We had 4 individual AWS accounts for Dev,QA, UAT and Prod.
I need to clone a repository from AWS Prod account with branch name Production.
The problem is I am using the command
git clone https://git-codecommit.us-east-1.amazonaws.com/v1/repos/vanguard"
which is working fine, but I am not sure the cloned repository belongs to which AWS account since I am not providing any AWS account details while cloning the repository to my local.
The clone URL
https://git-codecommit.us-east-1.amazonaws.com/v1/repos/vanguard"
is same in all AWS accounts.
How to clone a repository from specific AWS Code commit account only?
You'd have to create an IAM role in that AWS account you want to clone the repository from. The IAM role will delegate access to that repository to IAM user/users in the AWS account.
Then, you would have to configure your AWS CLI to use AWS Security Token Service (STS) and assume the role when running commands.
Also, note that, each CodeCommit repository is associated with an AWS Region.
Here's more on assuming roles with AWS CLI.
EDIT:
Here's what's need to be done to enable Cross-Account Access to a repository in a different account:
Repository Account Actions:
Create a policy for access to the repository.
Attach this policy to a role in the same account, and allow users in the user account to assume this role.
User Account Actions:
Create an IAM user or IAM group. Use these to access the repository from the other account.
Assign a policy to the user or group that allows them to assume the role created in the repository account as part of the previous step.
Finally, assume the cross-account role before you attempt to clone or otherwise access the repository. Also, make the necessary changes to your credentials file ~/.aws/config
For example:
[profile MyCrossAccountProfile]
role_arn = arn:aws:iam::123456789012:role/MyCrossAccountProfile
source_profile = user1
Lastly, you need to modify the AWS CLI credential helper so that you use MyCrossAccountProfile
git config --global credential.helper `!aws codecommit credential-helper --profile MyCrossAccountProfile $#'
Related
I have two AWS accounts A, B.
All my code commit repositories are present in account A.
Now I want to create the AWS code Build job in account B for repositories in account A.
I am trying to figure out to get the list of AWS repositories in account B from account A while selecting the source for creating a code build job.
I am not sure how to get the list of repositories from account A to account B in the source Repository field.
I have followed the below tutorial only till the second topic.
https://docs.aws.amazon.com/codecommit/latest/userguide/cross-account.html
Any help will be appreciated.
You can configure access to CodeCommit repositories for IAM users and groups in another AWS account. This is often referred to as cross-account access.
Mainly you be need to do the following:
Will need to create a policy and role for the repository with the needed permissions.
Create a policy and attach to your CodeBuild Role allowing the access on the Resource for the created Role
eg.
"Resource": "arn:aws:iam::REPO_ACCOUNT:role/MyCrossAccountRepositoryContributorRole"
This will enable the CodeBuild to access the needed CodeCommit repository.
This page explain this very well: Configure cross-account access to an AWS CodeCommit repository using roles.
Also, check this blog post that explain a little more detailed what you want:
AWS CodePipeline with a Cross-Account CodeCommit Repository.
When use AWS CDK to provision resources in an VPC, it requires me to specify AWS account and region through env environment variables.
I have CLI access to my dev account, but no access to prod account.
I would like to use cdk synth to generate cloudformation template for production account. To do that, I specifies the account ID in .env file.
But cdk synth command returns me following error.
[Error at /whitespace-app-fargate/whitespace-app-fargate/FargateStack] Could not assume role in target account using current credentials (which are for account xxxxxxxx) User: arn:aws:iam::xxxxxxxxx:user/myqinjie is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::yyyyyyyyy:role/cdk-hnb659fds-lookup-role-yyyyyyyy-ap-southeast-1 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
Is there a ways to run cdk synth to generate cloudformation template without validation?
It is not possible to run cdk synth against an account that you do not have access to.
You need use a role or user that has sufficient permissions to execute cdk synth against production account.
May I ask what is your usecase?
If you want to validate which resources will be created, you can run against your own account but use production stage and production region.
The only thing different when effectively deploying to production will be the account.
Need to access cross account EC2 describe/start instance API via AWS CLI without configuring access/secret keys in "aws configure".
Assuming that you have default credentials stored for an account (Let's call it dev) but you want to run EC2 describe/start instance API on an instance which is in another account(Let's call it prod) via this account without configuring your prod credentials.
To achieve this you will use an IAM role, which has the EC2:describeInstance access needed in your Prod account. An authenticated user in your Dev account will assume a privileged IAM role in the Prod account with an API call to STS:AssumeRole. This API call will return temporary security credentials that the Dev user’s AWS CLI will automatically use to access resources in the Prod account.
You can set the credentials temporary via environment variables. If you pack this is an bash script, they only last for the execution.
#!/bin/bash
export AWS_ACCESS_KEY_ID=***
export AWS_SECRET_ACCESS_KEY=***
export AWS_DEFAULT_REGION=eu-central-1
aws ec2 <your command>
If you are in a cli of an ec2, best way to do this is to use the IAM role attached to the instance which has permissions ec2:StartInstances and ec2:DescribeInstances for the target ec2.
I'm trying to set up cross-account access to ECR. What I'd like is to allow one AWS account to access the ECR in a different AWS account. The point is that it is needed to set up a policy permission under each repository. I don't like honestly this approach because for each new repository created under the ECR, I need to set up a policy. Do you have a better strategy to allow one account to automatically access all the repos in a ECR in a different AWS account?
I want a aws master account, where i can manage other aws accounts/iam users. Is this achievable? I tried with AWS Organizations, but it does not applies for IAM users(Only account level). Please help
You could create a custom role in any account that you have, and the use aws-api to assume this role with an script.
For example, you create the role custom_role in everyaccount that you own.
Then you use aws sdk or cli to assume role
Configure role in credentials profile
[profile custom_role]
role_arn = arn:aws:iam::123456789012:role/custom_role
source_profile = default
Use aws api to create user in the other account
aws iam create-user --user-name user_test --profile custom_role
You could do the same thing through aws sdk (like boto3 in python). If you want to manage all accounts, you could develop some script that automate that work.