Configure AWS Cross-account using SSM Command

0

I have a script that is running in account A that updates the application in Beanstalk. I want to run the same script from account A to update the Beanstalk application in account B using SSM or any other tool that could accomplish this task.

I need to know what SSM command to invoke for the cross-account in the script below:

#!/bin/bash

# eb_env_vars is assumed to be populated earlier with KEY=VALUE strings taken
# from the Beanstalk environment (the array itself is not shown in the question).
for i in "${eb_env_vars[@]}"
do
    # Pick the entry holding the Parameter Store path and keep only the part after the last '='
    if [[ $i == *"parameter_store_path"* ]]; then
        parameter_store_path=$(echo "$i" | grep -Po "([^\=]*$)")
    fi
done

Your help would be greatly appreciated!

1 Answer
0

To use SSM to update a Beanstalk application in another account, you will need to use the aws ssm send-command command. The basic format of the command is:

aws ssm send-command \
    --document-name "AWS-RunShellScript" \
    --parameters commands="command-to-run" \
    --targets "Key=instanceids,Values=instance-id" \
    --region "region" \
    --profile "profile-name"

You'll need to replace command-to-run with the command you want to run on the Beanstalk instance. The --targets option can be used to specify the ID of the Beanstalk instance.

To run this command across multiple accounts, you can use AWS Organizations to create a service control policy (SCP) to allow access to SSM across accounts.

To do this, you'll need to create an IAM role in account B with permissions to access Beanstalk, and then assume that role in account A using the sts:AssumeRole action.

You can then use the --role-arn option in the aws ssm send-command command to specify the IAM role in account B.

Here's an example of how you might use the aws ssm send-command command to update a Beanstalk application in another account:

aws ssm send-command \
    --document-name "AWS-RunShellScript" \
    --parameters commands="eb deploy --environment my-environment" \
    --targets "Key=instanceids,Values=instance-id" \
    --region "us-east-1" \
    --profile "profile-name" \
    --role-arn "arn:aws:iam::account-B-id:role/beanstalk-role"

Note that you'll need to replace instance-id with the ID of the Beanstalk instance, my-environment with the name of the Beanstalk environment, us-east-1 with the region where the Beanstalk environment is located, profile-name with the name of the profile in account A, and arn:aws:iam::account-B-id:role/beanstalk-role with the ARN of the IAM role in account B.

Make sure that you have the necessary permissions to assume the role in account B and that the role has the necessary permissions to access the Beanstalk application.

It's always a good idea to test these commands in a non-production environment before running them in production.

answered a year ago
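The cross-account flow as a shell script (an added example, not code from the question or the answer): assume the account B role with aws sts assume-role, export the temporary credentials so the AWS CLI runs as that role, then call aws ssm send-command with --targets pointing at a tag instead of a hard-coded instance ID. ROLE_ARN, EXTERNAL_ID, TAG_KEY and TAG_VALUE are placeholders; the account B role is assumed to trust account A, require that ExternalId, and allow only ssm:SendCommand on AWS-RunShellScript for the tagged instances.

```shell
#!/bin/bash
# Added example (not from the question or answer). Placeholders below must be replaced.
set -euo pipefail

ROLE_ARN="arn:aws:iam::ACCOUNT_B_ID:role/beanstalk-deploy-role"   # placeholder: role in account B
EXTERNAL_ID="deploy-from-account-A"                                 # placeholder: matches the role's trust policy
TAG_KEY="elasticbeanstalk:environment-name"
TAG_VALUE="my-environment"                                          # placeholder: Beanstalk environment name
REGION="us-east-1"

# Parse the tab-separated line produced by
#   aws sts assume-role ... --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
# and export the temporary credentials so later AWS CLI calls run as the account B role.
# Returns 1 when any of the three fields is missing.
export_assumed_creds() {
    local key secret token
    IFS="$(printf '\t')" read -r key secret token <<EOF
$1
EOF
    [ -n "${key:-}" ] && [ -n "${secret:-}" ] && [ -n "${token:-}" ] || return 1
    export AWS_ACCESS_KEY_ID="$key" AWS_SECRET_ACCESS_KEY="$secret" AWS_SESSION_TOKEN="$token"
}

# Assume the account B role with a short session and an ExternalId (guards against the
# confused-deputy problem), then export the credentials for the rest of the script.
assume_deploy_role() {
    local out
    out=$(aws sts assume-role --role-arn "$ROLE_ARN" --external-id "$EXTERNAL_ID" \
            --role-session-name "eb-deploy-$(date +%s)" --duration-seconds 900 \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
    export_assumed_creds "$out"
}

# Build the AWS-RunShellScript parameters as JSON, escaping backslashes and double quotes
# so the deploy command arrives as one list element instead of being re-split.
run_shell_params() {
    local escaped
    escaped=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '{"commands":["%s"]}' "$escaped"
}

# Send the command to the tagged instances in account B (tags, not fixed instance IDs,
# so the target set follows the environment) and print the CommandId for later status checks.
send_deploy() {
    aws ssm send-command --region "$REGION" --document-name "AWS-RunShellScript" \
        --targets "Key=tag:${TAG_KEY},Values=${TAG_VALUE}" \
        --parameters "$(run_shell_params "$1")" --comment "cross-account eb deploy" \
        --query 'Command.CommandId' --output text
}
# Usage: assume_deploy_role && send_deploy "eb deploy --environment ${TAG_VALUE}"
```

The CommandId returned by send_deploy can be fed to aws ssm get-command-invocation to confirm the deploy finished on every targeted instance.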
