Is it possible to use this architecture to deploy to ECS in another account? #46
Comments
You can. You just have to add a cross-account role as the RoleArn for the Actions like you do for Lambda, and the pipeline role needs permissions to assume that role.
@joehillen Thank you for the answer!

```yaml
- Name: Deploy
  Actions:
    - Name: Deploy
      ActionTypeId:
        Category: Deploy
        Owner: AWS
        Version: 1
        Provider: ECS
      Configuration:
        ClusterName: !Ref Cluster
        ServiceName: !Ref Service
        FileName: images.json
      InputArtifacts:
        - Name: BuildOutput
      RunOrder: 1
      RoleArn: [ROLE ARN]
```

On ClusterName and ServiceName I put the ARN, right? Since it is in another account.
No, you can use the simple names for the
Okay, I will try and I will give feedback here which one works. Thanks!
Sorry for asking one more question, but I think I'm stuck on the deploy stage. I did exactly what I said above, I added the RoleArn on the deploy stage as illustrated below:

```yaml
- Name: Deploy
  Actions:
    - Name: Deploy
      ActionTypeId:
        Category: Deploy
        Owner: AWS
        Version: 1
        Provider: ECS
      Configuration:
        ClusterName: !Ref Cluster
        ServiceName: !Ref Service
        FileName: images.json
      InputArtifacts:
        - Name: BuildOutput
      RunOrder: 1
      RoleArn: !Sub arn:aws:iam::${DevAccount}:role/toolsAccountRole
```

The pipeline goes just fine until the deploy stage where it gives this error: I think it is referring to the role the pipeline assumed, described in the snippet above, but I'm sure it has all the permissions required to access the bucket. I gave full access to S3 on the policy itself, I gave full access to this role on the Bucket Policy as well and I gave permission to the role to use the KMS key the pipeline is using to encrypt and decrypt the artifacts. Am I missing something? Thanks again for the help!
I was able to make it work after deleting the role I was using above and redoing it with CloudFormation (I had done the previous one with the visual editor). I don't know what the difference was exactly, but it worked. Very strange... Anyway, thank you for the help so far!
May I know in some detail how it worked?
I also have a problem, like 'The cluster xxx does not exist'. Any idea? Thanks. It seems like it doesn't assume that role correctly?
I have the same issue. I get "The AWS ECS cluster ****** does not exist." even though my pipeline role has enough permissions. Anyone who can provide a working sample?
I had to delete the action (temporarily remove from cloudformation/cdk) and then add it back in order to work around the "cluster does not exist" issue so it would respect the account/region props I added late. Still stuck on the permission issue mentioned here.
I would like to use a similar architecture to deploy my application to ECS in another account, that way I would have the source (in my case, CodeCommit) and CodeBuild project in one account and the deployment on an ECS in another account. I found something similar in this article, but it uses CloudFormation to deploy to Lambda and since things can vary greatly from service to service, I decided to ask your opinions. Can it be done with the CodePipeline integration with ECS? If not, CloudFormation should work, right?
Thanks in advance for the help!
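
The cross-account role discussed in this thread, sketched as a CloudFormation template for the account that hosts the ECS cluster. This is an added example, not code from the thread participants or the project; the parameter names, policy name and statement IDs are assumptions, and only the role name `toolsAccountRole` comes from the snippet above.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  ToolsAccountId: {Type: String}      # assumed name: account that owns the pipeline
  ArtifactBucketName: {Type: String}  # assumed name: pipeline artifact bucket
  ArtifactKmsKeyArn: {Type: String}   # assumed name: KMS key encrypting the artifacts
Resources:
  ToolsAccountRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: toolsAccountRole      # the role referenced by RoleArn in the Deploy action
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:                # narrow to the pipeline role ARN where possible
              AWS: !Sub arn:aws:iam::${ToolsAccountId}:root
            Action: sts:AssumeRole
      Policies:
        - PolicyName: EcsDeployFromPipeline
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: ReadArtifacts    # read images.json from the BuildOutput artifact
                Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:GetObjectVersion
                Resource: !Sub arn:aws:s3:::${ArtifactBucketName}/*
              - Sid: DecryptArtifacts
                Effect: Allow
                Action:
                  - kms:Decrypt
                  - kms:DescribeKey
                Resource: !Ref ArtifactKmsKeyArn
              - Sid: UpdateEcsService # scope down where resource-level permissions exist
                Effect: Allow
                Action:
                  - ecs:DescribeServices
                  - ecs:DescribeTaskDefinition
                  - ecs:DescribeTasks
                  - ecs:ListTasks
                  - ecs:RegisterTaskDefinition
                  - ecs:UpdateService
                Resource: "*"
              - Sid: PassTaskRoles    # restrict Resource to the task role ARNs if known
                Effect: Allow
                Action: iam:PassRole
                Resource: "*"
                Condition: {StringEquals: {"iam:PassedToService": ecs-tasks.amazonaws.com}}
```

On the pipeline account side, the pipeline role still needs `sts:AssumeRole` on this role, and the artifact bucket policy and KMS key policy must grant this role access, as described in the comments above.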