Getting Started with AWS CodeCommit

As mentioned in a previous post, we use SSO through Google to access our AWS account. Now that we want to start using AWS CodeCommit, we have a few extra hoops to jump through.

AWS CodeCommit is a source code storage and version-control service from AWS. CodeCommit was designed to help teams collaborate on software-based solutions, enabling the first step of continuous integration.

CREATING YOUR FIRST REPOSITORY

To get started we need to create a repository. For each project that you are developing, you will need at least one repository. The number of required repositories and structure of them is well beyond the scope of this post, so let’s get started by creating our repository.

$ aws codecommit create-repository --repository-name codecommit-demo
{
    "repositoryMetadata": {
        "accountId": "12345678",
        "repositoryId": "ee0333f9-836d-4faf-a644-ffc48613cb7a",
        "repositoryName": "codecommit-demo",
        "lastModifiedDate": 1551648861.6,
        "creationDate": 1551648861.6,
        "cloneUrlHttp": "https://git-codecommit.ap-southeast-2.amazonaws.com/v1/repos/codecommit-demo",
        "cloneUrlSsh": "ssh://git-codecommit.ap-southeast-2.amazonaws.com/v1/repos/codecommit-demo",
        "Arn": "arn:aws:codecommit:ap-southeast-2:12345678:codecommit-demo"
    }
}

Easy, right!? As simple as any other AWS service, but now is when things start to get a little more complex.

If you are used to services such as Bitbucket, GitHub or GitLab, you would simply use your git client to authenticate against the exposed endpoint with your SSH or HTTPS credentials.

Let’s grab the URLs from above and see how we go.

With HTTPS access we are prompted for a username and password – currently we don’t have either.

$ git clone https://git-codecommit.ap-southeast-2.amazonaws.com/v1/repos/codecommit-demo
Cloning into 'codecommit-demo'...
Username for 'https://git-codecommit.ap-southeast-2.amazonaws.com': 
Password for 'https://git-codecommit.ap-southeast-2.amazonaws.com': 
fatal: Authentication failed for 'https://git-codecommit.ap-southeast-2.amazonaws.com/v1/repos/codecommit-demo/'

Maybe SSH access is better, but none of our keys are set up and ready to go.

$ git clone ssh://git-codecommit.ap-southeast-2.amazonaws.com/v1/repos/codecommit-demo
Cloning into 'codecommit-demo'...
AKIAIYVSGWVFTUUK4APQ@git-codecommit.ap-southeast-2.amazonaws.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Both HTTPS and SSH access can be set up. For HTTPS, the setup requires you to be using IAM access to AWS, which in this case we are not.

And it seems that SSH access setup also requires IAM.

But we don’t have either. We authenticate to our AWS accounts through a federated identity provider using Google Apps identities. With this authentication method we only get temporary access to tokens generated by STS.

So how do we authenticate to this repository? And will it integrate with all of my existing git development tools?

USING THE CREDENTIAL-HELPER

As you would hope, there is a way for us to authenticate without needing to create dedicated IAM users just for our CodeCommit access.

Git supports extending the default toolkit through numerous extension points. In this case we can use credential.helper to add support for generating git credentials on demand.

Given we already have the AWS CLI set up, we simply need to configure the helper as below:

git config --global credential.helper '!aws codecommit credential-helper $@'
git config --global credential.UseHttpPath true

This will invoke the aws codecommit credential-helper function before attempting to authenticate against the CodeCommit endpoint.

This time, when we attempt to authenticate using HTTPS you will see it succeed.

$ git clone https://git-codecommit.ap-southeast-2.amazonaws.com/v1/repos/codecommit-demo
Cloning into 'codecommit-demo'...
warning: You appear to have cloned an empty repository.

Important to note: this authentication method requires you to be authenticated against the relevant AWS account for the command to succeed, and we need to use the HTTPS connection scheme.

Once the credential helper has been set up, you can use all of your standard Git tools without change to your workflow.

If for any reason you need to remove the credential.helper, you can access the full global config with the --edit flag.

$ git config --global --edit

[user]
        name = User Name
        email = user@example.com
[core]
        autocrlf = input

[credential]
        helper = !aws codecommit credential-helper $@
        UseHttpPath = true

Remove the [credential] section and save the file to remove the credential.helper settings.
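
As an added example (not part of the original post): the same helper scoped to the CodeCommit host from the clone URL above instead of being set for every remote, with a check of which helper git selects per URL and a removal that does not need a manual edit. It works on a scratch config file rather than ~/.gitconfig; the function names and the github.com URL are illustrative assumptions.

```shell
#!/bin/sh
# Added example: scope the CodeCommit credential helper to one host instead of
# enabling it for every remote. Uses a scratch config file, not ~/.gitconfig.

# Host taken from the clone URL shown on this page.
CC_URL='https://git-codecommit.ap-southeast-2.amazonaws.com'
CC_HELPER='!aws codecommit credential-helper $@'

# Write the helper and UseHttpPath under credential.<url>.* in config file $1.
scope_helper() {
    git config --file "$1" "credential.$CC_URL.helper" "$CC_HELPER"
    git config --file "$1" "credential.$CC_URL.UseHttpPath" true
}

# Print the helper git would select for remote URL $2 (empty when none applies).
helper_for() {
    git config --file "$1" --get-urlmatch credential.helper "$2" || true
}

# Remove only the scoped section, leaving the rest of the file untouched.
unscope_helper() {
    git config --file "$1" --remove-section "credential.$CC_URL"
}

demo() {
    cfg=$(mktemp)
    scope_helper "$cfg"
    echo "codecommit: $(helper_for "$cfg" "$CC_URL/v1/repos/codecommit-demo")"
    # Constructed non-CodeCommit remote: no helper should be selected for it.
    echo "other host: $(helper_for "$cfg" https://github.com/example/repo.git)"
    unscope_helper "$cfg"
    echo "after removal: $(helper_for "$cfg" "$CC_URL/v1/repos/codecommit-demo")"
    rm -f "$cfg"
}
demo
```

To apply this to your real configuration, replace `--file "$1"` with `--global` in the three functions.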

By using the credential.helper you can now securely start using AWS CodeCommit to store and manage your source code, happy in knowing that your access is secured using your SSO sign-on to your AWS account.