我正在尝试设置一个CDK Codepipeline,以更新CDK项目本身,该项目在一个堆栈下,并且在构造函数中有多个嵌套堆栈。该管道位于第二个堆栈中,服务堆栈传递以访问名称。我正在使用在我运行CDK合成器并使用CodeBuild将输出放入工件中后更新堆栈。
pipeline.addStage({
stageName: 'ServiceUpdate',
actions: [
new CloudFormationCreateUpdateStackAction({
actionName: 'Service_Update',
stackName: props.serviceStack.stackName,
templatePath: cdkPipelineBuildOutput.atPath(
`${props.serviceStack.stackName}.template.json`
),
adminPermissions: true,
}),
],
});
如果堆栈为空,则可以更新堆栈,或者直接有一些资源,但是,如果服务堆栈内有嵌套堆栈,我会得到
S3:访问
堆栈内部的每个嵌套堆栈都可以使用。
如果我使用admin凭据从终端运行“ CDK Deploy示例”,则可以正确创建/更新嵌套的堆栈,这使我相信CodeBuild或CodePipeline的IAM角色有些不对劲。但是我不知道从哪里开始,因为我将管理员设置为cloudformationCreateupDateStackAction中的true。
我还通过在CloudFormationCreateUpDateStactAction和CodePipeline上调用AddTodePloymentRolepolicy来手动设置Admin权限,并通过
const policy = new PolicyStatement({
resources: ['*'],
actions: ['*'],
effect: Effect.ALLOW,
});
访问拒绝的错误没有任何更改。
我还确保在CI脚本中指定“ CDK合成器 - all”,以确保将合成嵌套的堆栈模板。
我读过的其他堆栈溢出问题:
s3错误:访问在用嵌套堆栈部署CFN模板时拒绝
此Q与手动编写的云形成模板中的错字有关。我已经查看了生成的模板,并且CDK正确生成并引用了嵌套的堆栈名称。从本地终端部署的CDK也有效,进一步使我相信没有错字问题。我还将服务堆栈作为道具传递,并调用stackName属性,以避免访问模板的错字。
如果您发现一种方法可能会因错别字而遇到问题,请告诉我,因为那仍然是最好的情况。
codepipeline s3 bucket访问codebuild in Codebuild
这是Q 这是通过解决的允许S3存储桶上的CMK许可。我已经使用了代码管道用于“ CDK合成器 - 云形式模板”的来源。我不知道此设置中使用的任何KMS CMK。如果有一种方法,我可以在工件上指定解密能力,这可能会有所帮助。
如果有一种方法可以获取有关S3:访问拒绝状态的更多详细错误消息,这也将不胜感激。它甚至没有共享S3桶被拒绝,我只需要假设。
感谢您的建议。
I am trying to set up a CDK Codepipeline for updating the cdk project itself, with the project being under one stack, and having multiple nested stacks in the constructor. The pipeline is in a second stack with the service stack passed in to access the name. I am using CloudFormationCreateUpdateStackAction to update the stack after I have run cdk synth and put the output in an artifact using codebuild.
pipeline.addStage({
stageName: 'ServiceUpdate',
actions: [
new CloudFormationCreateUpdateStackAction({
actionName: 'Service_Update',
stackName: props.serviceStack.stackName,
templatePath: cdkPipelineBuildOutput.atPath(
`${props.serviceStack.stackName}.template.json`
),
adminPermissions: true,
}),
],
});
This is able to update the stack if it is empty, or has some resources directly in it, however if there is a nested stack inside the service stack I get
S3: AccessDenied
for each of the nested stacks inside of the stack.
If I run "cdk deploy ExampleServiceStackName" from my terminal with admin credentials the nested stacks are created/updated correctly, leading me to believe that there is something wrong with the IAM roles of codebuild or codepipeline here. But I don't know where to start as I have set adminPermissions to true in the CloudFormationCreateUpdateStackAction.
I also manually set admin permissions by calling addToDeploymentRolePolicy on the CloudFormationCreateUpdateStackAction, and CodePipeline, passing
const policy = new PolicyStatement({
resources: ['*'],
actions: ['*'],
effect: Effect.ALLOW,
});
with no change in the access denied error.
I also make sure to specify "cdk synth --all" in my ci script in an attempt to ensure the nested stacks templates will be synthesized.
Other stack overflow questions I have read:
S3 error: Access Denied when deploying CFN template with Nested Stacks
This Q was related to a typo in the manually written cloud formation template. I have looked in the generated templates, and the nested stack name is correctly generated and referenced by cdk. cdk deploy from local terminal also works, further leading me to believe there is no typo problem. I also pass the service stack as a prop and call the stackName property to avoid a typo in accessing the template.
If you spot a way there could be a problem accessing due to a typo, please let me know as that would still be the best-case scenario.
Codepipeline S3 Bucket access denied in Codebuild
This Q says it was solved by giving permissions to the CMK on the S3 bucket. I have used a code pipeline Artifact for source of the "cdk synth -> cloudformation templates". I'm not aware of any KMS CMK being used in this setup. If there is a way I can specify decryption abilities on the artifact maybe that would help.
If there is a way to get more verbose error messages about the s3: Access Denied status that would also be appreciated. It doesn't even share what s3 bucket is being denied, I'm just having to assume.
Thanks for any suggestions.
发布评论
评论(1)
嘿,我遇到了同样的问题,并弄清楚了这个问题(如果您或任何人仍在遇到)。
基本上,当您使用嵌套堆栈进行
CDK合成器
时,一旦其合成后的父堆栈将引用包含子堆栈的S3对象(通常在CDK-Assets桶中)。但是,至少在管道中,这些资产永远不会上传到S3。这意味着,当管道运行时,它会获得
s3:accessDenied
错误,因为孩子堆叠了父堆栈引用中的CDK-Assets桶中不存在。我解决这个问题的方法是更改我的方法,而不是使用CloudFormationCreateupDateStackAction,而是使用执行CLI命令的CodeBuild步骤来部署CDK。
Hey I had this same issue and figured out the issue (if you or anyone is still having it).
Basically, when you do a
cdk synth
with nested stacks, the parent stack, once its synthesized, will have references to S3 objects (usually within the cdk-assets bucket) that contain the child stacks. The problem however, at least with the pipeline is these assets are never uploaded to S3.This means when the pipeline runs, it gets an
s3:AccessDenied
error because the child stacks the parent stack references do not exist in that cdk-assets bucket.The way I got around this is to change my approach and instead of using the CloudFormationCreateUpdateStackAction, I instead use a CodeBuild step that executes CLI commands to deploy the cdk.