I used ask init --hosted-skill-id=<skill_id> to pull a local copy of my skill. Running git remote -v shows the repository is hosted on AWS CodeCommit at https://git-codecommit.us-east-1.amazonaws.com/v1/repos/<skill_id>.
I can't see the CodeCommit repository in my AWS account (when logged in as root user). I also can't see any IAM roles listed in my AWS account. I considered logging in as the ask_cli_default profile generated by ask configure but it only has an access key and secret; no password.
Which AWS account holds the Alexa-hosted CodeCommit repositories? Is there any way to grant access to another account?
Other potentially relevant tidbits
Context: Yesterday I created a skill in the Alexa developer console based on a Hello World template. Now I want to share it with a friend so we can develop it together. Ideally we would both be able to push to a shared git repository, build, deploy, and test using the simulator in Alexa developer console.
ask --version = 2.20.0
I can git clone to another local directory using the (generated) username and password from ask util git-credentials-helper.
a question in the AWS forums Alexa Hosted sets up a CodeCommit repository -- unanswered
official AWS docs for setting up cross-account access to CodeCommit -- Requires access to the CodeCommit repository from AWS console. This is where I want to get to.
Alexa Hosted is hosted in Alexa's AWS account, so it won't show up in your AWS account. Instead, it provides you with a unique (and highly constrained) AWS IAM role within the Alexa Hosted account that is tied to your skill and your Amazon developer account.
What you need to do if you want to bring in other developers is assign them Developer roles on your account so they can access the skill and its resources using their own account.
This is the documentation for adding people to your org's developer account: https://developer.amazon.com/docs/app-submission/manage-account-and-permissions.html#add_other_users
Related
When deploying to AWS from gitlab-ci.yml file, you usually use aws-cli commands as scripts. At my current workplace, before I can use the aws-cli normally, I have to login via aws-azure-cli, authenticate via 2FA, then my workstation is given a secret key than expires after 8 hours.
Gitlab has CI/CD variables where I would usually put the AWS_ACCESS_KEY and AWS_SECRET_KEY, but I can't create IAM role to get these. So I can't use aws-cli commands in the script, which means I can't deploy.
Is there anyway to authenticate Gitlab other than this? I can reach out to our cloud services team, but that will take a week.
You can configure OpenID to retrieve temporary credentials from AWS without needing to store secrets.
In my view its actually a best practice too, to use OopenID roles instead of storing actual credentials.
Add the identity provider fir gitlab in aws
Configure the role and trust
Retrieve a temporary credential
follow this https://docs.gitlab.com/ee/ci/cloud_services/aws/ or a more detailed version https://oblcc.com/blog/configure-openid-connect-for-gitlab-and-aws/
Right now we are using two AWS accounts with Terraform (INT and PROD). Currently we have the same repositories in both of the accounts, which is obviously not best practice, so I'm trying to set up cross-account access. The goal is to have the repos only on the INT account, and make the CodeBuild project or CodePipeline instance on the PROD account to use those repos.
I have already created the necessary policies and roles on both accounts so lack of permission should not be a problem. However, what I'm struggling with is using the INT repos as source for the PROD CodeBuild project for example.
The project's source block is configured in the following way:
source {
type = "CODECOMMIT"
location = "https://git-codecommit.region.amazonaws.com/v1/repos/example-repo"
buildspec = data.local_file.buildspec_local.content
}
I can't seem to understand how should I proceed here. From my understanding, I should somehow reference the repo in the INT account, but from what I know there's only one way to do that, which is using multiple aws provider blocks with the accounts' access key id and secret key.
This solution is not possible for us, since we have to use the company's SSO tool to generate credentials which are valid for 12 hours to use the AWS accounts.
I am aware that there are loads of questions regarding cross-account access in AWS, but unfortunately I haven't found one that helps me.
Welcome to the world of AWS Terraform! Not sure how far you have gotten on this, but there are two options for you. Option 1 leverages AWS Cross Account Pipeline . Now I am currently in the process of building this out with terraform, but this would be considered the best practice for this type of development.
If you are just looking to pull in the repos from another account, then you can leverage Codebuild to ssh and clone the repository into your build job. to do this, you will need to create an ssh user in the repo account, which we will label A. You will need the ssh users' User Key and the Public Key. You will create two variables in the parameter store called variable_ssh_key and variable_codecommit_user.
Leveraging the buildspec provided here, you can leverage git clone to pull down any repository you need. The only thing you will need is in Account B to create one repo that stores the buildspec and calls the other repos. See buildspec as a reference.
I have multiple Codebuild projects in an AWS account (which were created by others), with private Github repos as the source, connected via oauth.
I'm creating a new Codebuild project, also looking at a private github repo, however Codebuild fails to create since it "can't access the github repo".
I imagine that whoever in the account originally connected to Github, they don't have access to my the repo I'm trying to connect to.
I'd like to click the "disconnect from Github" and re-authorize, since I have access to the repo I'm trying to connect to, but I'm concerned that will disconnect all Codebuild projects.
I know that my Github credentials don't permit access to all repos that Codebuild projects are currently reading from.
When a connection to Github is made via oauth, does that set it for the entire account?
When a connection to Github is made via oauth, does that set it for the entire account?
Yes it will reset the token for all your CodeBuild projects in that AWS account Id. CodeBuild only supports one token (OAuth or personal access token) per AWS account Id.
We are aware of the limitation this causes on end users and will make this experience better in a future release.
Ok so I have the exact build script to build my nodejs app.
The idea is to setup a CI/CD pipeline that will build our app across different aws accounts such as DEV, STAGING, and PROD.
I have a repo in Account A (Dev) that hosts a nodejs app
I want to be able to create a pipeline in Account B that checks out code from repo in account A
And finally when the pipeline is complete, it should deploy the built/compiled nodejs app to Account C (QA) and D (Prod)
My issue is not on how to build a nodejs app but rather how to allow codepipeline, in account B, to checkout the repo in account A and finally deploy the built app to staging and prod.
My ideas from reading around:
Create IAM roles for the pipeline in Account A which allows to
checkout codecommit repos
Have the pipeline in account B assume the role from account A somehow
It's still not clear to me how to go about doing this; I'm just getting into aws
I will update this post if I come across a solution but maybe someone has a tutorial or could point me to a documentation or list the steps or an example here
From my understanding it is not possible to build a cross account pipeline using codepipeline. What you need to do is build your pipeline in your central account first.
The central account pipeline would include the appropriate number of stages which result in a release candidate for the AWS accounts dev, staging and prod.
As you get to the different account stages, you should push your artifacts to S3 buckets in the related accounts. And these S3 buckets should be the sources of codepipelines the those accounts.
This way you create "deployment" pipelines in each account which start in S3 and end in whatever environment you are thinking of. The S3 buckets of these accounts can be created to have bucket policies to only receive files from your central account.
This is of course, not ideal but its how I solved this issue before hand. Build in one account and deliver to deployment pipelines in other accounts. If someone knows a better solution, I would love to hear it.
Good luck!
AWS provide a guide with source that does something close to what you are trying to do.
It should get you close enough and covers the permissions needed for the account to assume a role to checkout your repo in another account.
Many programmers like to share all their public repos where their code is stored and they can give their unique Github URL to everyone who's interested in it; like potential employers.
If someone sets up an AWS account and AWS CodeCommit, can he then get such a profile URL for himself there also? (Or is AWS CodeCommit more designed for your personal version control etc. and not having a real profile for others?)
AWS CodeCommit is not designed for public anonymous access. Access to CodeCommit requires AWS credentials. The purpose of CodeCommit is for teams to be able to work together and not to provide a public repository.