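Problem description
I run my pipeline from management, and it deploys resources to dev in the eu-west-2 and us-east-1 regions. So in my management account I have 2 artefact stores, one for eu-west-2 and one for us-east-1.
For some reason, I get this error when deploying.
Replication failed Replication of artifact 'project-source' failed: Failed replicating artifact from bucketA in eu-west-2 to BucketB in us-east-1: Invalid KMS ARN provided: "invalid arn s3".
I have triple-checked the ARN I use for pipeline_artefact_kms_key, and it appears to be correct.
Below are some snippets of my code.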
Resources:
  CodePipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      Name: "somepipeline"
      ArtifactStores:
        - Region: eu-west-2
          ArtifactStore:
            EncryptionKey:
              Type: KMS
              Id: !Sub "{{resolve:ssm:/${SSMNamespace}/${SystemSSMConfigId}/pipeline/artefact_encryption_key/arn:1}}"
            Location: !Sub "{{resolve:ssm:/${SSMNamespace}/${SystemSSMConfigId}/pipeline/build_bucket/name:1}}"
            Type: S3
        - Region: us-east-1
          ArtifactStore:
            EncryptionKey:
              Type: KMS
              Id: !Sub "{{resolve:ssm:/${SSMNamespace}/${SystemSSMConfigId}/mgmt/us-east-1/pipeline_artefact_kms_key/arn:1}}"
            Location: !Sub "{{resolve:ssm:/${SSMNamespace}/${SystemSSMConfigId}/mgmt/us-east-1/build_bucket/name:1}}"
            Type: S3
      RoleArn: !Sub "{{resolve:ssm:/${SSMNamespace}/${SystemSSMConfigId}/pipeline/pipeline_role_arn/mgmt:1}}"
      Stages:
        - Name: GetSource
          Actions:
            - Name: FetchProjectPipelineCode
              ActionTypeId:
                Category: Source
                Owner: ThirdParty
                Version: 1
                Provider: GitHub
              Configuration:
                Owner: !Sub "{{resolve:ssm:/${SSMNamespace}/${SystemSSMConfigId}/pipeline/github/organisation:1}}"
                Repo: !Sub "{{resolve:ssm:/${SSMNamespace}/${SystemSSMConfigId}/pipeline/github/repository:1}}"
                PollForSourceChanges: 'false'
                Branch:
                  Ref: BranchToBuild
                OAuthToken: !Sub "{{resolve:secretsmanager:/${SSMNamespace}/${SystemSSMConfigId}/pipeline/github/oauth_token:SecretString:token}}"
              OutputArtifacts:
                - Name: project-source
              RunOrder: 1
        - Name: DeployAuthLambdasToDev
          Actions:
            - Name: DeployLambdas-dev
              RoleArn: !Sub "{{resolve:ssm:/${SSMNamespace}/${SystemSSMConfigId}/pipeline/pipeline_role_arn/dev:1}}"
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Version: '1'
                Provider: CloudFormation
              InputArtifacts:
                - Name: project-source
              OutputArtifacts:
                - Name: lambdas_outputs_dev
              Configuration:
                ActionMode: REPLACE_ON_FAILURE
                Capabilities: CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND
                RoleArn: !Sub "{{resolve:ssm:/${SSMNamespace}/${SystemSSMConfigId}/pipeline/pipeline_role_arn/dev:1}}"
                StackName: !Sub "${UniqueId}-AuthLambdas"
                TemplatePath: project-source::aws/pipeline/us-east-1/dev/lambdas.cf.yaml
                TemplateConfiguration: project-source::aws/pipeline/service_config.json
                OutputFileName: stack_outputs.json
              Region: us-east-1
              RunOrder: 1
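Solution
Update:
I managed to solve this problem; it was related to the ARN. For some reason, SSM was not resolving it correctly. I don't know why, as I was very careful about the details, including the version number, when checking SSM!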
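
A pre-deployment check for the situation described above, as an added example that is not part of the original post: it validates the string each artifact store's EncryptionKey Id actually resolves to, per region, before the pipeline tries to replicate artifacts. The function names and sample values are constructed for illustration, and the check assumes a full key or alias ARN is required, as the `/arn` parameter names in the template imply.

```python
import re

# Shape of a KMS key or alias ARN: arn:<partition>:kms:<region>:<account>:key/<id>
KMS_ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:kms:(?P<region>[a-z0-9-]+):\d{12}:(?:key|alias)/.+$"
)


def check_key_id(value, store_region):
    """Return the problems found in one artifact store's EncryptionKey Id."""
    problems = []
    if value != value.strip():
        problems.append("leading or trailing whitespace")
        value = value.strip()
    if "{{resolve:" in value:
        return problems + ["dynamic reference was not resolved"]
    parts = value.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return problems + ["not an ARN"]
    if parts[2] != "kms":
        return problems + [f"service is '{parts[2]}', expected 'kms'"]
    match = KMS_ARN_RE.match(value)
    if match is None:
        return problems + ["malformed KMS ARN"]
    if match["region"] != store_region:
        # S3 can only encrypt with a KMS key in the bucket's own region.
        problems.append(f"key region {match['region']} != store region {store_region}")
    return problems


def check_artifact_stores(stores):
    """Map each store region to its problems; an empty dict means all passed."""
    report = {}
    for region, value in stores.items():
        problems = check_key_id(value, region)
        if problems:
            report[region] = problems
    return report


# Constructed values standing in for what the two SSM parameters resolve to.
SAMPLE_STORES = {
    "eu-west-2": "arn:aws:kms:eu-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "us-east-1": "arn:aws:s3:::bucketB",
}

if __name__ == "__main__":
    for region, problems in check_artifact_stores(SAMPLE_STORES).items():
        print(region, "->", "; ".join(problems))
```

Feed it the values read back from each SSM parameter at the pinned version, keyed by the artifact store's region.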