CloudFormation CodePipeline template is not authorized to perform AssumeRole, why? - PullRequest
0 votes
/ January 29, 2020

For several days I have not been able to figure out why one AWS role is not authorized to perform AssumeRole on another. In this case I have a dev account with AWS CodeCommit and a tools account with CodePipeline. I am trying to allow CodePipeline (in tools) to access CodeCommit (in dev), but I am always told that the role in tools is not authorized to do so.

Here is my CloudFormation template for creating the role in dev:

AWSTemplateFormatVersion: "2010-09-09"
Description: Cross Account Role to Allow Access to CodePipeline in Tools Account
Parameters:
  ToolsAccount:
    Description: AWS AccountNumber for tools account
    Type: Number
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: access-codecommit-in-dev
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Ref ToolsAccount
            Action:
              - sts:AssumeRole
      Path: /

  Policy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Sub ToolsAcctCodePipelineCodeCommitPolicy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - codecommit:BatchGetRepositories
              - codecommit:Get*
              - codecommit:GitPull
              - codecommit:List*
              - codecommit:CancelUploadArchive
              - codecommit:UploadArchive
              - s3:*
            Resource: "*"
      Roles:
        - !Ref Role

Here is the CloudFormation template that creates the CodePipeline:

Description: "Code pipeline to deploy frontend"

Parameters:
  DevAccount:
    Description: AWS AccountNumber for dev
    Type: Number
  TestAccount:
    Description: AWS AccountNumber for test
    Type: Number

Resources:
  BuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: codebuild-role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codebuild.amazonaws.com
            Action:
              - sts:AssumeRole

  BuildProjectPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: codebuild-policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - s3:PutObject
              - s3:GetBucketPolicy
              - s3:GetObject
              - s3:ListBucket
            Resource:
              - "bucketNameHere"
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource: arn:aws:logs:*:*:*
      Roles:
        - !Ref BuildProjectRole

  PipeLineRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: codepipeline-role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codepipeline.amazonaws.com
            Action:
              - sts:AssumeRole

  PipelinePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: codepipeline-policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - codepipeline:*
              - iam:ListRoles
              - cloudformation:Describe*
              - cloudFormation:List*
              - codecommit:List*
              - codecommit:Get*
              - codecommit:GitPull
              - codecommit:UploadArchive
              - codecommit:CancelUploadArchive
              - codebuild:BatchGetBuilds
              - codebuild:StartBuild
              - cloudformation:CreateStack
              - cloudformation:DeleteStack
              - cloudformation:DescribeStacks
              - cloudformation:UpdateStack
              - cloudformation:CreateChangeSet
              - cloudformation:DeleteChangeSet
              - cloudformation:DescribeChangeSet
              - cloudformation:ExecuteChangeSet
              - cloudformation:SetStackPolicy
              - cloudformation:ValidateTemplate
              - iam:PassRole
              - s3:ListAllMyBuckets
              - s3:GetBucketLocation
            Resource:
              - "*"
          - Effect: Allow
            Action:
              - s3:PutObject
              - s3:GetBucketPolicy
              - s3:GetObject
              - s3:ListBucket
            Resource:
              - "bucketName"
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Resource:
              - !Sub arn:aws:iam::${DevAccount}:role/crossaccount-codecommit-access

      Roles:
        - !Ref PipeLineRole

  FrontEndPipeline:
    Type: "AWS::CodePipeline::Pipeline"
    Properties:
      ArtifactStore:
        Type: "S3"
        Location: "bucketName"
      Name: "frontend-deploy"
      RoleArn: !GetAtt PipeLineRole.Arn
      Stages:
        - Name: "Code-Fetch"
          Actions:
            - Name: "stage-source"
              ActionTypeId:
                Category: Source
                Owner: AWS
                Provider: CodeCommit
                Version: 1
              OutputArtifacts:
                - Name: SourceCode
              Configuration:
                PollForSourceChanges: true
                BranchName: develop
                RepositoryName: "nameHere"
              RunOrder: 1
              RoleArn: !Sub arn:aws:iam::${DevAccount}:role/crossaccount-codecommit-access

        - Name: Build
          Actions:
            - Name: "Build-Source"
              ActionTypeId:
                Category: Build
                Owner: AWS
                Version: "1"
                Provider: CodeBuild
              InputArtifacts:
                - Name: SourceCode
              OutputArtifacts:
                - Name: DeployOutput
              Configuration:
                ProjectName: "CodeBuild"
              RunOrder: 1
        - Name: Deploy
          Actions:
            - Name: deploy
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Version: "1"
                Provider: S3
              InputArtifacts:
                - Name: DeployOutput
              Configuration:
                BucketName: "bucketNameHere"
                Extract: true
                #RoleArn: !Sub arn:aws:iam::${TestAccount}:role/cloudformationdeployer-role

  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: "CodeBuild"
      ServiceRole: !GetAtt BuildProjectRole.Arn
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Type: LINUX_CONTAINER
        Image: node:13
      Source:
        Type: CODEPIPELINE

What could be generating this error:

arn:aws:iam::{ToolsAccount}:role/projectName-codepipeline-role is not authorized to perform AssumeRole on role arn:aws:iam::{DevAccount}:role/access-codecommit-in-dev (Service: AWSCodePipeline; Status Code: 400; Error Code: InvalidStructureException; Request ID: (ID here))

1 Answer

0 votes
/ January 29, 2020

Does the role arn:aws:iam::{ToolsAccount}:role/projectName-codepipeline-role have permission to assume the role in the dev account, as shown below:

{"Sid": "AssumeCrossAccountRole", "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "<ARN of the dev account role>"}

Otherwise, try passing the ARN arn:aws:iam::{ToolsAccount}:role/projectName-codepipeline-role as the AWS principal, instead of the account number, for the role you are creating in the dev account.
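A cross-account AssumeRole needs both halves the answer asks about: an Allow for sts:AssumeRole in the caller's identity policy, and a trust policy on the target role that names the caller's role ARN or its account root. The following added example (not code from the question or the answer) checks both halves statically, using the role names from the question's two templates with constructed placeholder account ids; IAM wildcards are approximated with fnmatch, which is an assumption, not the IAM evaluation engine.

```python
import fnmatch

TOOLS, DEV = "111111111111", "222222222222"   # constructed placeholder account ids
CALLER = f"arn:aws:iam::{TOOLS}:role/codepipeline-role"
TARGET = f"arn:aws:iam::{DEV}:role/access-codecommit-in-dev"   # RoleName in the dev template

# PipelinePolicy statement from the tools template: note which role name it grants
TOOLS_IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole"],
     "Resource": [f"arn:aws:iam::{DEV}:role/crossaccount-codecommit-access"]}]}

# AssumeRolePolicyDocument from the dev template: a bare account number as principal
DEV_TRUST_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [TOOLS]}, "Action": ["sts:AssumeRole"]}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(value, patterns):
    # case-insensitive glob match, a simplification of IAM's wildcard handling
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def identity_allows_assume(policy, target_arn):
    """Does the caller's identity policy contain an Allow for sts:AssumeRole on target_arn?"""
    return any(st["Effect"] == "Allow"
               and _matches("sts:AssumeRole", st["Action"])
               and _matches(target_arn, st["Resource"])
               for st in policy["Statement"])

def trust_allows_caller(trust_policy, caller_arn):
    """Does the target role's trust policy name the caller's role ARN or its account root?"""
    account = caller_arn.split(":")[4]
    root = f"arn:aws:iam::{account}:root"
    for st in trust_policy["Statement"]:
        if st["Effect"] != "Allow" or not _matches("sts:AssumeRole", st["Action"]):
            continue
        # IAM stores a bare account id principal as that account's root ARN
        principals = [root if p == account else p for p in _as_list(st["Principal"].get("AWS", []))]
        if caller_arn in principals or root in principals:
            return True
    return False

def assume_role_problems(identity_policy, trust_policy, caller_arn, target_arn):
    """Return the reasons the cross-account AssumeRole would be refused (empty list = OK)."""
    problems = []
    if not identity_allows_assume(identity_policy, target_arn):
        problems.append(f"{caller_arn} has no Allow for sts:AssumeRole on {target_arn}")
    if not trust_allows_caller(trust_policy, caller_arn):
        problems.append(f"trust policy of {target_arn} does not trust {caller_arn}")
    return problems

if __name__ == "__main__":
    for p in assume_role_problems(TOOLS_IDENTITY_POLICY, DEV_TRUST_POLICY, CALLER, TARGET):
        print("PROBLEM:", p)
```

Run as-is it reports the name mismatch between the role the pipeline policy may assume and the role the dev template actually creates; aligning the Resource ARN with the dev RoleName makes the check pass.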
