Created
February 27, 2021 15:04
AWS Support + CrossAccount CodeCommit Https Git Credentials in CodeBuild Project
I am attempting to install packages for NodeJS that reference a CodeCommit repository that resides in a different AWS account belonging to a different AWS Organization.

I am receiving the error "unable to access":

===========================
npm ERR! Error while executing:
npm ERR! /usr/bin/git ls-remote -h -t https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my_package
npm ERR!
npm ERR! fatal: unable to access 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my_package/ ': The requested URL returned error: 403
===========================

I have access to both root accounts and have technical business support for both.

[Account A]==================
AccountName: MyApplication
AccountId: 123456789012

In this account I have a CodeBuild project that is provisioned by a CloudFormation template:
my_application/83e528f0-78a8-11eb-a553-126bf0867249

I have a CodeBuild IAM Role:
arn:aws:iam::123456789012:role/CodeBuildRole-1DS22LL51E1O3

This role has an inline policy to allow the CodeBuild project to assume a cross-account role, which in turn grants access to the CodeCommit repo in the other account.

[Inline Policy]--------------------------
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "arn:aws:iam::101010110101:role/CrossAccountRole-D5JOGALPCNCR",
      "Effect": "Allow"
    }
  ]
}
```
--------------------------

Within my buildspec I have applied this option, which should automatically allow a CodeBuild project with permissions to pull a CodeCommit repo with an https reference.

[buildspec.yaml]-------------------
```yaml
env:
  git-credential-helper: yes
```
--------------------------------------

This is the dependency in question that I am referencing in my package.json:

[package.json]-------------------
```json
"my_package": "git+https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my_package#semver:1.3.3",
```
------------------------------------

I am able to pull this repo on my local development machine with HTTPS Git Credentials without issue.

[Account B]==================
AccountName: MyPackage
AccountId: 101010110101

This is the account where the other CodeCommit repository (my_package) resides.

This is its clone URL:
https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my_package

I have created a Cross Account Role via this CloudFormation template:
arn:aws:cloudformation:us-east-1:101010110101:stack/mypackage/3a422c70-78ae-11eb-90ee-12136ee127ab

To debug it I told it to just have access to everything in CodeCommit.

-------------------------------
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "codecommit:*"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "codecommit:GetBranch",
        "codecommit:GetCommit",
        "codecommit:UploadArchive",
        "codecommit:GetUploadArchiveStatus",
        "codecommit:CancelUploadArchive",
        "codecommit:GetRepository",
        "codecommit:GitPull",
        "codecommit:GetFolder"
      ],
      "Resource": [
        "arn:aws:codecommit:us-east-1:101010110101:my_package"
      ],
      "Effect": "Allow"
    }
  ]
}
```
---------------------------

I edited the Trust Relationship to include the Role from Account A so it has permission to assume the role:

--------------------------
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/CodeBuildRole-1DS22LL51E1O3"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
-------------------------------------
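The setup above grants Account A's CodeBuild role permission to assume the cross-account role, but `git-credential-helper: yes` makes CodeBuild sign git requests with the build project's own role, and Account B's repository only trusts the assumed role. The following is an added example, not from the gist or from AWS, of the shape of buildspec commands that close that gap: assume the cross-account role, export the resulting temporary credentials (the session token included), and route git through the AWS CLI's CodeCommit credential helper so that it signs with those credentials. The role and account values are the ones quoted in the ticket; the sample STS response in the test is constructed, the `RUN_LIVE` guard and the session name `codebuild-npm` are assumptions. With this in place the scoped second statement of the cross-account policy (GitPull and friends on the `my_package` ARN) is sufficient and the debugging `codecommit:*` on `*` can be dropped.

```shell
#!/bin/sh
# Added example (not from the gist): let a CodeBuild project in Account A
# (123456789012) fetch my_package from Account B (101010110101) over HTTPS
# by assuming the cross-account role and feeding its temporary credentials
# to the AWS CLI's `aws codecommit credential-helper`.
set -eu

# Values quoted in the ticket.
CROSS_ACCOUNT_ROLE_ARN='arn:aws:iam::101010110101:role/CrossAccountRole-D5JOGALPCNCR'
CODECOMMIT_HOST='https://git-codecommit.us-east-1.amazonaws.com'

# Take the JSON that `aws sts assume-role` prints as $1 and export the three
# temporary credentials. The JSON is passed as an argument rather than piped
# so the exports land in the calling shell, not in a pipeline subshell.
# Parsing uses only tr/sed so it works in a minimal build image without jq;
# each key occurs once in the response, so a greedy match on the flattened
# document is unambiguous.
export_assumed_role_credentials() {
  json=$(printf '%s' "$1" | tr -d '\n')
  key=$(printf '%s' "$json" | sed -n 's/.*"AccessKeyId": *"\([^"]*\)".*/\1/p')
  secret=$(printf '%s' "$json" | sed -n 's/.*"SecretAccessKey": *"\([^"]*\)".*/\1/p')
  token=$(printf '%s' "$json" | sed -n 's/.*"SessionToken": *"\([^"]*\)".*/\1/p')
  # Refuse a partial credential set: without the session token the helper
  # would sign with the project role again and reproduce the 403.
  [ -n "$key" ] && [ -n "$secret" ] && [ -n "$token" ] || return 1
  AWS_ACCESS_KEY_ID=$key
  AWS_SECRET_ACCESS_KEY=$secret
  AWS_SESSION_TOKEN=$token
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Write a git config (path in $1) that sends every request to the CodeCommit
# endpoint through the AWS CLI credential helper, which signs with whatever
# credentials are in the environment. UseHttpPath keeps the repository path
# in the signature, which CodeCommit requires. Scoping the helper to the
# CodeCommit host keeps it away from any other git remotes in the build.
write_codecommit_git_config() {
  cfg=$1
  cat > "$cfg" <<EOF
[credential "$CODECOMMIT_HOST"]
    helper = !aws codecommit credential-helper \$@
    UseHttpPath = true
EOF
}

# In a real buildspec these three steps replace `git-credential-helper: yes`.
# The live STS call is gated behind RUN_LIVE (assumed name) so the file can
# also be run where no AWS credentials exist.
if [ "${RUN_LIVE:-0}" = 1 ]; then
  export_assumed_role_credentials "$(aws sts assume-role \
      --role-arn "$CROSS_ACCOUNT_ROLE_ARN" \
      --role-session-name codebuild-npm)"
  write_codecommit_git_config "$HOME/.gitconfig"
  npm install
fi
```

Note that the assumed-role credentials expire (one hour by default), so they are obtained inside the build rather than stored in the project; and because `git ls-remote` is what npm runs first, a 403 at that step is the signature being rejected by Account B, not a missing repository.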