1개 답변
- 최신
- 최다 투표
- 가장 많은 댓글
0
The problem I had occurred when using a CodePipeline to respond to changes in the stack template which is stored in CodeCommit. A couple of stages were CloudFormation stages and the role I'd created for these stages did not have enough permissions. Here's the workflow and fix in more detail:
- We have a CodePipeline which looks for changes to the test/prod environment template which is stored in CodeCommit.
- When changes are made the CodePipeline is triggered and the changes are propagated. The CodePipeline runs with the service role:
AWSCodePipelineServiceRole-Xxxx2019WebAppEnvDeployToProd. - However - there are two stages in the pipeline which create stack change sets - these are CloudFormation stages - and they run with their own role - CustomCloudFormationPowerUser. This role was created manually and includes the PowerUserAccess policy.
- However, the PowerUserAccess policy does not allow for the creation of auto scaling groups which use Launch Templates.
- To enable the role to be able to use ASG's and LT's a copy of the AutoScalingServiceRolePolicy policy was made and named CustomAutoScalingServiceRolePolicy - and this copy policy was added to the CustomCloudFormationPowerUser role. (The AutoScalingServiceRolePolicy can not be used directly as it is a service policy).
- This means that when the the pipeline runs and it runs the CloudFormation section it will be able to create the stack and create/update ASG's.
- As a side note the stack will have this role assigned to it after creation/updates.
답변함 5년 전
