I am running a CodeBuild on a project that has private requirements stored in CodeCommit. I need to add a command in buildspec.yml that loads the https git credentials so git clone works when CodeBuild runs pip install.
The build fails with fatal: could not read Username for 'https://git-codecommit.us-west-2.amazonaws.com': No such device or address
As part of this configuration, you provide IAM credentials that CodeCommit can use to authenticate you. IAM supports CodeCommit with three types of credentials: Git credentials, an IAM-generated user name and password pair you can use to communicate with CodeCommit repositories over HTTPS.
Since the CodeBuild environment uses an IAM role for credentials (not a username and password), you will need to configure the CodeCommit credential helper in your buildspec:
phases:
  install:
    commands:
      - git config --global credential.helper '!aws codecommit credential-helper $@'
      - git config --global credential.UseHttpPath true
CodeBuild now provides an easier dial for this buildspec by setting the "git-credential-helper" to yes. Documentation @ https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html#build-spec-ref-syntax
So I was looking for a method to do this as well. I figured out two ways to clone the repo without the use of assume roles. What I am gathering from your post is that you want to clone the repo via the buildspec.yml.
The first option, as mentioned in an earlier post, is to use the native function that is offered by CodeBuild. The caveat is that it's limited to the AWS account you are in (at least that's where my research has led me without using CodePipeline). I am providing a sample for you to review as well.
I will also assume that most of you have worked with AWS CodeCommit before and know how to set up users to connect to repos. If you haven't, please visit this page and get familiar with CodeCommit configurations. Links are listed below that can help you with this.
Using One AWS Account to clone Codecommit repository inside that AWS Account:
version: 0.2
env:
  git-credential-helper: yes
phases:
  install:
    commands:
      - echo "STARTING PYTHON INSTALLATION"
      # PY_VERSION must be defined as an environment variable on the build project
      - "curl -s -qL -o python.tgz https://www.python.org/ftp/python/${PY_VERSION}/Python-${PY_VERSION}.tgz"
      - "tar xf python.tgz -C /usr/bin/"
      - "python --version"
      - python -m pip install -U pip
      - pip install git-remote-codecommit
  pre_build:
    commands:
      - aws --version
      - git --version
      # Clone directories
      - echo CLONE DIRECTORIES
      - mkdir /usr/bin/repo
      - cd /usr/bin/repo
      # Leveraging git remote clone for codecommit
      - git clone codecommit://your-repo1-name new-repo1-name
  build:
    commands:
      # the clone above was made inside /usr/bin/repo
      - cd /usr/bin/repo/new-repo1-name
      # do your git commands from here
The key for this to work is to make sure certain settings are enabled.
Again, I reiterate I have only made this work within one AWS account. To date, I am not able to make this work cross-account without leveraging other AWS services. To avoid leveraging other services, I was able to put this together, which creates an AWS CodeCommit user that can use SSH. For this example, I stored my ssh private key in the parameter store as well as the ssh key ID. There are other methods I will share that can leverage S3 buckets, which I will attach, but the example below is to build the RSA and the config on the fly.
The SSH method to connect to a different AWS account Codecommit repository
version: 0.2
env:
  parameter-store:
    ssh_key: variable_ssh_key
    cc_user: variable_codecommit_user
  git-credential-helper: yes
phases:
  install:
    commands:
      - echo UPDATING SSH CLIENT
      - "which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )"
      - echo "STARTING PYTHON INSTALLATION"
      - "curl -s -qL -o python.tgz https://www.python.org/ftp/python/${PY_VERSION}/Python-${PY_VERSION}.tgz"
      - "tar xf python.tgz -C /usr/bin/"
      - "python --version"
      - python -m pip install -U pip
  pre_build:
    commands:
      - aws --version
      - git --version
      # Adds a private SSH key to allow us to clone or npm install Git repositories
      - eval $(ssh-agent -s)
      - mkdir -p ~/.ssh
      # Configure SSH Key
      #- ssh-keygen -t rsa -N '' -f ~/.ssh/id_rsa <<< y  # generate a new ssh key on demand
      - echo "$ssh_key" > ~/.ssh/id_rsa
      - cd ~/.ssh/
      # Never print id_rsa here: everything a command outputs is stored in the build log
      - |
        echo "Multiline command"
        cat > ~/.ssh/config <<EOL
        Host host-unique-name
          Hostname git-codecommit.us-east-1.amazonaws.com
          User ${cc_user}
          IdentityFile ~/.ssh/id_rsa
        EOL
      - cat ~/.ssh/config
      # Configure SSH Permissions
      - chmod 700 ~/.ssh
      - chmod 600 ~/.ssh/config
      - chmod 600 ~/.ssh/id_rsa
      # rsa1 (SSH protocol 1) is rejected by current OpenSSH, so only rsa is requested;
      # compare the scanned key with the fingerprint AWS publishes for this endpoint
      - ssh-keyscan -t rsa git-codecommit.us-east-1.amazonaws.com >> ~/.ssh/known_hosts
      # Clone directories
      - echo CLONE DIRECTORIES
      - mkdir /usr/bin/repo
      - cd /usr/bin/repo
      # leveraging typical git clone
      - git clone ssh://host-unique-name/v1/repos/your-repo1-name
  build:
    commands:
      # the clone above was made inside /usr/bin/repo under the repository's own name
      - cd /usr/bin/repo/your-repo1-name
      # do your git commands from here
As you can see this will create the ssh key and allow Codebuild to clone the repositories locally. Please note I am adding a link for a similar example that uses S3 to download the RSA_ID.
Sample SSH clone S3 Bucket: https://gist.github.com/gemmadlou/36deec54dea3defbdd8cbd6574e0261d
The key for this to work is to make sure certain settings are enabled.
Env Phase
Install Phase
pre_build:
Here are additional links to reference for items that helped me put this together:
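The SSH buildspec above appends whatever key ssh-keyscan returns to known_hosts. As an added example (not code from the answer or from AWS), this Python sketch keeps a scanned line only when its SHA256 fingerprint equals a value pinned in advance from the server fingerprints AWS publishes for CodeCommit. The function names, the sample key blob and the pinned value are constructed for illustration.

```python
import base64
import hashlib
import hmac

HOST = "git-codecommit.us-east-1.amazonaws.com"
# Constructed stand-in for a host key blob; not a real CodeCommit key.
SAMPLE_KEY = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed-demo-key").decode()


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint as OpenSSH prints it: unpadded base64 of the digest."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pinned_lines(keyscan_output: str, host: str, pinned_fp: str) -> list:
    """Return only the known_hosts lines for `host` whose key matches `pinned_fp`."""
    accepted = []
    for line in keyscan_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#") or parts[0] != host:
            continue
        try:
            fp = fingerprint(parts[2])
        except ValueError:  # malformed base64 in the key field
            continue
        if hmac.compare_digest(fp, pinned_fp):
            accepted.append(" ".join(parts[:3]))
    if not accepted:
        raise ValueError(f"no key for {host} matches the pinned fingerprint")
    return accepted


if __name__ == "__main__":
    # In a build, pinned_fp is a reviewed constant and the scan comes from ssh-keyscan.
    pinned_fp = fingerprint(SAMPLE_KEY)  # placeholder for the published value
    scan = f"# {HOST}:22 SSH-2.0-constructed\n{HOST} ssh-rsa {SAMPLE_KEY}\n"
    print("\n".join(pinned_lines(scan, HOST, pinned_fp)))
```

Only the lines the function returns would be written to ~/.ssh/known_hosts; a ValueError should fail the build before any clone runs.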