Login
November 2, 2023Overview
In today’s dynamic IT landscape, organizations must maintain secure and isolated AWS environments for distinct application stages, such as development and production. To overcome these challenges, this blog post explores the process of setting up a Cross-Account AWS CodePipeline that connects to an AWS CodeCommit Repository located in a different AWS account. The separation of environments is crucial for resource segregation and heightened security measures. We will explore the steps and best practices to establish this innovative solution and demonstrate how technology can bridge the gap between isolated AWS accounts, facilitating a controlled and secure workflow for AWS resources and applications.
Introduction
In the domain of AWS infrastructure and application development, a fundamental requirement is the creation of distinct and dedicated environments, primarily centered around the development (dev) and production stages. Organizations often establish multiple AWS accounts to maintain the highest resource isolation and security standards, each designated for specific application phases. In this technical exploration, we’ll focus on two AWS accounts: one dedicated to development and the other to production.
The AWS CodePipeline will be created in the dev account, while the AWS CodeCommit repository is in the production account.
Pioneers in Cloud Consulting & Migration Services
- Reduced infrastructural costs
- Accelerated application deployment
Step-by-Step Guide
- First, we must create Customer-managed keys in an AWS KMS service in the dev account.Customer-managed keys are beneficial when we want to grant cross-account access, where we will be configuring the policy of a customer-managed key to allow access from another account.
- Choose Customer managed keys in the AWS KMS console.
- Click on Create key, choose Symmetric under key type, and Encrypt and Decrypt under key usage.
- Choose key AWS KMS under key material origin and Single-Region under Regionality.
- Then click on Next.
- Enter an alias and description, and click on Next.
- In Define Key Administrative Permissions, choose AWS IAM user or any other users/groups who want to act as administrator for the key, and choose Next.
- In Define Key Usage Permissions, select the service role used for the Pipeline, build, and deploy.
- Click on Add another AWS account, type the production account ID (account with a codecommit repository), and choose Next.
- Now, we need to create an Amazon S3 bucket and provide access to the production account (account that has a codecommit repository) access to it.
- We need to Create an Amazon S3 bucket for Pipeline to store Artifacts.
- Under permission, add the following Bucket policy in the Amazon S3 bucket.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
{ "Version": "2012-10-17", "Id": "Policy1591079668806", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::PRODUCTION_ACCOUNT_ID:root" }, "Action": [ "s3:Get*", "s3:Put*" ], "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*" }, { "Sid": "", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::PRODUCTION_ACCOUNT_ID:root" }, "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME" } ] } |
3. Add the following policy to the AWS CodePipeline service role in the dev account (where codepipeline will be created) to access the production account and the AWS CodeCommit repositories.
|
1 2 3 4 5 6 7 8 9 10 |
{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": [ "arn:aws:iam::PRODUCTION_ACCOUNT_ID:role/*" ] } } |
- Now, we need to create a policy and role in the production account (where codecommit repository resides)
- Go to the AWS IAM console, choose Policy, and click Create Policy.
- Select JSON, add the following code, and replace the resources arn.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject*", "s3:PutObject", "s3:PutObjectAcl", "codecommit:ListBranches", "codecommit:ListRepositories" ], "Resource": [ "arn:aws:s3:::YOUR_BUCKET_NAME_IN_DEV_ACCOUNT_FOR_CODE_PIPELINE/*" ] }, { "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:GenerateDataKey*", "kms:Encrypt", "kms:ReEncrypt*", "kms:Decrypt" ], "Resource": [ "arn:aws:kms:YOUR_KMS_ARN_DEV_ACCOUNT" ] } ] } |
- Enter a name and click on Create policy.
- We need to create an AWS IAM role for cross-account access
- Choose Role in the AWS IAM console and click on the Create role
- Under the selected Trusted entity type, choose AWS account.
- Choose Another AWS account under an AWS account, enter the account ID of the dev account (codepipeline account), and click next.
- Search for AWSCodeCommitFullAccess and add the above policy created in the above step.
- Add the proper name to the role and click on Create a role.
- We can do the cross-account creation of the Pipeline in CLI
- To create a pipeline, we need to write a JSON file
example: pipeline.json
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 |
{ "pipeline": { "roleArn": "arn:aws:iam::2 <CODEPILEPINE_SERVICE_ROLE_ARN> ", "stages": [ { "name": "Source", "actions": [ { "name": "Source", "actionTypeId": { "category": "Source", "owner": "AWS", "provider": "CodeCommit", "version": "1" }, "runOrder": 1, "roleArn": "arn:aws:iam::<PRODUCTION_ACCOUNT_ROLE_ARN> ", "configuration": { "BranchName": "<BRANCH>", "PollForSourceChanges": "false", "RepositoryName": "<CODECOMMIT_REPO_NAME> " }, "outputArtifacts": [ { "name": "SourceArtifact" } ], "inputArtifacts": [] } ] }, { "name": "Build", "actions": [ { "inputArtifacts": [ { "name": "SourceArtifact" } ], "name": "Build", "region": "<REGION>", "namespace": "BuildVariables", "actionTypeId": { "category": "Build", "owner": "AWS", "version": "1", "provider": "CodeBuild" }, "outputArtifacts": [ { "name": "BuildArtifact" } ], "configuration": { "ProjectName": "<CODEBUILD_PROJECT_NAME> " }, "runOrder": 1 } ] }, { "name": "Deploy", "actions": [ { "name": "Deploy", "actionTypeId": { "category": "Deploy", "owner": "AWS", "provider": "CodeDeploy", "version": "1" }, "runOrder": 1, "configuration": { "ApplicationName": "CODEDEPLOY_APPLICATION_NAME", "DeploymentGroupName": " CODEDEPLOY_DEPLOYMENT_GROUP_NAME" }, "inputArtifacts": [ { "name": "BuildArtifact" } ] } ] } ], "artifactStore": { "type": "S3", "location": "<S3_BUCKET_NAME> ", "encryptionKey": { "id": "arn:aws:kms:<KMS_KEY_ARN> ", "type": "KMS" } }, "name": "<PIPELINE_NAME> ", "version": 1 } } |
- Run the below command to create the pipeline
|
1 |
aws codepipeline create-pipeline --cli-input-json file://<File_PATH>.json --profile <AWS_USER_PROFILE> --region <AWS_REGION> |
- If the pipeline fails in the build stage:
- Go to the AWS CodePipeline console and click on Edit
- Click on Edit Stage
- Again, Click on Edit
- Under the project name, click on Create Project and create a new project.
- After creation, change the BUILD_PROJECT_NAME in the .json file and run the command again for the pipeline to create.
Conclusion
By following these steps and best practices, we can efficiently set up a Cross-Account AWS CodePipeline, promoting a secure and well-organized workflow for AWS resources and applications. This approach ensures that the development and production environments remain isolated, contributing to a robust and controlled AWS architecture.
Drop a query if you have any questions regarding Cross-Account AWS CodePipeline and we will get back to you quickly.
Making IT Networks Enterprise-ready – Cloud Management Services
- Accelerated cloud migration
- End-to-end view of the cloud environment
About CloudThat
CloudThat is an official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, and Microsoft Gold Partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best-in-industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.
To get started, go through our Consultancy page and Managed Services Package, CloudThat’s offerings.
FAQs
1. What is the purpose of customer-managed keys in AWS KMS for Cross-Account access?
ANS: – Customer-managed keys in AWS Key Management Service (KMS) control access to encrypted resources across accounts. In the context of Cross-Account access, they play a vital role in securing data and ensuring that sensitive information remains protected even when accessed from different AWS accounts.
2. What are the key benefits of using AWS CodePipeline compared to other CI/CD tools?
ANS: – AWS CodePipeline offers several benefits, including its seamless integration with various AWS services, centralized management, scalability, and the ability to create custom pipelines. It also supports multi-account and cross-region deployments, making it a powerful choice for AWS-centric workflows.
WRITTEN BY Abhilasha D
Abhilasha D is a Research Associate-DevOps at CloudThat. She is focused on gaining knowledge of Cloud environment and DevOps tools. She has keen interest in learning and researching on emerging technologies.
PREV
Comments