Anton Poriadin
Posted on October 23, 2023
Table of contents
Introduction
In this two-part series, I will show you how to access an AWS CodeCommit repository using git-remote-codecommit. The first part focuses on accessing a repository from the same account, while the second covers accessing a repository from a different account.
While working on a project, I came across a situation where a client was using SSH keys to interact with CodeCommit on their EC2 server. In my opinion, this approach is not secure, as there is a risk of the key being leaked, and it is difficult to keep track of who has access to it. I believe a more secure and transparent approach should be adopted to ensure better security.
My client might be one of many using this method to interact with CodeCommit. Therefore, I wrote a tutorial to help others secure their repository interactions.
CodeCommit Access from EC2
In order to complete this tutorial, we will need to create a few resources: an IAM role, a CodeCommit repository, and an EC2 instance. It's important to note that these resources should all be created within the same AWS account. Additionally, after completing the tutorial, it's recommended to delete these resources to avoid unnecessary AWS charges.
Step 1: Create an IAM role
To get started, we need to create a role. Go to IAM Roles and click Create role. Under the Trusted entity type section, select AWS Service. Since we'll be using EC2, select it as a use case.
The next screen will require us to add a policy. We need to select AWSCodeCommitFullAccess for demo purposes as we want to commit a file. However, on a real server, choosing AWSCodeCommitReadonly or even a stricter role is recommended to stick to the principle of least privilege.
To keep things simple, name the role account_a_ec2_role. Scroll down and click Create Role.
Perfect! This is all we need for this role. Now, let's move on to the next step.
Step 2: Create a CodeCommit repository
To keep things simple for the demo, I have created a repository named repository, which perfectly describes its purpose.
After creating the repository, you'll see a screen with various connection options. We will be using the third option, which is HTTPS (GRC). According to AWS, this is the recommended method for supporting connections made with federated access, identity providers, and temporary credentials.
That's all for this step. We can move on to the next one.
Step 3: Create an EC2 instance
Let's move on to the next step, which is the most interesting one. We need to create an EC2 instance and name it account_a_instance. We just want to keep the naming simple. We'll go with Amazon Linux 2023, which works great for us.
Regarding hardware, we'll select the latest toys and choose an arm-based image. For our demo, t4g.nano is more than enough. This time, we'll proceed without a keypair.
Now, let's expand the advanced details tab and select the IAM instance profile we created earlier.
To make sure we have all the necessary tools, we'll install them with the User Data script. Here is the script we'll use:
#!/bin/bash
dnf install git -y
curl -O https://bootstrap.pypa.io/get-pip.py
python3 get-pip.py
pip install git-remote-codecommit
Let me explain what we'll do here:
- First, we'll install git as we can't interact with our repository without it.
- We need to download PIP, which is a package manager for Python packages.
- After downloading, we'll install PIP.
- Finally, we'll install "git-remote-codecommit" using pip.
That's all we need to do. Let's wait for a moment while AWS creates an instance for us.
Step 4: Connect to the instance and commit a file
When the instance is ready, let's continue. To connect through the console, switch to the EC2 console, where you see something like the image below.
Select the instance and click the Connect button located at the top right section with buttons. Then click Connect again on the next screen.
You will see something like the image below once you have successfully connected to the instance.
As the first step, let's check out the repository. Open the tab with the repository if it's still open, or go to CodeCommit and select our repository. You basically need to copy a command from the bottom of the HTTPS (GRC) tab.
An example command from my console would look like this:
git clone codecommit::us-east-1://repository
Run this command on the instance. The output will say
Cloning into 'repository'...
warning: You appear to have cloned an empty repository.
Which is perfectly fine since it's an empty repository, and we will commit our first file in a few steps.
Now, let's type a few more commands.
cd repository/
echo 'Hello World!' > file.txt
git add file.txt
git commit -m "First release of Hello World!"
git push
First, we need to go to the directory with our repository. Then, we want to create a file that contains the string "Hello World!" Next, we add the file to git, create a commit and push the changes. If everything runs successfully, you will see output that looks like the image below.
This way we created a file and committed it to the repo. Let's jump to the final step of this quick demo.
Step 5: Check the file in the CodeCommit console
Open the tab with our repository where you found the connection instructions earlier and refresh the page.
You will see the file we created on our EC2 instance. This indicates that we can access our repository without using long-term personal credentials.
Lessons learned
I hope you found the article on accessing a CodeCommit repository using git-remote-codecommit helpful. Perhaps you even learned something new.
To sum up, you now have the skills to enable secure access to CodeCommit from your computing resources. In my experience, I haven't come across a project where using personal or long-term credentials was advantageous.
I hope you enjoyed reading this article and gained valuable insights from it. Feel free to share it, ask questions, or share your thoughts if you found it helpful. Let's continue the conversation. Until next time, happy coding!
Posted on October 23, 2023
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.