AWS pipeline role is not authorized to perform AssumeRole on the cross-account role - PullRequest
0 votes
/ March 31, 2020

I am trying to create a CodePipeline resource from a CloudFormation stack template, where the pipeline is used to deploy a Lambda function into other accounts (cross-account).

When the pipeline is created through CloudFormation, the stack events show the following error:

arn:aws:iam::{AccountA}:role/testclient-testapp-codepipeline-role is not authorized to perform AssumeRole on role arn:aws:iam::{AccountB}:role/testclient-testapp-cross-account-role (Service: AWSCodePipeline; Status Code: 400; Error Code: InvalidStructureException)

I have attached the roles, policies and resources that are used in the CloudFormation templates.

It is not clear to me where the mistake is; could someone please help me with this.

Account A

```yaml
# Resources section of the Account A (CI account) template. The parameters and the
# CodeBuild, CodeBuildRole and S3ArtifactBucket resources it refers to are not shown.
  CodePipelineRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${ClientName}-${ProjectName}-codepipeline-role"
      Path: /
      AssumeRolePolicyDocument:
        Statement:
        - Effect: Allow
          Principal:
            Service: [codepipeline.amazonaws.com]
          Action: sts:AssumeRole

  CodePipelinePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CodePipelinePolicy
      PolicyDocument:
        Statement:
        - Action: ["s3:*"]
          Resource: "*"
          Effect: Allow
        - Action: ["codecommit:CancelUploadArchive", "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:GetUploadArchiveStatus", "codecommit:UploadArchive"]
          Resource: !Sub "arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:${ClientName}-${ProjectName}*"
          Effect: Allow
        - Action: ["codebuild:StartBuild", "codebuild:BatchGetBuilds"]
          Resource: !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ClientName}-${ProjectName}*"
          Effect: Allow
        - Action: ["cloudformation:DescribeStacks", "cloudformation:DescribeChangeSet", "cloudformation:CreateChangeSet", "cloudformation:ExecuteChangeSet", "cloudformation:DeleteChangeSet"]
          Resource: !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${ClientName}-${ProjectName}-${FunctionName}*/*"
          Effect: Allow
        - Action: ["iam:PassRole", "iam:ListRoles"]
          Resource: "*"
          Effect: Allow
        # Must cover every cross-account RoleArn used by the pipeline's actions
        # (the Dev-Deploy stage below assumes ${ClientName}-${ProjectName}-cross-account-role).
        - Action: ["sts:AssumeRole"]
          Resource:
            - !Sub "arn:aws:iam::${DevAccountId}:role/${ClientName}-${ProjectName}-*"
          Effect: Allow
        - Action: ["kms:Decrypt", "kms:Encrypt"]
          Resource: !GetAtt KMSKey.Arn
          Effect: Allow
      Roles: [!Ref CodePipelineRole]

  KMSKey:
    Type: AWS::KMS::Key
    Description: Used by Assumed Roles in Dev/Stage/Prod accounts to Encrypt/Decrypt code
    Properties:
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Id: !Ref AWS::StackName
        Statement:
          - Sid: Allows admin of the key
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: ["kms:*"]
            Resource: "*"
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS:
                - !Sub "arn:aws:iam::${DevAccountId}:root"
                - !GetAtt CodePipelineRole.Arn
                - !GetAtt CodeBuildRole.Arn
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"

  KMSAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub alias/${ClientName}-${ProjectName}-codepipeline-crossaccounts
      TargetKeyId: !Ref KMSKey


  CodePipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      Name: !Sub "${ClientName}-${ProjectName}-${FunctionName}-pipeline"
      RoleArn: !GetAtt CodePipelineRole.Arn
      RestartExecutionOnUpdate: true
      Stages:
      - Name: Source
        Actions:
        - Name: get-source-code
          InputArtifacts: []
          OutputArtifacts:
          - Name: !Sub "${ClientName}-${ProjectName}-${FunctionName}-SourceArtifact"
          ActionTypeId:
            Category: Source
            Owner: AWS
            Provider: CodeCommit
            Version: "1"
          Configuration:
            RepositoryName: !Ref CodeCommitRepoName
            BranchName: !Ref CodeCommitRepoBranch
          RunOrder: 1
      - Name: Build
        Actions:
        - Name: build-from-source
          InputArtifacts:
          - Name: !Sub "${ClientName}-${ProjectName}-${FunctionName}-SourceArtifact"
          OutputArtifacts:
          - Name: !Sub "${ClientName}-${ProjectName}-${FunctionName}-BuildArtifact"
          ActionTypeId:
            Category: Build
            Owner: AWS
            Version: "1"
            Provider: CodeBuild
          Configuration:
            ProjectName: !Ref CodeBuild
          RunOrder: 1
      - Name: Dev-Deploy
        Actions:
        - Name: create-changeset
          InputArtifacts:
          - Name: !Sub "${ClientName}-${ProjectName}-${FunctionName}-BuildArtifact"
          OutputArtifacts: []
          ActionTypeId:
            Category: Deploy
            Owner: AWS
            Version: "1"
            Provider: CloudFormation
          Configuration:
            StackName: !Sub "${ClientName}-${ProjectName}-${FunctionName}-dev"
            ActionMode: CHANGE_SET_REPLACE
            ChangeSetName: app-changeset-dev
            Capabilities: CAPABILITY_NAMED_IAM
            # The artifact name before "::" must match the Build stage's OutputArtifacts name
            # (the original had "BuildArtifact::${SAMOutputFile}", which names no input artifact).
            TemplatePath: !Sub "${ClientName}-${ProjectName}-${FunctionName}-BuildArtifact::${SAMOutputFile}"
            # Role CloudFormation itself runs as in the Dev account; the cross-account role
            # needs iam:PassRole for it.
            RoleArn: !Sub "arn:aws:iam::${DevAccountId}:role/${ClientName}-${ProjectName}-cloudformation-role"
          # Role the pipeline assumes in the Dev account. It must exist there under exactly
          # this name and its trust policy must admit CodePipelineRole.
          RoleArn: !Sub "arn:aws:iam::${DevAccountId}:role/${ClientName}-${ProjectName}-cross-account-role"
          RunOrder: 1
        - Name: execute-changeset
          InputArtifacts: []
          OutputArtifacts: []
          ActionTypeId:
            Category: Deploy
            Owner: AWS
            Version: "1"
            Provider: CloudFormation
          Configuration:
            StackName: !Sub "${ClientName}-${ProjectName}-${FunctionName}-dev"
            ActionMode: CHANGE_SET_EXECUTE
            ChangeSetName: app-changeset-dev
            RoleArn: !Sub "arn:aws:iam::${DevAccountId}:role/${ClientName}-${ProjectName}-cloudformation-role"
          RoleArn: !Sub "arn:aws:iam::${DevAccountId}:role/${ClientName}-${ProjectName}-cross-account-role"
          RunOrder: 2
      ArtifactStore:
        Type: S3
        Location: !Ref S3ArtifactBucket
        EncryptionKey:
          Id: !Ref KMSKey
          Type: KMS
```

Account B

```yaml
# Resources section of the Account B (Dev account) template. CIAccountId is the ID of Account A.
  CrossAccountRole:
    Type: AWS::IAM::Role
    Properties:
      # Note the name has no ${ClientName} prefix, unlike the RoleArn the Account A pipeline assumes.
      RoleName: !Sub "${ProjectName}-cross-account-role"
      Path: /
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              # Trusts every principal in Account A; the identity policy there decides who may assume.
              AWS: !Sub "arn:aws:iam::${CIAccountId}:root"
            Action: sts:AssumeRole

  CrossAccountPolicy:
    Type: AWS::IAM::Policy
    DependsOn: CrossAccountRole
    Properties:
      PolicyName: CrossAccountPolicy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - cloudformation:*
              - codebuild:*
              - s3:*
              - iam:PassRole
            Resource: "*"
          - Effect: Allow
            Action: ["kms:Decrypt", "kms:Encrypt"]
            # In this template KMSKey must be a parameter holding the ARN of the Account A key;
            # no KMSKey resource is defined here.
            Resource: !Ref KMSKey
      Roles: [!Ref CrossAccountRole]
```

1 Answer

0 votes
/ April 2, 2020

I made a mistake in the role name. In Account A I referred to

${ClientName}-${ProjectName}-codepipeline-crossaccounts

and in Account B it is named

${ProjectName}-codepipeline-crossaccounts
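A cross-account sts:AssumeRole call has three independent ways to fail, and the error message above does not say which one applies: the caller's identity policy in Account A may not cover the target ARN, the target role may not exist in Account B under the requested name, or the target role's trust policy may not admit the caller. The script below is an added example written for this page, not code from the question or the answer. It evaluates the three conditions locally for the two templates above. The account IDs and parameter values (`testclient`, `testapp`, `111111111111`, `222222222222`) are constructed, and the `codebuild-role` ARN is a hypothetical second role in Account A used only to contrast the two trust policies.

```python
"""Local pre-flight check for a cross-account sts:AssumeRole call.

Added example, not code from the original question or answer. Cross-account
AssumeRole succeeds only if (1) the caller's identity policy in Account A
allows sts:AssumeRole on the target ARN and (2) the target role's trust policy
in Account B names the caller (or its account root). A target role that does
not exist fails the same way as a denied one, because STS answers "not
authorized" rather than "not found". All account IDs, parameter values and
role names below are constructed for the demonstration.
"""
import re
from typing import Dict, List

# Constructed stand-ins for the CloudFormation parameters of both templates.
PARAMS = {
    "ClientName": "testclient",
    "ProjectName": "testapp",
    "AccountA": "111111111111",      # CI account (CIAccountId in Account B's template)
    "DevAccountId": "222222222222",  # Account B
}


def sub(template: str) -> str:
    """Minimal stand-in for CloudFormation !Sub: replace ${Name} with PARAMS[Name]."""
    return re.sub(r"\$\{(\w+)\}", lambda m: PARAMS[m.group(1)], template)


def iam_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def identity_allows(statements: List[dict], action: str, resource: str) -> bool:
    """True if an Allow statement covers both the action and the resource. Deny statements
    are not modelled because the question's policies contain only Allow statements."""
    return any(
        st["Effect"] == "Allow"
        and any(iam_match(a, action) for a in _as_list(st["Action"]))
        and any(iam_match(r, resource) for r in _as_list(st["Resource"]))
        for st in statements
    )


def trust_allows(trust_statements: List[dict], caller_arn: str) -> bool:
    """True if the trust policy names the caller role directly or trusts the caller's
    account root (which delegates the decision to that account's identity policies)."""
    account_root = "arn:aws:iam::%s:root" % caller_arn.split(":")[4]
    for st in trust_statements:
        if st["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(st["Action"]):
            continue
        principals = _as_list(st["Principal"].get("AWS", []))
        if caller_arn in principals or account_root in principals:
            return True
    return False


def check_assume_role(caller_arn: str, caller_policy: List[dict], target_arn: str,
                      roles_in_target_account: Dict[str, List[dict]]) -> str:
    """Classify the outcome of caller_arn calling sts:AssumeRole on target_arn."""
    if not identity_allows(caller_policy, "sts:AssumeRole", target_arn):
        return "denied: caller's identity policy does not allow sts:AssumeRole on the target"
    trust = roles_in_target_account.get(target_arn)
    if trust is None:
        return "denied: no such role in the target account (STS reports this as not authorized)"
    if not trust_allows(trust, caller_arn):
        return "denied: target role's trust policy does not trust the caller"
    return "allowed"


# Account A: the pipeline role and the sts:AssumeRole statement from CodePipelinePolicy.
PIPELINE_ROLE = sub("arn:aws:iam::${AccountA}:role/${ClientName}-${ProjectName}-codepipeline-role")
PIPELINE_POLICY = [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
                    "Resource": [sub("arn:aws:iam::${DevAccountId}:role/${ClientName}-${ProjectName}-*")]}]
# The RoleArn the Dev-Deploy actions ask for.
REQUESTED_ROLE = sub("arn:aws:iam::${DevAccountId}:role/${ClientName}-${ProjectName}-cross-account-role")

# Account B: the role its template actually creates (RoleName has no ${ClientName} prefix),
# with the trust policy from the question, which trusts the whole CI account.
ROOT_TRUST = [{"Effect": "Allow", "Action": "sts:AssumeRole",
               "Principal": {"AWS": sub("arn:aws:iam::${AccountA}:root")}}]
EXISTING_ROLE = sub("arn:aws:iam::${DevAccountId}:role/${ProjectName}-cross-account-role")
ACCOUNT_B_ROLES = {EXISTING_ROLE: ROOT_TRUST}

# Tighter alternative: trust only the pipeline role instead of every principal in Account A.
SCOPED_TRUST = [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": PIPELINE_ROLE}}]
# Hypothetical second role in Account A (constructed), used to show the difference.
OTHER_ROLE_IN_A = sub("arn:aws:iam::${AccountA}:role/${ClientName}-${ProjectName}-codebuild-role")


def main() -> None:
    print(check_assume_role(PIPELINE_ROLE, PIPELINE_POLICY, REQUESTED_ROLE, ACCOUNT_B_ROLES))
    print(check_assume_role(PIPELINE_ROLE, PIPELINE_POLICY, EXISTING_ROLE, ACCOUNT_B_ROLES))
    print(check_assume_role(PIPELINE_ROLE, PIPELINE_POLICY, REQUESTED_ROLE, {REQUESTED_ROLE: ROOT_TRUST}))
    print("root trust admits another Account A role:", trust_allows(ROOT_TRUST, OTHER_ROLE_IN_A))
    print("scoped trust admits it:", trust_allows(SCOPED_TRUST, OTHER_ROLE_IN_A))


if __name__ == "__main__":
    main()
```

The first case is the question's configuration: the identity policy allows the call, but no role with the requested name exists in Account B. The second case shows that pointing the pipeline at the role Account B actually created would not help on its own, because the identity policy in Account A only covers `${ClientName}-${ProjectName}-*`; both templates have to agree on the name. The last two lines show why a trust policy naming `arn:aws:iam::<AccountA>:root` is wider than the pipeline needs: it admits any principal in Account A whose own policy grants sts:AssumeRole, whereas naming the pipeline role admits only that role. A trust policy that names a specific role ARN can only be created after that role exists, because IAM resolves the ARN to the role's unique ID, which is why many cross-account templates trust the account root and rely on the identity policy instead. To confirm against the real accounts, run `aws sts assume-role --role-arn <target role ARN> --role-session-name check` with the pipeline role's credentials.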