CloudFormation CodePipeline template is not authorized to perform AssumeRole, why?

Question (votes: 0, answers: 1)

For several days I have been unable to work out why one AWS role is not authorized to perform AssumeRole on another role. In this case I have a developer account with AWS CodeCommit and a tools account with CodePipeline. I am trying to allow CodePipeline (in tools) to access CodeCommit (in dev), but I keep being told that the role in tools is not authorized to do so.

Here is my CloudFormation template that creates the role in dev:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Cross Account Role to Allow Access to CodePipeline in Tools Account
Parameters:
  ToolsAccount:
    Description: AWS AccountNumber for tools account
    Type: Number
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: access-codecommit-in-dev
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Ref ToolsAccount
            Action:
              - sts:AssumeRole
      Path: /

  Policy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Sub ToolsAcctCodePipelineCodeCommitPolicy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - codecommit:BatchGetRepositories
              - codecommit:Get*
              - codecommit:GitPull
              - codecommit:List*
              - codecommit:CancelUploadArchive
              - codecommit:UploadArchive
              - s3:*
            Resource: "*"
      Roles:
        - !Ref Role
```

And here is the CloudFormation template that creates the CodePipeline:

```yaml
Description: "Code pipeline to deploy frontend"

Parameters:
  DevAccount:
    Description: AWS AccountNumber for dev
    Type: Number
  TestAccount:
    Description: AWS AccountNumber for test
    Type: Number

Resources:
  BuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: codebuild-role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codebuild.amazonaws.com
            Action:
              - sts:AssumeRole

  BuildProjectPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: codebuild-policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - s3:PutObject
              - s3:GetBucketPolicy
              - s3:GetObject
              - s3:ListBucket
            Resource:
              - "bucketNameHere"
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource: arn:aws:logs:*:*:*
      Roles:
        - !Ref BuildProjectRole

  PipeLineRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: codepipeline-role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codepipeline.amazonaws.com
            Action:
              - sts:AssumeRole

  PipelinePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: codepipeline-policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - codepipeline:*
              - iam:ListRoles
              - cloudformation:Describe*
              - cloudFormation:List*
              - codecommit:List*
              - codecommit:Get*
              - codecommit:GitPull
              - codecommit:UploadArchive
              - codecommit:CancelUploadArchive
              - codebuild:BatchGetBuilds
              - codebuild:StartBuild
              - cloudformation:CreateStack
              - cloudformation:DeleteStack
              - cloudformation:DescribeStacks
              - cloudformation:UpdateStack
              - cloudformation:CreateChangeSet
              - cloudformation:DeleteChangeSet
              - cloudformation:DescribeChangeSet
              - cloudformation:ExecuteChangeSet
              - cloudformation:SetStackPolicy
              - cloudformation:ValidateTemplate
              - iam:PassRole
              - s3:ListAllMyBuckets
              - s3:GetBucketLocation
            Resource:
              - "*"
          - Effect: Allow
            Action:
              - s3:PutObject
              - s3:GetBucketPolicy
              - s3:GetObject
              - s3:ListBucket
            Resource:
              - "bucketName"
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Resource:
              - !Sub arn:aws:iam::${DevAccount}:role/crossaccount-codecommit-access

      Roles:
        - !Ref PipeLineRole

  FrontEndPipeline:
    Type: "AWS::CodePipeline::Pipeline"
    Properties:
      ArtifactStore:
        Type: "S3"
        Location: "bucketName"
      Name: "frontend-deploy"
      RoleArn: !GetAtt PipeLineRole.Arn
      Stages:
        - Name: "Code-Fetch"
          Actions:
            - Name: "stage-source"
              ActionTypeId:
                Category: Source
                Owner: AWS
                Provider: CodeCommit
                Version: 1
              OutputArtifacts:
                - Name: SourceCode
              Configuration:
                PollForSourceChanges: true
                BranchName: develop
                RepositoryName: "nameHere"
              RunOrder: 1
              RoleArn: !Sub arn:aws:iam::${DevAccount}:role/crossaccount-codecommit-access

        - Name: Build
          Actions:
            - Name: "Build-Source"
              ActionTypeId:
                Category: Build
                Owner: AWS
                Version: "1"
                Provider: CodeBuild
              InputArtifacts:
                - Name: SourceCode
              OutputArtifacts:
                - Name: DeployOutput
              Configuration:
                ProjectName: "CodeBuild"
              RunOrder: 1
        - Name: Deploy
          Actions:
            - Name: deploy
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Version: "1"
                Provider: S3
              InputArtifacts:
                - Name: DeployOutput
              Configuration:
                BucketName: "bucketNameHere"
                Extract: true
                #RoleArn: !Sub arn:aws:iam::${TestAccount}:role/cloudformationdeployer-role

  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: "CodeBuild"
      ServiceRole: !GetAtt BuildProjectRole.Arn
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Type: LINUX_CONTAINER
        Image: node:13
      Source:
        Type: CODEPIPELINE
```

What could be producing this error:

arn:aws:iam::{ToolsAccount}:role/projectName-codepipeline-role is not authorized to perform AssumeRole on role arn:aws:iam::{DevAccount}:role/access-codecommit-in-dev (Service: AWSCodePipeline; Status Code: 400; Error Code: InvalidStructureException; Request ID: (ID here))

amazon-web-services amazon-cloudformation aws-codepipeline aws-codebuild
1 Answer

0 votes

Make sure the role arn:aws:iam::{ToolsAccount}:role/projectName-codepipeline-role has permission to assume the role in the dev account, like so:

```json
{
  "Sid": "AssumeCrossAccountRole",
  "Effect": "Allow",
  "Action": "sts:AssumeRole",
  "Resource": "ARN of the dev account role"
}
```

Also, try passing the ARN arn:aws:iam::{ToolsAccount}:role/projectName-codepipeline-role in the AWS principal instead of the account number of the role you created in the dev account.
