AWS CodePipeline error when attempting a cross-region deployment

Problem description

I have an AWS management account and a dev account.

I run my pipeline from the management account, and it deploys resources into dev in the eu-west-2 and us-east-1 regions. So in my management account I have 2 artifact stores, one for eu-west-2 and one for us-east-1.

For some reason, I get this error when deploying:

Replication failed. Replication of artifact 'project-source' failed: Failed to copy artifact from bucketA in eu-west-2 to BucketB in us-east-1: The KMS ARN provided is invalid: 'invalid arn s3'.

I have triple-checked the ARN I use for pipeline_artefact_kms_key, and it appears to be correct.

Below are some snippets of my code.

Resources:
  CodePipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      Name: "somepipeline"
      # One artifact store per region the pipeline deploys into; each has its own
      # regional KMS key and S3 bucket, both resolved from SSM at deploy time.
      ArtifactStores:
        - Region: eu-west-2
          ArtifactStore:
            EncryptionKey:
              Type: KMS
              Id: !Sub "{{resolve:ssm:/${SSMNamespace}/${SystemSSMConfigId}/pipeline/artefact_encryption_key/arn:1}}"
            Location: !Sub "{{resolve:ssm:/${SSMNamespace}/${SystemSSMConfigId}/pipeline/build_bucket/name:1}}"
            Type: S3
        - Region: us-east-1
          ArtifactStore:
            EncryptionKey:
              Type: KMS
              Id: !Sub "{{resolve:ssm:/${SSMNamespace}/${SystemSSMConfigId}/mgmt/us-east-1/pipeline_artefact_kms_key/arn:1}}"
            Location: !Sub "{{resolve:ssm:/${SSMNamespace}/${SystemSSMConfigId}/mgmt/us-east-1/build_bucket/name:1}}"
            Type: S3
      RoleArn: !Sub "{{resolve:ssm:/${SSMNamespace}/${SystemSSMConfigId}/pipeline/pipeline_role_arn/mgmt:1}}"
      Stages:
        - Name: GetSource
          Actions:
            - Name: FetchProjectPipelineCode
              ActionTypeId:
                Category: Source
                Owner: ThirdParty
                Version: 1
                Provider: GitHub
              Configuration:
                Owner: !Sub "{{resolve:ssm:/${SSMNamespace}/${SystemSSMConfigId}/pipeline/github/organisation:1}}"
                Repo: !Sub "{{resolve:ssm:/${SSMNamespace}/${SystemSSMConfigId}/pipeline/github/repository:1}}"
                PollForSourceChanges: 'false'
                Branch:
                  Ref: BranchToBuild
                OAuthToken: !Sub "{{resolve:secretsmanager:/${SSMNamespace}/${SystemSSMConfigId}/pipeline/github/oauth_token:SecretString:token}}"
              OutputArtifacts:
                - Name: project-source
              RunOrder: 1   # CloudFormation property name is RunOrder (case-sensitive)
        - Name: DeployAuthLambdasToDev
          Actions:
            - Name: DeployLambdas-dev
              RoleArn: !Sub "{{resolve:ssm:/${SSMNamespace}/${SystemSSMConfigId}/pipeline/pipeline_role_arn/dev:1}}"
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Version: '1'
                Provider: CloudFormation
              InputArtifacts:
                - Name: project-source
              OutputArtifacts:
                - Name: lambdas_outputs_dev
              Configuration:
                ActionMode: REPLACE_ON_FAILURE
                Capabilities: CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND
                RoleArn: !Sub "{{resolve:ssm:/${SSMNamespace}/${SystemSSMConfigId}/pipeline/pipeline_role_arn/dev:1}}"
                StackName: !Sub "${UniqueId}-AuthLambdas"
                TemplatePath: project-source::aws/pipeline/us-east-1/dev/lambdas.cf.yaml
                TemplateConfiguration: project-source::aws/pipeline/service_config.json
                OutputFileName: stack_outputs.json
              Region: us-east-1
              RunOrder: 1   # CloudFormation property name is RunOrder (case-sensitive)

Solution

Update:

I managed to solve this, and it was related to the ARN. For some reason SSM was not resolving it correctly. I don't know why; when checking SSM, pay very close attention to the details, including the version number!
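A small pre-deploy check for the two failure modes described above (an SSM dynamic reference resolving to something other than a KMS key ARN for the artifact store's region, and a reference pinned to a stale parameter version). This is an added example, not code from the question; the parameter names, account id, key id and bucket names are constructed, and it assumes single-region KMS keys, so the key's region must equal the artifact store's region.

```python
from __future__ import annotations
import re

# A KMS key ARN: arn:<partition>:kms:<region>:<account>:key/<uuid> (or alias/<name>).
KMS_KEY_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"(key/[0-9a-f-]{36}|alias/[\w/-]+)$"
)
# A pinned SSM dynamic reference as used in the template: {{resolve:ssm:<name>:<version>}}
SSM_REF = re.compile(r"\{\{resolve:ssm:(?P<name>[^:}]+):(?P<version>\d+)\}\}")


def check_artifact_stores(stores: dict[str, dict[str, str]]) -> list[str]:
    """Validate resolved ArtifactStores values keyed by region; return a list of findings.

    Each value is {"kms_arn": <EncryptionKey.Id>, "bucket": <Location>} after SSM
    resolution. Assumes single-region keys: the key region must equal the store region.
    """
    findings: list[str] = []
    for region, store in stores.items():
        arn, bucket = store.get("kms_arn", ""), store.get("bucket", "")
        if "{{resolve:" in arn or "{{resolve:" in bucket:
            findings.append(f"{region}: dynamic reference was not resolved")
            continue
        match = KMS_KEY_ARN.match(arn)
        if match is None:
            findings.append(f"{region}: EncryptionKey.Id is not a KMS key ARN: {arn!r}")
        elif match.group("region") != region:
            findings.append(f"{region}: KMS key is in {match.group('region')}, not {region}")
        if bucket.startswith("arn:"):
            findings.append(f"{region}: Location must be a bucket name, not an ARN: {bucket!r}")
    return findings


def pinned_ssm_versions(template_text: str) -> dict[str, int]:
    """Map every SSM parameter referenced in the template to the version it pins."""
    return {m.group("name"): int(m.group("version")) for m in SSM_REF.finditer(template_text)}


# Constructed sample: eu-west-2 resolved correctly; us-east-1 resolved to the bucket's
# S3 ARN, the kind of value that yields "The KMS ARN provided is invalid".
SAMPLE_STORES = {
    "eu-west-2": {"kms_arn": "arn:aws:kms:eu-west-2:111111111111:key/0f7e1a2b-3c4d-4e5f-8a9b-0c1d2e3f4a5b",
                  "bucket": "mgmt-build-eu-west-2"},
    "us-east-1": {"kms_arn": "arn:aws:s3:::mgmt-build-us-east-1",
                  "bucket": "mgmt-build-us-east-1"},
}
SAMPLE_TEMPLATE = (  # constructed snippet in the same dynamic-reference style as the template
    'Id: "{{resolve:ssm:/ns/cfg/mgmt/us-east-1/pipeline_artefact_kms_key/arn:1}}"\n'
    'Location: "{{resolve:ssm:/ns/cfg/mgmt/us-east-1/build_bucket/name:1}}"\n'
)

if __name__ == "__main__":
    print("\n".join(check_artifact_stores(SAMPLE_STORES)))
    print(pinned_ssm_versions(SAMPLE_TEMPLATE))
```

Compare the versions reported by pinned_ssm_versions with the latest version of each parameter in SSM; a reference pinned to an older version keeps deploying the old value even after the parameter is corrected.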