CodeCommit Access from EC2

aporiadin

Anton Poriadin

Posted on October 23, 2023

CodeCommit Access from EC2

Table of contents

Introduction

In this two-part series, I will show you how to access an AWS CodeCommit repository using git-remote-codecommit. The first part focuses on accessing a repository from the same account, while the second covers accessing a repository from a different account.

While working on a project, I came across a situation where a client was using SSH keys to interact with CodeCommit on their EC2 server. In my opinion, this approach is not secure, as there is a risk of the key being leaked, and it is difficult to keep track of who has access to it. I believe a more secure and transparent approach should be adopted to ensure better security.

My client might be one of many using this method to interact with CodeCommit. Therefore, I wrote a tutorial to help others secure their repository interactions.

CodeCommit Access from EC2

In order to complete this tutorial, we will need to create a few resources: an IAM role, a CodeCommit repository, and an EC2 instance. It's important to note that these resources should all be created within the same AWS account. Additionally, after completing the tutorial, it's recommended to delete these resources to avoid unnecessary AWS charges.

Step 1: Create an IAM role

To get started, we need to create a role. Go to IAM Roles and click Create role. Under the Trusted entity type section, select AWS Service. Since we'll be using EC2, select it as a use case.

The process of creating a role. Step 1: Selecting a use case.

The next screen will require us to add a policy. We need to select AWSCodeCommitFullAccess for demo purposes as we want to commit a file. However, on a real server, choosing AWSCodeCommitReadonly or even a stricter role is recommended to stick to the principle of least privilege.

The process of creating a role. Step 2: Adding permissions.

To keep things simple, name the role account_a_ec2_role. Scroll down and click Create Role.

The process of creating a role. Step 3: Defining role details.

Perfect! This is all we need for this role. Now, let's move on to the next step.

Step 2: Create a CodeCommit repository

To keep things simple for the demo, I have created a repository named repository, which perfectly describes its purpose.

The process of creating a repository

After creating the repository, you'll see a screen with various connection options. We will be using the third option, which is HTTPS (GRC). According to AWS, this is the recommended method for supporting connections made with federated access, identity providers, and temporary credentials.

Overview of various connection methods

That's all for this step. We can move on to the next one.

Step 3: Create an EC2 instance

Let's move on to the next step, which is the most interesting one. We need to create an EC2 instance and name it account_a_instance. We just want to keep the naming simple. We'll go with Amazon Linux 2023, which works great for us.

The process of creating an instance. Setting a name for the instance.

Regarding hardware, we'll select the latest toys and choose an arm-based image. For our demo, t4g.nano is more than enough. This time, we'll proceed without a keypair.

The process of creating an instance. Setting an instance type.

Now, let's expand the advanced details tab and select the IAM instance profile we created earlier.

The process of creating an instance. Setting an instance profile.

To make sure we have all the necessary tools, we'll install them with the User Data script. Here is the script we'll use:

#!/bin/bash
dnf install git -y
curl -O https://bootstrap.pypa.io/get-pip.py
python3 get-pip.py
pip install git-remote-codecommit
Enter fullscreen mode Exit fullscreen mode

Let me explain what we'll do here:

  1. First, we'll install git as we can't interact with our repository without it.
  2. We need to download PIP, which is a package manager for Python packages.
  3. After downloading, we'll install PIP.
  4. Finally, we'll install "git-remote-codecommit" using pip.

The process of creating an instance. Setting a User Data script.

That's all we need to do. Let's wait for a moment while AWS creates an instance for us.

Step 4: Connect to the instance and commit a file

When the instance is ready, let's continue. To connect through the console, switch to the EC2 console, where you see something like the image below.

EC2 console

Select the instance and click the Connect button located at the top right section with buttons. Then click Connect again on the next screen.

Establish a connection with an instance

You will see something like the image below once you have successfully connected to the instance.

EC2 Instance Connect console

As the first step, let's check out the repository. Open the tab with the repository if it's still open, or go to CodeCommit and select our repository. You basically need to copy a command from the bottom of the HTTPS (GRC) tab.

An example command from my console would look like this:

git clone codecommit::us-east-1://repository
Enter fullscreen mode Exit fullscreen mode

Run this command on the instance. The output will say

Cloning into 'repository'...
warning: You appear to have cloned an empty repository.
Enter fullscreen mode Exit fullscreen mode

Which is perfectly fine since it's an empty repository, and we will commit our first file in a few steps.

Cloning the repository

Now, let's type a few more commands.

cd repository/
echo 'Hello World!' > file.txt
git add file.txt
git commit -m "First release of Hello World!"
git push
Enter fullscreen mode Exit fullscreen mode

First, we need to go to the directory with our repository. Then, we want to create a file that contains the string "Hello World!" Next, we add the file to git, create a commit and push the changes. If everything runs successfully, you will see output that looks like the image below.

Committing to the repository

This way we created a file and committed it to the repo. Let's jump to the final step of this quick demo.

Step 5: Check the file in the CodeCommit console

Open the tab with our repository where you found the connection instructions earlier and refresh the page.

Checking the repository via the AWS console

You will see the file we created on our EC2 instance. This indicates that we can access our repository without using long-term personal credentials.

Lessons learned

I hope you found the article on accessing a CodeCommit repository using git-remote-codecommit helpful. Perhaps you even learned something new.

To sum up, you now have the skills to enable secure access to CodeCommit from your computing resources. In my experience, I haven't come across a project where using personal or long-term credentials was advantageous.

I hope you enjoyed reading this article and gained valuable insights from it. Feel free to share it, ask questions, or share your thoughts if you found it helpful. Let's continue the conversation. Until next time, happy coding!

💖 💪 🙅 🚩
aporiadin
Anton Poriadin

Posted on October 23, 2023

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related