Skip to content
This repository has been archived by the owner on Jul 16, 2024. It is now read-only.

Is it possible to use this architecture to deploy to ECS in another account? #46

Open
Leoat12 opened this issue Jul 25, 2018 · 10 comments

Comments

@Leoat12
Copy link

Leoat12 commented Jul 25, 2018

I would like to use a similar architecture to deploy my application to ECS in another account, that way I would have the source (in my case, CodeCommit) and CodeBuild project in one account and the deployment on an ECS in another account. I found something similar in this article, but it uses CloudFormation to deploy to Lambda and since things can vary greatly from service to service, I decided to ask your opinions. Is it can be done with CodePipeline integration with ECS? If not, CloudFormation should work, right?
Thanks in advance for the help!

@joehillen
Copy link

You can. You just have to add a cross-account role as the RoleArn for the Actions like you do for Lambda, and the pipeline role needs permissions to assume that role.

@Leoat12
Copy link
Author

Leoat12 commented Jul 26, 2018

@joehillen Thank you for the answer!
You mean here, right? Like in this snippet.

- Name: Deploy
          Actions:
            - Name: Deploy
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Version: 1
                Provider: ECS
              Configuration:
                ClusterName: !Ref Cluster
                ServiceName: !Ref Service
                FileName: images.json
              InputArtifacts:
                - Name: BuildOutput
              RunOrder: 1
              RoleArn: [ROLE ARN]

On ClusterName and ServiceName I put the ARN, right? Since it is in another account.

@joehillen
Copy link

joehillen commented Jul 26, 2018

No, you can use the simple names for the ClusterName and ServiceName. I don't know if the ARNs will work, it's worth a shot.

@Leoat12
Copy link
Author

Leoat12 commented Jul 26, 2018

Okay, I will try and I will give feedback here which one works. Thanks!

@Leoat12
Copy link
Author

Leoat12 commented Jul 29, 2018

Sorry for asking one more question, but I think I'm stuck on the deploy stage. I did exactly what I said above, I added the RoleArn on the deploy stage as illustrated below:

- Name: Deploy
          Actions:
            - Name: Deploy
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Version: 1
                Provider: ECS
              Configuration:
                ClusterName: !Ref Cluster
                ServiceName: !Ref Service
                FileName: images.json
              InputArtifacts:
                - Name: BuildOutput
              RunOrder: 1
              RoleArn: !Sub arn:aws:iam::${DevAccount}:role/toolsAccountRole

The pipeline goes just fine until the deploy stage where it gives this error:
Unable to access the artifact with Amazon S3 object key 'XXXX' located in the Amazon S3 artifact bucket 'YYYY'. The provided role does not have sufficient permissions.

I think it is referring to the role the pipeline assumed describe in the snippet above, but I'm sure it has all the permissions required to access the bucket. I gave full access to S3 on the policy itself, I gave full access to this role on the Bucket Policy as well and I gave permission to the role to use the KMS key the pipeline is using to encrypt and decrypt the artifacts. Am I missing something?

Thanks again for the help!

@Leoat12
Copy link
Author

Leoat12 commented Jul 29, 2018

I was able to make it work after deleting the role I was using above and redoing it with CloudFormation (have done the previous one with the visual editor). I don't know what was the difference exactly, but it worked. Very strange... Anyway, thank you for the help so far!

@vinoth-minkasu
Copy link

May I know something detail how it worked

@99887710
Copy link

99887710 commented Nov 17, 2019

i also have a problem, like ''The cluster xxx does not exist', any idea? thanks

it seems like it doesn't assume that role correctly ???

@azarboon
Copy link

azarboon commented Apr 7, 2020

I have same issue. I get "The AWS ECS cluster ****** does not exist." even though my pipeline role has enough permissions. Any one who can provide a working sample?

@stocks29
Copy link

I had to delete the action (temporarily remove from cloudformation/cdk) and then add it back in order to work around the "cluster does not exist" issue so it would respect the account/region props I added late. Still stuck on the permission issue mentioned here.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants