Anton Poriadin
Posted on November 7, 2023
Table of contents
Introduction
In this two-part series, I will guide you on how to access an AWS CodeCommit repository using git-remote-codecommit. This tutorial will specifically focus on accessing a repository from a different account. In contrast, the first part of this series explains how to access a repository from the same account.
While working on a project, I came across a situation where a client was using SSH keys to interact with CodeCommit on their EC2 server. In my opinion, this approach is not secure, as there is a risk of the key being leaked, and it is difficult to keep track of who has access to it. I believe a more secure and transparent approach should be adopted to ensure better security.
My client might be one of many using this method to interact with CodeCommit. Therefore, I wrote a tutorial to help others secure their repository interactions.
While I suggest going through the tutorial to consolidate your knowledge, you can also see the entire process through the numerous screenshots I have provided to make the tutorial more straightforward.
Cross-Account CodeCommit Access from EC2
To complete this tutorial, we need to create certain resources in two AWS accounts. In Account A, we need to create an IAM role and a CodeCommit repository. In Account B, we need to create an IAM policy, an IAM role, and an EC2 instance.
Additionally, after completing the tutorial, it's recommended to delete these resources to avoid unnecessary AWS charges.
Step 1: Create an IAM role in Account A
Let's start by creating the first role. Go to the console and search for Identity and Access Management. Then, select Roles from the left-hand menu and click Create Role. This time, we will allow a different account to use our role from Account A. Therefore, we will choose AWS Account as the use case. In the section below, select Another AWS Account and provide the account ID.
Afterward, click Next and attach the AWSCodeCommitReadOnly permission. This will ensure that the other account can't push any changes to our repository.
Finally, name the role account_a_cross_account_role. Scroll down and click Create Role.
Congratulations! You have successfully created a role for cross-account access. Let's move on to the next step.
Step 2: Create a policy in Account B
It's time to switch to Account B. To proceed, let's create a policy first. Go to the console and search for Identity and Access Management. From the left-hand menu, select Policies, then create a policy.
Select STS from the service dropdown. In the actions section, we need to configure granular access. To do this, expand options under the Write access level and select the AssumeRole option.
Next, let's specify a resource under the resource section. Choose the specific option and click on Add ARNs. Set the ARN of the role that we created in the previous step, which should look like arn:aws:iam:123456789012:role/account_a_cross_account_role
.
Navigate to the next screen and name the policy account_b_cross_account_access_policy.
Click Create.
Step 3: Create an IAM role in Account B
It's time to create a classic EC2 role and attach the policy we previously created. From the left-hand menu, select Roles and then create a role. Ensure that AWS service is selected. Next, select EC2 under Common Use Cases and click Next.
Next, we will add the managed policy we previously created to our role. Search for account_b_cross_account_access_policy and press "Enter". You will find the managed policy that provides the necessary permissions to assume the role from Account A on your EC2 instance. Select the policy and click Next.
We will name our role account_b_ec2_role, and then scroll down to click the Create Role button.
Step 4: Create a CodeCommit repository in Account A
If you've completed the previous tutorial and haven't deleted the repo, you can skip this step. Otherwise, let's create a new repository. For this demo, I have created a repository named repository.
Once you have created the repository, you'll see a screen with different connection options. We will use the recommended HTTPS (GRC) method to support connections made with federated access, identity providers, and temporary credentials.
To add content to the repository, we need to create a simple text file. Firstly, scroll down to the section that says "empty repository" and click on the center button that says Create File.
Next, put "Hello World!" as the content and "file.txt" as the file name to match the file created in the previous tutorial. You also must put your author name and email, and then click on Commit Changes to complete the process.
That's all for this step. You can move on to the next one.
Step 5: Create an EC2 instance in Account B
Let's move forward to the next step. We need to create an EC2 instance and name it account_b_instance. We'll use Amazon Linux 2023, which is the perfect fit for our needs.
Regarding hardware, we'll select the latest toys and choose an arm-based image. For our demo, t4g.nano is more than enough. This time, we'll proceed without a keypair.
Now, expand the Advanced details tab and select the IAM instance profile we created earlier.
To ensure that we have all the necessary tools, we will install them with the User Data script. Here is the script we will use:
#!/bin/bash
dnf install git -y
curl -O https://bootstrap.pypa.io/get-pip.py
python3 get-pip.py
pip install git-remote-codecommit
Let me explain what we'll do here:
- First, we'll install git as we can't interact with our repository without it.
- We need to download PIP, which is a package manager for Python packages.
- After downloading, we'll install PIP.
- Finally, we'll install git-remote-codecommit using pip.
Here is a screenshot that shows how the field appears in the console.
That's all we need to do. Let's wait for a moment while AWS creates an instance for us.
Step 6: Connect to the instance and checkout files
Once the instance is ready, let's proceed with the next steps. To connect through the console, switch to the EC2 console, where you will see a page similar to the screenshot below.
Select the instance and click the Connect button at the top right corner. Then, click Connect again on the next screen.
After logging in, we can start with the necessary actions. The first step is to set up a profile based on the assumed role from account A. You will need to replace the ARN of the role with your own ARN in the first line.
aws configure set role_arn arn:aws:iam::123456789012:role/account_a_cross_account_role --profile CodeAccess
aws configure set credential_source Ec2InstanceMetadata --profile CodeAccess
aws configure set role_session_name "code_access" --profile CodeAccess
By following these commands, you will create a profile. There should be no output.
You have created a profile, but tools like the CLI can't predict whether to use the default profile or any named profile you created, so you need to specify it if you don't want to use default. Let's try to list repositories. First, we will use a simple AWS CLI command without the profile parameter:
aws codecommit list-repositories
Since we do not have permissions with the default role, this call will result in an error. However, we can specify the profile we created with the --profile
parameter, and the command will return our repository from account A. So let's try that:
aws codecommit list-repositories --profile CodeAccess
You can see the result in the screenshot below if you don't want to follow along in your console.
We have confirmed that we have access to the repository in Account A, and now it's time to check it out. To do this, we need to specify the profile for git-remote-codecommit. You can find the documentation for this process here. Let's attempt to run the following command:
git clone codecommit::us-east-1://CodeAccess@repository
We have successfully checked out the repository. Now, let's test our read-only permissions. We will attempt to modify the file and push the changes. These are the steps we need to follow:
cd repository/
nano file.txt
git add file.txt
git commit -m "Second release of Hello World!"
git push
Let me explain the commands above in detail. Firstly, go to the "repository" directory. Once you're there, use a text editor such as Nano or any other editor you prefer to make changes to the file. After making the changes, add the modified file to Git. Then, create a new commit and push the changes to the repository.
However, we encountered a 403 error due to our limited read-only permissions.
If you need to push changes from a different account, you can jump to Account A and replace the AWSCodeCommitReadOnly policy with AWSCodeCommitFullAccess for the account_a_cross_account_role role to grant full access.
And push the changes after that without any errors.
Lessons learned
I hope you found the article about accessing a CodeCommit repository from a different account using git-remote-codecommit helpful. Perhaps you even learned something new!
To summarize, you now have the skills to securely access a CodeCommit repository from a different account using the recommended approach. Additionally, you have learned how to create roles for cross-account access, which is quite useful.
I hope you enjoyed reading the article and gained valuable insights from it. If you found it helpful, please feel free to share, ask questions, or share your thoughts. Let's continue the conversation. Until next time, happy coding!
Posted on November 7, 2023
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.