- 最新
- 投票最多
- 评论最多
Hello!
If all the pipelines are in the same account, then you can re-use the same pipeline role for all of them, no problem!
Matthew
Edit: You can also re-use the artifact bucket as well :)
Edited by: mattsainsaws on Feb 19, 2019 2:44 PM
The security folks would like us NOT to reuse roles and have separation of security for each project. Just wonder is that really what dev shops are doing?
Well, you can create separate roles for each pipeline too, if you prefer. I would recommend using CloudFormation if you have that number of pipelines because it would be quite arduous to create them all manually.
Personally I would create a new role per pipeline that has just enough permissions to do what it needs. Although pipelines tend to have quite broad permissions in general so it's important to make sure only the codepipeline principal can assume them.
I spoke to a colleague who speaks to a lot of CodePipeline customers, and he said that enterprise customers tend to have an automated process for creating pipelines (eg., CloudFormation or some custom tool) and that process creates a separate pipeline role (and sometimes even account) for that pipeline. Hopefully that gives you some ideas on how to create lots of pipelines in a secure way.
