git clone AWS codecommit failing with 403 - amazon-web-services

I am following https://aws.amazon.com/getting-started/hands-on/build-serverless-web-app-lambda-apigateway-s3-dynamodb-cognito/module-1/
and facing an issue when trying to clone the repo "wildrydes-site" I just created in CodeCommit.
git clone https://git-codecommit.us-east-1.amazonaws.com/v1/repos/wildrydes-site
Cloning into 'wildrydes-site_new'...
fatal: unable to access 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/wildrydes-site/': The requested URL returned error: 403

Make sure the IAM user or role being used has the codecommit:GitPull permission, or attach the managed policy AWSCodeCommitPowerUser to provide wider CodeCommit access.
Approach 1 for IAM Users using Git Credentials
You need to set up IAM credentials like they mentioned in point 'e'. Follow the instructions here to generate CodeCommit credentials for your IAM user.
The generated credentials will have a username and password with the username in the format <your-iam-username>-at-<account id>. Make sure to copy the password or download the credentials file. Use these username and password values when you run git clone command.
Approach 2 for IAM roles or users.
You need to configure your IAM user's AWS credentials locally using aws configure or, if you are using roles, you need to run aws sts assume-role --role-arn <role-arn> to assume the role after aws configure and generate the temporary credentials, which you can export to your environment.
Once the AWS credentials configuration is done, you can run the commands below to use the AWS CLI as your credential helper.
git config --global credential.helper '!aws codecommit credential-helper $@'
git config --global credential.UseHttpPath true
Run your git clone after running above commands. That should fix your issue too.

Related

AWS CDK deploy from circleCi fails with credential error but other aws services do not

I am running a cdk deploy build on circleCi, and when the step CDK deploy comes it gives me "Need to perform AWS calls for account ************, but no credentials have been configured".
But for troubleshooting I tried other commands as well, like
aws s3 ls
aws cloudformation list-stacks
The above commands were working fine, and I was also able to run a command to create a CloudFormation stack with the same config, but I am not able to run cdk deploy. The access key and secret I am using have Admin access.
Set the creds with a profile name using aws-cli Orb in CircleCI and
try using the below command to deploy with CDK
cdk deploy --all --profile cdkprofile
For reference, in CircleCI
orbs:
  aws-cli: circleci/aws-cli@2.0.3
commands:
  env-setup:
    description: AWS Env Setup
    steps:
      - aws-cli/setup:
          profile-name: cdkprofile
          aws-access-key-id: AWS_ACCESS_KEY_ID
          aws-secret-access-key: AWS_SECRET_ACCESS_KEY
The assumption is that AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are set as CircleCI env variables.
As a starting note: The best way to troubleshoot is with cdk [command] --verbose (see CLI ref)
CDK has an internal mechanism for finding credentials not directly using AWS CLI (AWS CLI is not a requirement for CDK to run)
In a similar situation with a CI tool, the issue was simply that the ~/.aws/credentials file did not exist (not that you need it with AWS CLI, but in the situation for CDK, it was required)
Credit to this issue reporting: https://github.com/aws/aws-cdk/issues/6947#issue-586402006
Solution tested for above:
For an EC2 running CI tool, with EC2 IAM role
Where ~/.aws/config exists and defined profile(s) with:
credential_source = Ec2InstanceMetadata
role_arn = arn:aws:iam:::role/role-to-assume-in-acctId
Create empty ~/.aws/credentials file
Example error for the problem solved above (from verbose output)
Resolving default credentials
Notices refreshed
Unable to determine the default AWS account: ProcessCredentialsProviderFailure: Profile myprofile did not include credential process
Other causes found in other issues/comments could relate to:
Duplicate profiles
Having credential_process in the profile, set to empty
Needing --profile parameter to be added

How can codeBuild container run aws-cli commands without prior authentication?

Say I use aws-cli locally on my machine; I'd need to authenticate with credentials prior to any operation.
How do AWS services give permission to other services on my behalf? And more specifically, how does a container run aws-cli on my behalf without prior authentication?
I am asking this after running my first pipeline successfully in CodePipeline. My buildspec.yml runs the aws s3 sync command flawlessly, which made me wonder how AWS permissions work internally.
AWS CodeBuild uses an IAM Service Role to provide AWS permissions to the CodeBuild environment. You should have had to create a service role for your CodeBuild configuration.
When the AWS cli tool runs, and it hasn't been previously configured with API access keys, it will check if it is running in an AWS environment like EC2 or Lambda and if so, it will use the AWS IAM role assigned to that runtime environment.

Clone aws codecommit repo using chef

How can I clone an AWS CodeCommit repo with a Chef recipe?
I tried installing the AWS CLI and added credentials with CodeCommit access, then used Chef's git resource to clone the repo, but it fails with could not read Username for ‘https://git-codecommit.us-east-1.amazonaws.com’.
git "/home/ubuntu/lead_intake" do
  repository node[:app_name][:git_repository]
  action :sync
end
When I tried to clone from the command line, it works.
Any help would be appreciated.
First, make sure you have the correct Access key ID and Secret access key in IAM -> users -> Security Credentials.
Second, put the following into the .gitconfig file:
[credential]
helper = !aws codecommit credential-helper $@
UseHttpPath = true
Third, both the .gitconfig file and the .aws directory should be in /root/. Maybe this is the problem that you have. You put the .gitconfig in /root/.aws/, which will make the credential helper useless. Thus it is asking for your Username/Password.
If you have done all the things above and it still fails, I suggest you use ssh to clone the repository. Follow this documentation: http://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-ssh-unixes.html

AWS CodeCommit Error: git: 'credential-aws' is not a git command

I am new to Amazon Web Services world, and I am implementing Continuous Delivery to the company I work for.
I followed AWS's instructions to configure CodeCommit Service (http://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-https-windows.html#setting-up-https-windows-account)
Step 1: Initial Configuration for AWS CodeCommit
To create and configure an IAM user for accessing AWS CodeCommit:
I created a new IAM user and gave him AWSCodeCommitFullAccess
To install and configure the AWS CLI :
I installed and configured the credentials doing aws configure.
Setting AWS Access Key ID, AWS Secret Access Key, Default region name to us-east-1 and de
Step 2: Install Git
I installed Git For Windows making sure the Enable Git Credential Manager option was cleared.
Step 3: Set Up the Credential Helper
git config --global credential.helper "!aws codecommit credential-helper $@"
git config --global credential.UseHttpPath true
Executing:
git config --global --edit
My Configuration is:
[http]
sslVerify = false
[credential]
helper = "aws codecommit list-repositories codecommit credential-helper "
UseHttpPath = true
Step 4: Connect to the AWS CodeCommit Console and Clone the Repository
$ git clone https://git-codecommit.us-east-1.amazonaws.com/v1/repos/teste-git-to-s3
Cloning into 'teste-git-to-s3'...
git: 'credential-aws' is not a git command. See 'git --help'.
Username for 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/teste-git-to-s3': Lucas
fatal: unable to access 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/teste-git-to-s3/': The requested URL returned error: 403
Looking for AWS troubleshooting, I found: Troubleshooting AWS CodeCommit but I couldn't solve it.
How can this be solved?
I think the issue is in your .gitconfig file. Change it to below and it should work.
[credential]
helper = !aws codecommit credential-helper $@
UseHttpPath = true
By the way, if you are using a Bash emulator instead of the Windows command line, you must use single quotes instead of double quotes.
Let me know if this doesn't work.
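Added example, not part of the original posts: a POSIX shell check for a stored credential.helper value. Git runs a helper as a shell command only when the value starts with `!`; otherwise it looks for `git credential-<first word>`, which is the 'credential-aws' error in the question. The function names and the sample values (built from the configs shown on this page) are constructed for illustration.

```shell
#!/bin/sh
# diagnose_helper VALUE -> prints one diagnosis word, always returns 0.
diagnose_helper() {
    dh_value=$1
    case $dh_value in
        '')
            echo unset; return 0 ;;
        '!'*)
            ;;  # shell-snippet form, which the CodeCommit helper needs
        *)
            # No leading '!': git will try to run "git credential-<first word>".
            echo missing-bang; return 0 ;;
    esac
    case $dh_value in
        *'codecommit credential-helper'*) ;;
        *) echo not-codecommit; return 0 ;;
    esac
    case $dh_value in
        # A literal $@ must survive into the config so git's get/store/erase
        # action is forwarded to the AWS CLI.
        *'$@'*) echo ok ;;
        # The shell expanded (or the user mistyped) $@ before git stored it.
        *) echo args-lost ;;
    esac
}

# check_git_helper: diagnose the value git actually has stored.
# Needs git on PATH; not called automatically.
check_git_helper() {
    diagnose_helper "$(git config --get credential.helper 2>/dev/null || true)"
}

# Constructed sample values: the broken helper from the question's .gitconfig,
# the corrected helper, and one whose $@ was expanded to nothing.
for dh_sample in \
    'aws codecommit list-repositories codecommit credential-helper ' \
    '!aws codecommit credential-helper $@' \
    '!aws codecommit credential-helper '
do
    printf '%-14s <- %s\n' "$(diagnose_helper "$dh_sample")" "$dh_sample"
done
```

The broken value in the question is consistent with an interactive Bash session expanding `!aws` (history) and `$@` (empty) inside double quotes before git ever saw them, which is why single quotes are needed there.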
If you are using cygwin, after you created the repository, click the connect info button, select linux instead of windows, it works on mine.
I experienced this problem with Python 3.8.x - make sure you are using Python 3.7.x instead, as shown in the docs

Access to AWS CodeCommit by federated users

I have implemented identity federation for an AWS account to enable devs to use AWS services via corporate single-sign on/SAML.
All the initial reading I've done regarding AWS CodeCommit seems to require either an SSH key attached to a specific IAM user to enable that user to gain access to CodeCommit via SSH, or an Access Key ID & Secret Key combo for HTTPS access.
I can't see a way to enable a federated user (i.e. a user who can log in to AWS via an assumed role rather than as a specific IAM user) to access a CodeCommit repo. Can anybody help me? Am I missing something obvious?
The CodeCommit pricing talks about a federated user counting as an active user for pricing purposes which implies that it's possible.
AWS CodeCommit over HTTPS can use any credentials from the AWS CLI, including assumed role credentials. For example, you could have the following in your AWS CLI config (example taken from here):
[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadmin
source_profile = default
You would configure git to use that profile for CodeCommit repositories, and the role will be assumed for you when you push or pull a CodeCommit repo.
git config --global credential.helper '!aws --profile marketingadmin codecommit credential-helper $@'
For SAML, there's more setup to get the AWS CLI to be able to assume a role with SAML. See the AWS blog posts here and here for instructions. After following those instructions and running ./samlapi.py or ./samlapi_formauth.py, you would configure git to use the "saml" profile for CodeCommit repositories:
git config --global credential.helper '!aws --profile saml codecommit credential-helper $@'
For OSX
Install git and AWS cli
Configure AWS cli credentials:
aws configure
Set up the my-profile profile that contains a role to be assumed by modifying your ~/.aws/credentials file. Note that an admin should create this role in the AWS account that owns the CodeCommit repos, and the role should put your account as a trustee and have enough CodeCommit permissions.
[my-profile]
role_arn = ARN_OF_THE_ROLE_TO_BE_ASSUMED
source_profile = default
Double check your region config in ~/.aws/config :
[default]
region = us-east-1
Configure git to use the AWS CLI profile during clone/push/pull/etc. operations. Note the use of my-profile as the profile name to use, which in turn is assuming a role as we already discussed.
git config --global credential.helper '!aws --profile "my-profile" codecommit credential-helper $@'
git config --global credential.UseHttpPath true
You should be able to perform git operations against CodeCommit repos belonging to the AWS parent account using http endpoints