为什么CodePipline需要KMS密钥?
我制作了codepipeline将源代码从codeCommit构建ecr by cdk
在部署此CDK代码时,以某种方式以某种方式像This codepipeline-cdkmyNavirepomynavipelinefe7f8d68命名的键
是用kmms客户托管密钥
我不确定为什么要制作的,我不想使用它。
为什么或何处制作键?
const adminPipeline = new codepipeline.Pipeline(this, 'mynaviPipeline', {
pipelineName: 'cdk-mynavi-pl',
});
const mynavi_cc_repo_name = 'cdk-mynavi-cc'
const mynavi_cc_repo = new codecommit.Repository(this,
"mynavi-cc-repo",{
repositoryName: mynavi_cc_repo_name,
description:"for resizer repo"
})
const adminBuildProject = new codebuild.PipelineProject(this, 'adminBuildproject', {
environment: {
buildImage:codebuild.LinuxBuildImage.STANDARD_4_0,
privileged:true,
},
buildSpec: codebuild.BuildSpec.fromSourceFilename("./buildspec.yml")
});
const adminSourceOutput = new codepipeline.Artifact();
const adminSourceAction = new cdk.aws_codepipeline_actions.CodeCommitSourceAction({
actionName: 'AdminSource',
repository: mynavi_cc_repo,
output: adminSourceOutput,
trigger: cdk.aws_codepipeline_actions.CodeCommitTrigger.POLL,
})
const dockerHubSecretArn = 'arn:aws:secretsmanager:ap-northeast-1:678100228231:secret:docker_login-TBFA5B';
const dockerHubSecret = secretsmanager.Secret.fromSecretCompleteArn(this, 'SecretFromCompleteArn', dockerHubSecretArn);
dockerHubSecret.grantRead(adminBuildProject)
cronEcrRepo.grantPullPush(adminBuildProject)
djangoEcrRepo.grantPullPush(adminBuildProject)
nginxEcrRepo.grantPullPush(adminBuildProject)
const adminBuildOutput = new codepipeline.Artifact();
const adminBuildAction = new cdk.aws_codepipeline_actions.CodeBuildAction({
actionName: 'AdminCodeBuild',
project: adminBuildProject,
input: adminSourceOutput,
outputs: [adminBuildOutput]
});
adminPipeline.addStage({
stageName: "mynaviSource",
actions: [adminSourceAction],
});
adminPipeline.addStage({
stageName : "mynaviBuild",
actions: [adminBuildAction]
});
I made the CodePipeline to build the source code from CodeCommit to ECR by cdk
When deploying this cdk code, somehow the key named like this
codepipeline-cdkmynavirepomynavipipelinefe7f8d68 is made in KMS customer managed key
I am not sure why this is made, and I don't want to use this.
Why or where this key is made?
const adminPipeline = new codepipeline.Pipeline(this, 'mynaviPipeline', {
pipelineName: 'cdk-mynavi-pl',
});
const mynavi_cc_repo_name = 'cdk-mynavi-cc'
const mynavi_cc_repo = new codecommit.Repository(this,
"mynavi-cc-repo",{
repositoryName: mynavi_cc_repo_name,
description:"for resizer repo"
})
const adminBuildProject = new codebuild.PipelineProject(this, 'adminBuildproject', {
environment: {
buildImage:codebuild.LinuxBuildImage.STANDARD_4_0,
privileged:true,
},
buildSpec: codebuild.BuildSpec.fromSourceFilename("./buildspec.yml")
});
const adminSourceOutput = new codepipeline.Artifact();
const adminSourceAction = new cdk.aws_codepipeline_actions.CodeCommitSourceAction({
actionName: 'AdminSource',
repository: mynavi_cc_repo,
output: adminSourceOutput,
trigger: cdk.aws_codepipeline_actions.CodeCommitTrigger.POLL,
})
const dockerHubSecretArn = 'arn:aws:secretsmanager:ap-northeast-1:678100228231:secret:docker_login-TBFA5B';
const dockerHubSecret = secretsmanager.Secret.fromSecretCompleteArn(this, 'SecretFromCompleteArn', dockerHubSecretArn);
dockerHubSecret.grantRead(adminBuildProject)
cronEcrRepo.grantPullPush(adminBuildProject)
djangoEcrRepo.grantPullPush(adminBuildProject)
nginxEcrRepo.grantPullPush(adminBuildProject)
const adminBuildOutput = new codepipeline.Artifact();
const adminBuildAction = new cdk.aws_codepipeline_actions.CodeBuildAction({
actionName: 'AdminCodeBuild',
project: adminBuildProject,
input: adminSourceOutput,
outputs: [adminBuildOutput]
});
adminPipeline.addStage({
stageName: "mynaviSource",
actions: [adminSourceAction],
});
adminPipeline.addStage({
stageName : "mynaviBuild",
actions: [adminBuildAction]
});
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
它与REST 时的加密有关。
加密
codepiplinetrifacts 默认启用。您不能禁用加密,但是您可以选择如何加密工件。
好消息是,如果您使用默认选项,则不必管理加密键。
例如,可以在
codepipeline控制台中选择:更多在 AWS Codepipeline中的数据保护。
It has to do with encryption at rest.
Encrypting
codepiplineartifacts is enabled by default.You cannot disable the encryption, but you can choose how you encrypt the artifacts.
The good thing is that if you go with the default option, you don't have to manage the encryption keys.
This can be, for example, selected in the
CodePipelineconsole:More on Data Protection in AWS CodePipeline.
OP问为什么 CDK管道默认情况下使用了不需要的KMS 客户托管键,这在接受的答案中未直接解决。我将尝试在这里解决为什么。
由于无法更新或更换AWS托管密钥的策略,因此至少在两种情况下需要客户托管的密钥策略的灵活性:
最少特权安全性: aws托管关键策略允许内部任何原则。相同的说法解密工件。在单个帐户中使用客户托管钥匙以更严格的控制权限是可选的,但它被认为是最佳实践。可以跳过,以避免额外的成本和管理麻烦。但是,人们可能会争辩说,使用最少特权的原则(POLP)对于不利用跨学会部署的困难边界的单个帐户部署更为重要。
交叉计算部署:无法更新或替换以配置跨账户权限。因此,除了最少的特权安全外,需要客户托管密钥(或客户提供的密钥),以启用由于其可自定义的策略而启用任何交叉雅特人工访问。
鉴于这两种情况,CDK团队默认情况下希望配置最佳实践,
CrossAccountkeys:True是管道的默认值也就不足为奇了。但是,对于那些在单个帐户非生产部署中尝试CDK并可能利用自由层的人来说,这些KMS键费用可以开始加起来。我认为这就是为什么CDK现在没有客户托管键的默认存储键的CDK帐户,除非您为其设置CLI标志。OP并没有直接提及它,但是由于op在此评论所述设置
CrossAccountkeys:False解决了问题,这意味着OP在一个帐户中工作。尽管这可能是可以的,例如在沙盒帐户中探索AWS的方便起见,但我建议在事情变得更加认真和更接近生产后,仍然会遇到最小的特权访问权限的麻烦。OP asked why the CDK pipeline used an unwanted KMS customer managed key by default, which isn't directly addressed in the accepted answer. I'll try to address the why here.
Since policies for AWS managed keys cannot be updated or replaced, the flexibility of customer managed key policies is needed in at least two cases:
Least privilege security: AWS managed key policies allow any principle within the same account to decrypt the artifacts. Using a customer managed key to more tightly control permissions within a single account is optional, but it's considered a best practice. It can be skipped in order to avoid the additional cost and management hassle. However, one could argue that it's even more important to use the Principle of Least Privilege (PoLP) for single account deployments that don't leverage the hard boundaries of cross-account deployments.
Cross-Account Deployments: AWS managed key policies cannot be updated or replaced to configure cross-account permissions. So least privilege security aside, customer managed keys (or customer provided keys) are required to enable any cross-account artifact access due to their customizable policies.
Given these two cases and the CDK team presumably wanting to configure best practices by default, it's no surprise that
crossAccountKeys: trueis the default for pipelines. However, for those experimenting with the CDK in single account non-production deployments and likely leveraging the Free Tier, those KMS key charges can start to add up. I think that's why CDK now bootstraps accounts without a customer managed key for the default bucket unless you set a CLI flag for it.OP didn't directly mention it, but since OP in this comment said setting
crossAccountKeys: falsesolved the problem, it implies OP was working in a single account. While this may be ok as a convenience for e.g. exploring AWS in sandbox accounts, I suggest still going to the trouble of using customer managed keys towards least privilege access once things get more serious and closer to production.