nexus/wiki/entities/TF-State-Bucket-Accessor.md at b40abbcd473a7093d8261e212e3d6de97c1e516a

ishenwei/nexus

Fork 0

Files

weishen c961c6a394 Auto-sync: update nexus workspace

2026-04-29 15:44:42 +08:00

1.7 KiB

Raw Blame History

title, type, entity_type, tags, sources, last_updated

title

type

entity_type

Overview

TF State Bucket Accessor 是部署在目标 AWS 账号中的一种专门 IAM 角色，仅允许部署工具（ECS Deploy Runner）访问存储在该账号 S3 桶中的 Terraform 状态文件。

Purpose

Terraform 通过状态文件（state file）追踪基础设施的实际部署状态。在跨账号场景中：

状态文件位置：存储在目标 Workload 账号的 S3 桶中
访问控制问题：Shared Account 的 ECS Deploy Runner 需要读取这些状态文件，但直接赋予 S3 访问权限存在安全风险
解决方案：创建专门的 IAM 角色，仅允许特定的部署执行器 Assume 该角色

IAM Policy Design

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<SharedAccount>:role/ecs-deploy-runner-execution-role"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::<target-account>-terraform-state/*"
    }
  ]
}

Relationships

ECS-Deploy-Runner ← reads_state ← TF-State-Bucket-Accessor
Cross-account-ECS-Deploy-Runner-Role ← sibling_role ← TF-State-Bucket-Accessor
TerraformState ← protected_by ← TF-State-Bucket-Accessor

TerraformState：状态文件管理是 IaC 的核心问题
Assume-Role：EDR 通过 Assume Role 获取该角色的临时凭证
Blast-Radius：专门角色限制了凭证泄露时的爆炸半径

1.7 KiB Raw Blame History Unescape Escape

Overview

Purpose

IAM Policy Design

Relationships

Related Concepts

1.7 KiB

Raw Blame History