I have my codebuild build sitting on Account A and s3 buckets on Account B. I tried to set up a trusted IAM STS role on Account B and policy on Account A to include the Account B IAM role, attached this policy to my codebuild service role. But still, my codebuild shows buckets on s3. Am I doing or configuring something wrong here?
账户 B 上具有信任关系的角色
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::Account:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
账户 A 的政策
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::Account B:role/testcli"
}
]
}
CodeBuild BuildSpec.yml
version: 0.2
env:
variables:
TF_VERSION: "0.12.28"
phases:
install:
commands:
# install required binary
- echo test
pre_build:
commands:
- echo print s3 buckets
- aws s3 ls
post_build:
commands:
- echo test1
假设您的 CodeBuild (CB) 有权sts:AssumeRole
, 在你的buildspec.yml
你必须明确地承担 Acc B 中的角色。
有two ways您可以在其中执行此操作。
-
“手动”调用承担角色 https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html在你的buildspec.yml
。该调用将返回一组临时凭证。然后,获得的凭证可用于从 CB 执行 Acc B 中的 AWS CLI 命令。
-
设置 AWS CLI 凭证文件,如图所示here https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html or here https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-cli.html在您的 CB 容器中承担角色。
在这两种情况下,CB 服务角色都需要sts:AssumeRole
权限。
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)