We have a Build account (Account A) that is hosting all the AWS CodePipelines (with Source and Build currently), and we are planning to use CodeDeploy for ECS deployment (the ECS cluster is in Account B). I'm not sure whether to create the CodeDeploy deployment group in Account A or Account B. How do we do this?
Yes, the CodeDeploy should be in Account B.
The cross-account setup requires a bit of exercise and it can't be fully done in AWS Console. The most important and probably the most confusing part is setting up all the cross-account IAM roles that are required for that.
Below are some AWS resources that should help with this task:
Deploy an application in a different AWS account
Building a Secure Cross-Account Continuous Delivery Pipeline
Create a pipeline in CodePipeline that uses resources from another AWS account
I am trying to deploy an ECR container to ECS Fargate in a cross account.
There are 2 accounts:
Tooling Account
Development Account
The Tooling Account is where AWS CodePipeline builds the images and stores the images in ECR.
The Development Account is where ECS runs the image in Fargate.
I have the AWS CodePipeline building the image and storing it in ECR on the Tooling Account.
Now I cannot find any documentation anywhere on how I go about deploying the image in the Development Account.
I have thought of a few options:
Create an AWS CodeDeploy in the Tooling Account and deploy the image to Fargate in the Development Account. Issue: I don't know how AWS CodeDeploy in the Tooling Account can trigger the deployment in another account.
Create an AWS CodeDeploy in the Development Account which can deploy to Fargate. Issue: I don't know how to trigger the AWS CodeDeploy in the Development Account from the Tooling Account.
There is lots of documentation out there on how to run containers on EC2 or Lambda, but not Fargate and especially cross-account Fargate deployment.
I would like to run this all from CloudFormation, but I could build that once I have gotten this working via the console first.
What is the best solution for achieving this?
I am having some trouble doing code deploy with my AWS Educate account. Initially, when I was setting things up I was following this article.
https://hackernoon.com/deploy-to-ec2-with-aws-codedeploy-from-bitbucket-pipelines-4f403e96d50c?fbclid=IwAR3rezVMGpuQxTJ3AneOeTL2oMHjCKbQB5C5ouTLhJQ5gRp3JeL4GK0f53o
It talks about setting up an IAM service account. The problem is that AWS Educate allows you to create the accounts but it won't generate keys. In order for me to deploy my Spring Boot (and VueJS) apps to my S3 buckets and EC2s from my Bitbucket repo, I need a key, a secret key and a CodeDeploy Group.
Fine, I was able to click the Account Details button on the labs.vocareum page and get my keys; however, when I am attempting to set up a CodeDeploy Group it asks for a service role and I am unsure where to get this?
Why is the service role necessary?
The service role is used by the CodeDeploy service in order to perform actions outside CodeDeploy (i.e. on another service such as S3).
AWS has a special approach of integrating services. Basically, you have to give each service you are using explicit permission to use another service (even if the access stays in the bounds of the same account). There is no inherent permission given to the CodeDeploy service to change things in S3. In fact, CodeDeploy is not even allowed to read files from S3 without explicitly allowing it.
Here is the official explanation from the docs [1]:
In AWS, service roles are used to grant permissions to an AWS service so it can access AWS resources. The policies that you attach to the service role determine which AWS resources the service can access and what it can do with those resources.
What you are actually doing according to the hackernoon article:
1. You need a user account with programmatic access to your AWS account.
2. The user account needs to have a policy attached which grants permission to upload files into S3 and trigger a CodeDeploy deployment --> you provide the access key and secret access key of this user to Bitbucket so it can upload the stuff into S3 and trigger a deployment on behalf of your user identity.
3. Unrelated to steps 1 and 2: Create a role in AWS IAM [2] which will be used by both services (NOT Bitbucket): CodeDeploy and EC2. Strictly speaking, the author of the hackernoon article is merging two steps into one here: You are creating one role which is used by both services (as specified by the two different principals in the trust relationship: ec2.amazonaws.com and codedeploy.us-west-2.amazonaws.com). Usually this is not how IAM policies should be configured because it violates the principle of granting least privilege [4], as the EC2 instances receive permissions from the AWSCodeDeployRole policy which they probably do not need as far as I see. But that is just a philosophical note here. All the steps mentioned in the hackernoon article should technically work.
So, what you actually do is:
granting CodeDeploy permission to perform various actions inside your account, such as viewing which EC2 instances you have started etc. (this is specified inside the policy AWSCodeDeployRole [3])
granting EC2 permission to read the revision which was uploaded to S3 (this is specified inside the policy AmazonS3FullAccess)
To get back to your question...
However when I am attempting to set up a Code Deploy Group it asks for a service role and I am unsure where to get this?
You need to create the service role by yourself inside the IAM service (see [2]). I do not know if this is supported by AWS Educate, but I guess it should be. After creating the service role, you MUST assign it to the CodeDeploy Group (that is the point where you are stuck right now). Moreover, you must assign that same service role to your EC2 instance profile.
References
[1] https://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-create-service-role.html
[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html#roles-creatingrole-service-console
[3] https://github.com/SummitRoute/aws_managed_policies/blob/master/policies/AWSCodeDeployRole
[4] https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege
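As an added example (not code from any of the answers above or from AWS), this builds the two kinds of trust policy the cross-account answer and the service-role answer describe, and audits a trust policy for the merged EC2 + CodeDeploy role pattern and for wildcard principals. The account IDs are constructed placeholders.

```python
import json

# Constructed placeholder account IDs, not real accounts.
TOOLING_ACCOUNT = "111111111111"  # Account A: hosts CodePipeline/CodeBuild
TARGET_ACCOUNT = "222222222222"   # Account B: runs ECS/EC2, owns CodeDeploy

def cross_account_trust(pipeline_account: str) -> dict:
    """Trust policy for the role in the target account that the pipeline's
    cross-account action assumes; only the pipeline account may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{pipeline_account}:root"},
        "Action": "sts:AssumeRole"}]}

def service_trust(*services: str) -> dict:
    """Trust policy for one or more AWS service principals."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": list(services)},
        "Action": "sts:AssumeRole"}]}

def _principals(principal) -> list:
    """Flatten a Principal element ("*", or a dict of strings/lists)."""
    if principal == "*":
        return ["*"]
    out = []
    for value in principal.values():
        out += value if isinstance(value, list) else [value]
    return out

def trust_policy_findings(policy: dict) -> list:
    """Flag trust-policy patterns worth a second look: a wildcard principal and
    one role shared by several services (the merged EC2 + CodeDeploy role)."""
    findings, principals = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in stmt.get("Action", ""):
            principals += _principals(stmt.get("Principal", {}))
    if "*" in principals:
        findings.append("wildcard principal: any identity may assume this role")
    services = sorted(s for s in principals if s.endswith(".amazonaws.com"))
    if len(services) > 1:
        findings.append("role shared by several services: " + ", ".join(services))
    return findings

if __name__ == "__main__":
    merged = service_trust("ec2.amazonaws.com", "codedeploy.us-west-2.amazonaws.com")
    print(json.dumps(cross_account_trust(TOOLING_ACCOUNT), indent=2))
    print(trust_policy_findings(merged))  # one finding: two services share the role
    print(trust_policy_findings(service_trust("codedeploy.amazonaws.com")))  # []
```

Splitting the merged role into `service_trust("codedeploy.amazonaws.com")` for the deployment group and `service_trust("ec2.amazonaws.com")` for the instance profile clears the finding and lets each role carry only the policy it needs.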
I have setup an IAM OIDC provider in my EKS cluster, and have used it to manually assign IAM roles to Kubernetes Pods.
For the pipeline for my Kubernetes pod however, I want to have it automatically create and update the IAM role for the pod as part of the normal application pipeline. This makes it easy to update the IAM permissions as your application needs to interact with more services over time.
Does anyone know of a way to create an IAM role with a service operator and associate with a pod in a manifest file? I've searched all day and it doesn't look like it can be done.
The only alternative I can think of is creating the IAM role in a different pipeline/workflow, which would work but would make updating the IAM role with new permissions frustrating, as you would have to coordinate the ordering of deployment between the two pipelines.
We have two AWS accounts, say Dev and Prod. In the Dev account, our CodeBuild, CodePipeline and CodeDeploy services are configured with S3. However, in the Prod account an auto-scaling group is running for the production websites.
As per our requirement, we want to deploy the code from the Dev account to the Prod account with a cross-account deployment. Basically, CodeBuild and CodePipeline will execute the code and, by using CodeDeploy, it will deploy to the Prod account's auto-scaling group.
Can someone give us some insight about how to achieve this?
Thanks
CodePipeline supports cross-account actions, however it's not currently configurable via the console and requires some extra roles to be configured.
Here's a guide on how to make it work: https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html
As of today, CodeDeploy doesn't support cross-account deployments. Depending on what your goal is, you might be able to achieve it another way.
I want to deploy a bundle in one account to another account
If your S3 bucket allows access to the second account, CodeDeploy doesn't care what account your bundle is in as long as everything can access it. Per #TimB, it looks like CodePipelines can support that behavior.
I need to initiate a deployment in one account to another
If you have a reason why the deployment must be in one account to another, you could set up the instances in the second account to be on-premise instances, though this is not a great solution.
I built a serverless app on an AWS account (S3, API Gateway, Lambda, DynamoDB, IAM). I need to deploy this on another AWS account that is part of the same AWS organization. Is there a CLI/CloudFormer solution where I can select existing AWS resources and replicate them on a different AWS account?
You can use CloudFormation stack sets: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html But the resources need to be maintained by CloudFormation in the first account as well.