Cross-Account CodePipeline — Using CodeCommit from Another AWS Account

Prashant Bhatasana
5 min read · Jun 19, 2020

In this article, we look at how to create a CodePipeline that accesses a CodeCommit repository in another AWS account.

Most organizations create multiple AWS accounts for their different application environments, because separate accounts provide the highest level of resource and security isolation.

Every application needs environments; the main three are testing, stability and production. In a centralized setup we have a single repository with multiple branches, while the application environments are split across multiple AWS child accounts. The problem is how to automate deployment to every environment, which means the DevOps engineer has to set up cross-account authentication.

Cross-account authentication is possible, but it requires a good understanding of the IAM service.

Cross-account actions are not supported for the following action types:

- Jenkins build actions

For this exercise, we use two accounts:

Account P: The account with our CodePipeline.

Account C: The account with our CodeCommit repository.

Let’s Start with Account P

-> Create an AWS KMS Encryption Key

Customer-managed keys are region-specific, as are all AWS KMS keys. You must create the customer-managed KMS key in the same region where the pipeline is created.

  1. Open the AWS KMS console and, on the left, choose Customer managed keys.
  2. Choose Create key. Under Configure key, leave Symmetric selected and choose Next.
  3. In Alias, type an alias for this key (for example, cross-account-key). Optionally provide a description and tags, and then choose Next.
  4. In Define key administrative permissions, choose your IAM user and any other users or groups you want to act as administrators for this key, and then choose Next.
  5. In Define key usage permissions, under This account, select the name of the service role for the pipeline (for example, AWS-CodePipeline-Service). Under Other AWS accounts, choose Add another AWS account. Type the account ID of Account C to complete the ARN, and then choose Next.
  6. In Review and edit key policy, review the policy, and then choose Finish.

-> Create S3 Bucket and add Account C access.

Create an S3 bucket for the pipeline to store its artifacts, and add the following bucket policy.

  • Permissions > Bucket Policy > add the following policy and replace the placeholder values (ACCOUNT_C_ID is the 12-digit ID of Account C).
{
  "Version": "2012-10-17",
  "Id": "Policy1591079668806",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_C_ID:root"
      },
      "Action": [
        "s3:Get*",
        "s3:Put*"
      ],
      "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_C_ID:root"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME"
    }
  ]
}

-> Create the CodePipeline service role and a policy to access CodeCommit from another account.

If you don't have a CodePipeline service role yet, please refer to this link.

Add the following policy to your CodePipeline service role so it can assume a role in Account C and reach the CodeCommit repositories there:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": [
      "arn:aws:iam::ACCOUNT_C_ID:role/*"
    ]
  }
}

That completes the configuration in Account P for accessing resources in another AWS account.

Let’s create all the necessary resources in Account C

-> Create an IAM policy for cross-account access.

  1. Open the AWS IAM console and, on the left, choose Policies > Create policy.
  2. Select the JSON tab and add the following policy (the KMS resource is the ARN of the key created in Account P).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject*",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR_BUCKET_NAME_IN_ACCOUNTP_FOR_CODE_PIPELINE/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:ListBranches",
        "codecommit:ListRepositories"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:GenerateDataKey*",
        "kms:Encrypt",
        "kms:ReEncrypt*",
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:REGION:ACCOUNT_P_ID:key/KEY_ID"
      ]
    }
  ]
}

  3. Enter a suitable name and choose Create policy.

-> Create an IAM role for cross-account access.

  1. Open the AWS IAM console and, on the left, choose Roles > Create role.
  2. Select Another AWS account.
  3. Enter the account ID of Account P and choose Next: Permissions.
  4. Search for and select AWSCodeCommitFullAccess as well as the policy created in the previous step, and choose Next: Tags.
  5. Add tags if you want to, and choose Next: Review.
  6. Enter a name and description and choose Create role.

Now we are ready to create our cross-account pipeline 🎊 🎉🤖🎊 🎉.

Save the following pipeline definition to a .json file and replace the placeholders (the role and key placeholders are full ARNs).

{
  "pipeline": {
    "roleArn": "<CODEPIPELINE_SERVICE_ROLE_ARN>",
    "stages": [
      {
        "name": "Source",
        "actions": [
          {
            "name": "Source",
            "actionTypeId": {
              "category": "Source",
              "owner": "AWS",
              "provider": "CodeCommit",
              "version": "1"
            },
            "runOrder": 1,
            "roleArn": "<ACCOUNT_C_ROLE_ARN>",
            "configuration": {
              "BranchName": "master",
              "PollForSourceChanges": "false",
              "RepositoryName": "<CODECOMMIT_REPO_NAME>"
            },
            "outputArtifacts": [
              {
                "name": "SourceArtifact"
              }
            ],
            "inputArtifacts": []
          }
        ]
      },
      {
        "name": "Build",
        "actions": [
          {
            "inputArtifacts": [
              {
                "name": "SourceArtifact"
              }
            ],
            "name": "Build",
            "region": "<AWS_REGION>",
            "namespace": "BuildVariables",
            "actionTypeId": {
              "category": "Build",
              "owner": "AWS",
              "version": "1",
              "provider": "CodeBuild"
            },
            "outputArtifacts": [
              {
                "name": "BuildArtifact"
              }
            ],
            "configuration": {
              "ProjectName": "<CODEBUILD_PROJECT_NAME>"
            },
            "runOrder": 1
          }
        ]
      }
    ],
    "artifactStore": {
      "type": "S3",
      "location": "<S3_BUCKET_NAME>",
      "encryptionKey": {
        "id": "<KMS_KEY_ARN>",
        "type": "KMS"
      }
    },
    "name": "<PIPELINE_NAME>",
    "version": 1
  }
}

You can’t do this part in the console, so you have to use the AWS CLI.

Go to a terminal and run the following command.

aws codepipeline create-pipeline --cli-input-json file://<File_PATH>.json --profile <AWS_USER_PROFILE> --region <AWS_REGION>
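Before running create-pipeline, it is worth checking that every ARN in the definition sits in the account it should (the service role and KMS key in Account P, the source action's role in Account C) and that the sts:AssumeRole policy from the Account P section is no wider than it needs to be. The offline checker below is an added example, not code from this article or from AWS; the account IDs, role names, bucket and key IDs in its sample are constructed placeholders.

```python
import re

ARN_RE = re.compile(r"^arn:aws:[a-z0-9-]+:[a-z0-9-]*:(?P<account>\d{12}):.+$")

def arn_account(arn):
    """Return the 12-digit owning account in an ARN, or None (S3 ARNs carry no account and do not match)."""
    m = ARN_RE.match(arn or "")
    return m.group("account") if m else None

def _as_list(value):  # IAM allows Statement, Action and Resource to be one value or a list
    return value if isinstance(value, list) else [value]

def check_pipeline(pipeline_doc, account_p, account_c):
    """Return problems found in a create-pipeline document; every ARN must sit in the expected account."""
    p, problems = pipeline_doc["pipeline"], []
    if arn_account(p["roleArn"]) != account_p:
        problems.append("pipeline.roleArn must be the CodePipeline service role in Account P")
    key = p["artifactStore"].get("encryptionKey") or {}
    if key.get("type") != "KMS" or arn_account(key.get("id")) != account_p:
        problems.append("artifactStore.encryptionKey must be the customer-managed KMS key in Account P")
    for action in (a for stage in p["stages"] for a in stage["actions"]):
        t = action["actionTypeId"]
        # Only the CodeCommit source action runs in Account C, so only it needs the cross-account roleArn.
        if (t["category"], t["provider"]) == ("Source", "CodeCommit") and arn_account(action.get("roleArn")) != account_c:
            problems.append(f"action {action['name']}: roleArn must be the cross-account role in Account C")
    return problems

def check_assume_role_policy(policy_doc, account_c):
    """Return problems in the service role's sts:AssumeRole policy; a role/* wildcard is flagged as over-broad."""
    problems = []
    for s in _as_list(policy_doc["Statement"]):
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action")):
            for r in _as_list(s.get("Resource")):
                if arn_account(r) != account_c:
                    problems.append(f"{r}: AssumeRole target is not a role in Account C")
                elif r.endswith("role/*"):
                    problems.append(f"{r}: allows assuming every role in Account C; name the one cross-account role")
    return problems

# Constructed sample mirroring the article's pipeline JSON and service-role policy; IDs and names are placeholders.
ACCOUNT_P, ACCOUNT_C = "111111111111", "222222222222"
SAMPLE_PIPELINE = {"pipeline": {"name": "cross-account-pipeline", "version": 1,
    "roleArn": f"arn:aws:iam::{ACCOUNT_P}:role/AWS-CodePipeline-Service",
    "artifactStore": {"type": "S3", "location": "demo-artifact-bucket", "encryptionKey": {
        "id": f"arn:aws:kms:us-east-1:{ACCOUNT_P}:key/PLACEHOLDER-KEY-ID", "type": "KMS"}},
    "stages": [{"name": "Source", "actions": [{"name": "Source", "runOrder": 1, "inputArtifacts": [],
        "outputArtifacts": [{"name": "SourceArtifact"}],
        "actionTypeId": {"category": "Source", "owner": "AWS", "provider": "CodeCommit", "version": "1"},
        "roleArn": f"arn:aws:iam::{ACCOUNT_C}:role/CrossAccountCodeCommitRole",
        "configuration": {"BranchName": "master", "PollForSourceChanges": "false", "RepositoryName": "demo-repo"}}]}]}}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": [f"arn:aws:iam::{ACCOUNT_C}:role/*"]}}
```

Run check_pipeline on the JSON you intend to pass to --cli-input-json and check_assume_role_policy on the service role policy; an empty list from both means the account wiring is consistent.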

This creates our cross-account pipeline, which pulls its source from CodeCommit in another AWS account 🎊 🎉🤖🎊 🎉.

Thank you for reading, if you have anything to add please send a response or add a note!


Prashant Bhatasana

AWS Community Builder | AWS Certified | Terraform Associate | DevOps Engineer, Love to work with #AWS #Terraform #Jenkins #Kubernetes #Docker #Ansible #Selenium