48 lines
1.8 KiB
Markdown
48 lines
1.8 KiB
Markdown
---
|
||
title: "Cross-account ECS Deploy Runner Role"
|
||
type: entity
|
||
entity_type: product
|
||
tags:
|
||
- Terraform
|
||
- IAM
|
||
- ECS
|
||
- Deployment
|
||
- AWS
|
||
sources:
|
||
- ctp-topic-16-cross-account-terraform-modules.md
|
||
last_updated: 2026-05-15
|
||
---
|
||
|
||
## Overview
|
||
|
||
Cross-account ECS Deploy Runner Role 是部署在目标 AWS 账号中的一种 IAM 角色,允许 Shared Account 的 ECS Deploy Runner 通过 Assume Role 获取在该账号内执行 Terraform 资源部署的权限。
|
||
|
||
## Purpose
|
||
|
||
这是跨账号 Terraform 部署的第二个核心角色(与 [[TF-State-Bucket-Accessor]] 并列),专门用于**执行**资源创建/更新操作,而非读取状态文件。
|
||
|
||
## Permission Model
|
||
|
||
| 角色 | 用途 | 托管位置 |
|
||
|------|------|---------|
|
||
| [[TF-State-Bucket-Accessor]] | 读取/写入 Terraform 状态文件 | 目标账号 |
|
||
| **Cross-account ECS Deploy Runner Role** | 执行资源部署(plan/apply) | 目标账号 |
|
||
|
||
两个角色各司其职,严格遵循最小权限原则。
|
||
|
||
## Relationship with cross-account.json
|
||
|
||
`cross-account.json` 是部署在模块目录中的**标记文件**(约定俗成),用于告知 Jenkins 该模块需要跨账号部署,从而触发对 [[ECS-Deploy-Runner]] 的调用,EDR 再通过该角色获取目标账号的部署权限。
|
||
|
||
## Relationships
|
||
|
||
- [[ECS-Deploy-Runner]] ← assumes ← [[Cross-account-ECS-Deploy-Runner-Role]]
|
||
- [[TF-State-Bucket-Accessor]] ← sibling_role ← [[Cross-account-ECS-Deploy-Runner-Role]]
|
||
- [[cross-account.json]] ← triggers ← [[Cross-account-ECS-Deploy-Runner-Role]]
|
||
|
||
## Related Concepts
|
||
|
||
- [[Assume-Role]]:跨账号身份切换的核心机制
|
||
- [[Blast-Radius]]:最小权限角色设计限制了安全影响范围
|
||
- [[Cross-account-Terraform-Modules]]:该角色是跨账号 Terraform 部署方案的核心组件
|