_image.png)\\n\\n在 Buildspec 中添加命令如下：\\n\\n![image.png](https://dev-media.amazoncloud.cn/2753d79bd4b04ffea1434f2fe3039af2_image.png)\\n\\n\\n##### **七、创建 Codepipeline**\\n\\n\\n对于跨账号调用 Codecommit 的 Codepipeline 只能通过 Amazon CLI 创建，准备如下 pipeline.json 文件，\\n\\n```\\n{\\n \\"pipeline\\": {\\n \\"roleArn\\": \\"arn:aws-cn:iam::<Account_A_ID>:role/service-role/AWSCodePipelineServiceRole-cn-north-1-sdv-pipeline-cros\\", \\n \\"stages\\": [\\n {\\n \\"name\\": \\"Source\\", \\n \\"actions\\": [\\n {\\n \\"inputArtifacts\\": [], \\n \\"name\\": \\"Source\\", \\n \\"region\\": \\"cn-north-1\\", \\n \\"namespace\\": \\"SourceVariables\\", \\n \\"actionTypeId\\": {\\n \\"category\\": \\"Source\\", \\n \\"owner\\": \\"AWS\\", \\n \\"version\\": \\"1\\", \\n \\"provider\\": \\"CodeCommit\\"\\n }, \\n \\"outputArtifacts\\": [\\n {\\n \\"name\\": \\"SourceArtifact\\"\\n }\\n ], \\n \\"roleArn\\":\\"arn:aws-cn:iam::<Account_B_ID>:role/assume-admin-role\\",\\n \\"configuration\\": {\\n \\"BranchName\\": \\"master\\", \\n \\"PollForSourceChanges\\": \\"false\\", \\n \\"RepositoryName\\": \\"cros-account-b-repo\\"\\n }, \\n \\"runOrder\\": 1\\n }\\n ]\\n }, \\n {\\n \\"name\\": \\"Build\\", \\n \\"actions\\": [\\n {\\n \\"inputArtifacts\\": [\\n {\\n \\"name\\": \\"SourceArtifact\\"\\n }\\n ], \\n \\"name\\": \\"Build\\", \\n \\"region\\": \\"cn-north-1\\", \\n \\"namespace\\": \\"BuildVariables\\", \\n \\"actionTypeId\\": {\\n \\"category\\": \\"Build\\", \\n \\"owner\\": \\"AWS\\", \\n \\"version\\": \\"1\\", \\n \\"provider\\": \\"CodeBuild\\"\\n }, \\n \\"outputArtifacts\\": [\\n {\\n \\"name\\": \\"BuildArtifact\\"\\n }\\n ], \\n \\"configuration\\": {\\n \\"ProjectName\\": \\"sdv-build\\"\\n }, \\n \\"runOrder\\": 1\\n }\\n ]\\n }\\n ], \\n \\"artifactStore\\": {\\n \\"type\\": \\"S3\\", \\n \\"location\\": \\"codecommit-sdv-cross-account\\",\\n \\"encryptionKey\\": {\\n \\"id\\": \\" arn:aws-cn:kms:cn-north-1:<Account_A_ID>:key/XXX-XXX-XXX-XXX \\",\\n \\"type\\": \\"KMS\\"\\n }\\n },\\n \\"name\\": \\"pipeline-cros\\", \\n \\"version\\": 1\\n }\\n}\\n```\\n\\n这里计划在 Account A 创建名为 pipeline-cros的codepipeline，该 pipeline 以 Account B 的 codecommit repo: cros-account-b-repo (master branch) 作为源，并利用预先准备好的位于 Account A 的 codebuild 进行流水线的执行。\\n\\n使用如上 Json，并利用 Amazon cli 执行命令如下：\\n\\n![image.png](https://dev-media.amazoncloud.cn/ec10642ff5424b39b5b70b5854af4a07_image.png)\\n\\naws codepipeline create-pipeline –cli-input-json file://pipeline.json # 创建 pipeline\\n\\n同时 codebuild 会打印日志如下：\\n\\n```\\n……\\n[Container] 2022/07/18 03:23:11 Entering phase BUILD\\n[Container] 2022/07/18 03:23:11 Running command ls\\ndemo.txt\\n[Container] 2022/07/18 03:23:11 Phase complete: BUILD State: SUCCEEDED\\n……\\n```\\n\\n\\n#### **本篇作者**\\n\\n\\n![image.png](https://dev-media.amazoncloud.cn/017492bf612647db8259d5fedf26320c_image.png)\\n\\n\\n#### **王帅**\\n\\n\\nAmazon 专业服务团队 Devops 顾问。提倡融合文化，实践和工具的 Devops 理念，致力于帮助客户使组织能够以更高的速度和可靠性交付产品并获得业务价值。擅长平台规划，迁移和工具链设计。对新鲜事物充满热情\\n\\n![image.png](https://dev-media.amazoncloud.cn/5e131a94b88b49bda7950333d0467157_image.png)\\n\\n\\n#### **冯霄鹏**\\n\\n\\nAmazon 专业服务团队高级 DevOps 顾问。主要负责 DevOps 咨询和技术实施。在 DevSecOps 加速企业数字化转型方面领域拥有多年经验，对公有云、DevOps、基于云原生的微服务架构、敏捷加速研发效能等有深入的研究和热情。\\n","render":"<h4><a id=\\"_2\\"></a><strong>背景</strong></h4>\\n<p>大型企业中代码仓库通常存放在各部门开发账户中，而流水线则位于独立 DevOps 账户中。</p>\n<p>本文我们将介绍如何创建跨账号访问 Codecommit 代码仓库的 Codepipeline 流水线，即 CodePipeline 调用另一个账号中的 Codecommit 代码仓库。</p>\n<h4><a id=\\"_10\\"></a><strong>部署架构图</strong></h4>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/97503556d2e242e794224e9231c4a702_image.png\\" alt=\\"image.png\\" /></p>\n<p>权限配置</p>\n<ol>\\n<li>CodePipeline 执行 role – CodePipelineServiceRole，关键 IAM Policy：允许 CodePipeline assume account B 中的角色 “AssumeAdminRole”。</li>\n<li>AssumeAdminRole – CodePipeline-SourceStage 实际执行 role，添加 policy 以具有以下权限\\n<ul>\\n<li>允许被 Account A 中 CodePipeline Assume</li>\n<li>允许访问本账户中的 CodeCommit</li>\n<li>允许访问 Account A 中的 S3桶（存放 sourceArtifact）</li>\n<li>允许访问 Account A 中的 KMS</li>\n</ul>\\n</li>\n<li>配置 KMS Policy，允许 CodePipelineServiceRole 和 AssumeAdminRole 访问 kms 中相应的key</li>\n<li>配置 S3 Bucket Policy，允许 AssumeAdminRole 访问 S3中相应的bucket</li>\n<li>CodeBuild 执行 role，可配置为自动生成，不是本文重点</li>\n</ol>\\n<p>流水线执行过程</p>\n<ol>\\n<li>触发流水线</li>\n<li>SourceStage 中首先 assume AssumeAdminRole，获得访问 CodeCommit 权限</li>\n<li>从 AccountB CodeCommit 代码仓库拉取代码</li>\n<li>将放 sourceArtifact 存入 S3桶</li>\n<li>S3服务端加密</li>\n<li>执行 Build Stage: CodeBuild</li>\n</ol>\\n<h4><a id=\\"_37\\"></a><strong>账号准备</strong></h4>\\n<p>选择您所在的 region，本文以北京 Region 为例。</p>\n<p>准备两个 Amazon 主账号：</p>\n<ul>\\n<li>代码仓库账号 B：提供 Codecommit 服务，源代码放在这里。</li>\n<li>pipeline 账号 A：提供 Codepipeline 服务，以及相关联的codebuild、kms 密钥和 s3桶</li>\n</ul>\\n<h5><a id=\\"_B_48\\"></a><strong>代码仓库账号 B</strong></h5>\\n<h5><a id=\\"_IAM_Role_51\\"></a><strong>一、创建跨账号 IAM Role</strong></h5>\\n<p>该 Role 命名为 assume-admin-role，使用权限如下：</p>\n<pre><code class=\\"lang-\\">{\\n "Version": "2012-10-17",\\n "Statement": [\\n {\\n "Sid": "VisualEditor0",\\n "Effect": "Allow",\\n "Action": [\\n "s3:PutObject",\\n "kms:Decrypt",\\n "kms:Encrypt",\\n "kms:DescribeKey",\\n "s3:GetObject*",\\n "s3:PutObjectAcl",\\n "kms:ReEncrypt*",\\n "kms:GenerateDataKey*"\\n ],\\n "Resource": [\\n " arn:aws-cn:kms:cn-north-1:<Account_A_ID>:key/XXX-XXX-XXX-XXX ",\\n "arn:aws-cn:s3:::codecommit-sdv-cross-account/*"\\n ]\\n },\\n {\\n "Sid": "VisualEditor1",\\n "Effect": "Allow",\\n "Action": [\\n "codecommit:List*"\\n ],\\n "Resource": "arn:aws-cn:s3:::codecommit-sdv-cross-account/*"\\n }\\n ]\\n}\\n</code></pre>\\n<p>该 Role 的信任关系如下：</p>\n<pre><code class=\\"lang-\\">{\\n "Version": "2012-10-17",\\n "Statement": [\\n {\\n "Effect": "Allow",\\n "Principal": {\\n "AWS": [\\n "arn:aws-cn:iam::<Account_A_ID>:root"\\n ]\\n },\\n "Action": "sts:AssumeRole"\\n }\\n ]\\n}\\n</code></pre>\\n<h5><a id=\\"_CodeCommit_Repository_110\\"></a><strong>二、创建 CodeCommit Repository</strong></h5>\\n<p>该 Repo 命名为：cros-account-b-repo，并在该 Repo 中创建文件 demo.txt。</p>\n<p><img src=\\"https://dev-media.amazoncloud.cn/29e636f61b324daea08f5c82c6e7ab89_image.png\\" alt=\\"image.png\\" /></p>\n<h4><a id=\\"_A_118\\"></a><strong>流水线账号 A</strong></h4>\\n<h5><a id=\\"_Codepipeline_IAM_Role_121\\"></a><strong>三、创建 Codepipeline IAM Role</strong></h5>\\n<p>创建 IAM Role，名为：AWSCodePipelineServiceRole-cn-north-1-sdv-pipeline-cros，为 Codepipeline 的创建做准备。</p>\n<p>该 role 关联 Codepipeline 默认 Role 的权限策略，具体如下：</p>\n<pre><code class=\\"lang-\\">{\\n "Statement": [\\n {\\n "Effect": "Allow",\\n "Action": [\\n "iam:PassRole"\\n ],\\n "Resource": "*",\\n "Condition": {\\n "StringEqualsIfExists": {\\n "iam:PassedToService": [\\n "cloudformation.amazonaws.com",\\n "elasticbeanstalk.amazonaws.com",\\n "ec2.amazonaws.com",\\n "ecs-tasks.amazonaws.com"\\n ]\\n }\\n }\\n },\\n {\\n "Effect": "Allow",\\n "Action": [\\n "codecommit:CancelUploadArchive",\\n "codecommit:GetBranch",\\n "codecommit:GetCommit",\\n "codecommit:GetRepository",\\n "codecommit:GetUploadArchiveStatus",\\n "codecommit:UploadArchive"\\n ],\\n "Resource": "*"\\n },\\n {\\n "Effect": "Allow",\\n "Action": [\\n "codedeploy:CreateDeployment",\\n "codedeploy:GetApplication",\\n "codedeploy:GetApplicationRevision",\\n "codedeploy:GetDeployment",\\n "codedeploy:GetDeploymentConfig",\\n "codedeploy:RegisterApplicationRevision"\\n ],\\n "Resource": "*"\\n },\\n {\\n "Effect": "Allow",\\n "Action": [\\n "elasticbeanstalk:*",\\n "ec2:*",\\n "elasticloadbalancing:*",\\n "autoscaling:*",\\n "cloudwatch:*",\\n "s3:*",\\n "sns:*",\\n "cloudformation:*",\\n "rds:*",\\n "sqs:*",\\n "ecs:*"\\n ],\\n "Resource": "*"\\n },\\n {\\n "Effect": "Allow",\\n "Action": [\\n "lambda:InvokeFunction",\\n "lambda:ListFunctions"\\n ],\\n "Resource": "*"\\n },\\n {\\n "Effect": "Allow",\\n "Action": [\\n "cloudformation:CreateStack",\\n "cloudformation:DeleteStack",\\n "cloudformation:DescribeStacks",\\n "cloudformation:UpdateStack",\\n "cloudformation:CreateChangeSet",\\n "cloudformation:DeleteChangeSet",\\n "cloudformation:DescribeChangeSet",\\n "cloudformation:ExecuteChangeSet",\\n "cloudformation:SetStackPolicy",\\n "cloudformation:ValidateTemplate"\\n ],\\n "Resource": "*"\\n },\\n {\\n "Effect": "Allow",\\n "Action": [\\n "codebuild:BatchGetBuilds",\\n "codebuild:StartBuild",\\n "codebuild:BatchGetBuildBatches",\\n "codebuild:StartBuildBatch"\\n ],\\n "Resource": "*"\\n },\\n {\\n "Effect": "Allow",\\n "Action": [\\n "servicecatalog:ListProvisioningArtifacts",\\n "servicecatalog:CreateProvisioningArtifact",\\n "servicecatalog:DescribeProvisioningArtifact",\\n "servicecatalog:DeleteProvisioningArtifact",\\n "servicecatalog:UpdateProduct"\\n ],\\n "Resource": "*"\\n },\\n {\\n "Effect": "Allow",\\n "Action": [\\n "cloudformation:ValidateTemplate"\\n ],\\n "Resource": "*"\\n },\\n {\\n "Effect": "Allow",\\n "Action": [\\n "ecr:DescribeImages"\\n ],\\n "Resource": "*"\\n },\\n {\\n "Effect": "Allow",\\n "Action": [\\n "states:DescribeExecution",\\n "states:DescribeStateMachine",\\n "states:StartExecution"\\n ],\\n "Resource": "*"\\n },\\n {\\n "Effect": "Allow",\\n "Action": [\\n "appconfig:StartDeployment",\\n "appconfig:StopDeployment",\\n "appconfig:GetDeployment"\\n ],\\n "Resource": "*"\\n }\\n ],\\n "Version": "2012-10-17"\\n}\\n</code></pre>\\n<p>除了默认权限策略，为了提供跨账号调用，该 Role 还需要加入如下权限策略：</p>\n<pre><code class=\\"lang-\\">{\\n "Version": "2012-10-17",\\n "Statement": {\\n "Effect": "Allow",\\n "Action": "sts:AssumeRole",\\n "Resource": [\\n "arn:aws-cn:iam::<Account_B_ID>:role/*"\\n ]\\n }\\n}\\n</code></pre>\\n<h5><a id=\\"_KMS__287\\"></a><strong>四、创建 KMS 秘钥</strong></h5>\\n<p>创建名为：account_a_cros_kms 的 KMS 秘钥。</p>\n<p><img src=\\"https://dev-media.amazoncloud.cn/cbe271c6de434ae8a3ca04cce90e7d6c_image.png\\" alt=\\"image.png\\" /></p>\n<p><img src=\\"https://dev-media.amazoncloud.cn/9b7e3a89cc764a799e2a1f941734cc45_image.png\\" alt=\\"image.png\\" /></p>\n<p><img src=\\"https://dev-media.amazoncloud.cn/63ab2e9705034ae4b8c89e67257d7a1f_image.png\\" alt=\\"image.png\\" /></p>\n<p><img src=\\"https://dev-media.amazoncloud.cn/d2ac686eef1d48839d84fdbe98b7bb17_image.png\\" alt=\\"image.png\\" /></p>\n<p>在定义秘钥使用权限时，需要加入 Codepipeline 所关联的 Role（上一步创建名为：AWSCodePipelineServiceRole-cn-north-1-sdv-pipeline-cros 的 IAM Role）和 Account B 的账号 ID。记录 KMS ARN 为：arn:aws-cn:kms:cn-north-1:<Account_A_ID>:key/XXX-XXX-XXX-XXX</p>\n<h5><a id=\\"_S3_303\\"></a><strong>五、创建 S3桶</strong></h5>\\n<p>这里创建名为：codecommit-sdv-cross-account 的 S3桶。</p>\n<p><img src=\\"https://dev-media.amazoncloud.cn/fab3bf157009417c85fd27cc61082c62_image.png\\" alt=\\"image.png\\" /></p>\n<p>这里 S3桶命名为 codecommit-sdv-cross-account。然后编辑存储桶权限，即权限->存储通权限，点击编辑按钮，添加如下 policy json:</p>\n<pre><code class=\\"lang-\\">{\\n"Version": "2012-10-17",\\n "Statement": [\\n {\\n "Sid": "Statement1",\\n "Effect": "Allow",\\n "Principal": {\\n "AWS": "arn:aws-cn:iam::<Account_B_ID>:root"\\n },\\n "Action": [\\n "s3:Get*",\\n "s3:Put*"\\n ],\\n "Resource": "arn:aws-cn:s3:::codecommit-sdv-cross-account/*"\\n },\\n {\\n "Sid": "Statement2",\\n "Effect": "Allow",\\n "Principal": {\\n "AWS": "arn:aws-cn:iam:: <Account_B_ID>:root"\\n },\\n "Action": "s3:ListBucket",\\n "Resource": "arn:aws-cn:s3:::codecommit-sdv-cross-account"\\n }\\n ]\\n}\\n</code></pre>\\n<h5><a id=\\"_CodeBuild_342\\"></a><strong>六、创建 CodeBuild</strong></h5>\\n<p>创建名为：sdv-build 的 codebuild 项目，供 codepipeline 调用。</p>\n<p><img src=\\"https://dev-media.amazoncloud.cn/df2c24612be24e0f95da68d51cdc545a_image.png\\" alt=\\"image.png\\" /></p>\n<p>在 Buildspec 中添加命令如下：</p>\n<p><img src=\\"https://dev-media.amazoncloud.cn/2753d79bd4b04ffea1434f2fe3039af2_image.png\\" alt=\\"image.png\\" /></p>\n<h5><a id=\\"_Codepipeline_354\\"></a><strong>七、创建 Codepipeline</strong></h5>\\n<p>对于跨账号调用 Codecommit 的 Codepipeline 只能通过 Amazon CLI 创建，准备如下 pipeline.json 文件，</p>\n<pre><code class=\\"lang-\\">{\\n "pipeline": {\\n "roleArn": "arn:aws-cn:iam::<Account_A_ID>:role/service-role/AWSCodePipelineServiceRole-cn-north-1-sdv-pipeline-cros", \\n "stages": [\\n {\\n "name": "Source", \\n "actions": [\\n {\\n "inputArtifacts": [], \\n "name": "Source", \\n "region": "cn-north-1", \\n "namespace": "SourceVariables", \\n "actionTypeId": {\\n "category": "Source", \\n "owner": "AWS", \\n "version": "1", \\n "provider": "CodeCommit"\\n }, \\n "outputArtifacts": [\\n {\\n "name": "SourceArtifact"\\n }\\n ], \\n "roleArn":"arn:aws-cn:iam::<Account_B_ID>:role/assume-admin-role",\\n "configuration": {\\n "BranchName": "master", \\n "PollForSourceChanges": "false", \\n "RepositoryName": "cros-account-b-repo"\\n }, \\n "runOrder": 1\\n }\\n ]\\n }, \\n {\\n "name": "Build", \\n "actions": [\\n {\\n "inputArtifacts": [\\n {\\n "name": "SourceArtifact"\\n }\\n ], \\n "name": "Build", \\n "region": "cn-north-1", \\n "namespace": "BuildVariables", \\n "actionTypeId": {\\n "category": "Build", \\n "owner": "AWS", \\n "version": "1", \\n "provider": "CodeBuild"\\n }, \\n "outputArtifacts": [\\n {\\n "name": "BuildArtifact"\\n }\\n ], \\n "configuration": {\\n "ProjectName": "sdv-build"\\n }, \\n "runOrder": 1\\n }\\n ]\\n }\\n ], \\n "artifactStore": {\\n "type": "S3", \\n "location": "codecommit-sdv-cross-account",\\n "encryptionKey": {\\n "id": " arn:aws-cn:kms:cn-north-1:<Account_A_ID>:key/XXX-XXX-XXX-XXX ",\\n "type": "KMS"\\n }\\n },\\n "name": "pipeline-cros", \\n "version": 1\\n }\\n}\\n</code></pre>\\n<p>这里计划在 Account A 创建名为 pipeline-cros的codepipeline，该 pipeline 以 Account B 的 codecommit repo: cros-account-b-repo (master branch) 作为源，并利用预先准备好的位于 Account A 的 codebuild 进行流水线的执行。</p>\n<p>使用如上 Json，并利用 Amazon cli 执行命令如下：</p>\n<p><img src=\\"https://dev-media.amazoncloud.cn/ec10642ff5424b39b5b70b5854af4a07_image.png\\" alt=\\"image.png\\" /></p>\n<p>aws codepipeline create-pipeline –cli-input-json file://pipeline.json # 创建 pipeline</p>\n<p>同时 codebuild 会打印日志如下：</p>\n<pre><code class=\\"lang-\\">……\\n[Container] 2022/07/18 03:23:11 Entering phase BUILD\\n[Container] 2022/07/18 03:23:11 Running command ls\\ndemo.txt\\n[Container] 2022/07/18 03:23:11 Phase complete: BUILD State: SUCCEEDED\\n……\\n</code></pre>\\n<h4><a id=\\"_458\\"></a><strong>本篇作者</strong></h4>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/017492bf612647db8259d5fedf26320c_image.png\\" alt=\\"image.png\\" /></p>\n<h4><a id=\\"_464\\"></a><strong>王帅</strong></h4>\\n<p>Amazon 专业服务团队 Devops 顾问。提倡融合文化，实践和工具的 Devops 理念，致力于帮助客户使组织能够以更高的速度和可靠性交付产品并获得业务价值。擅长平台规划，迁移和工具链设计。对新鲜事物充满热情</p>\n<p><img src=\\"https://dev-media.amazoncloud.cn/5e131a94b88b49bda7950333d0467157_image.png\\" alt=\\"image.png\\" /></p>\n<h4><a id=\\"_472\\"></a><strong>冯霄鹏</strong></h4>\\n<p>Amazon 专业服务团队高级 DevOps 顾问。主要负责 DevOps 咨询和技术实施。在 DevSecOps 加速企业数字化转型方面领域拥有多年经验，对公有云、DevOps、基于云原生的微服务架构、敏捷加速研发效能等有深入的研究和热情。</p>\n"}

亚马逊云科技解决方案基于行业客户应用场景及技术领域的解决方案

联系亚马逊云科技专家