AWS Amplify with repository in different account - assume role - amazon-web-services

I have gone through the documentation and couldn't find a solution for this.
I have two accounts, dev and prod. My Amplify app exists in dev but the CodeCommit repository exists in prod. Is there any way to connect them?
I have configured assume-role and have also tried using temporary credentials in a different profile and connecting it with:
aws amplify create-app --name app-name-in-dev --repository repo-in-prod
aws amplify create-app --name app-name-in-dev --repository repo-in-prod --iam-service-role-arn arn:aws:sts::prod:assumed-role/CrossAccountRepositoryContributorRole/cross-account
The problem remains the same. It seems impossible to connect Amplify with CodeCommit unless the repository and the Amplify app exist in the same account.
Is there any way to achieve this, or is it really not configurable?
references:
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html
https://forums.aws.amazon.com/thread.jspa?threadID=300224

In case anyone comes looking for the same:
After creating a ticket with AWS, I received a response that it is not currently possible, as Amplify is still a newer service and only allows repositories from the same account.
I have tried setting this up at my end and observed the same. I was able to connect to repositories only in the same account. I did further research on this and could confirm that currently we cannot integrate a cross-account CodeCommit repository with Amplify applications.

Related

Gitlab CI/CD deploy to aws via aws-azure-cli authentication

When deploying to AWS from a gitlab-ci.yml file, you usually use aws-cli commands as scripts. At my current workplace, before I can use the aws-cli normally, I have to log in via aws-azure-cli, authenticate via 2FA, and then my workstation is given a secret key that expires after 8 hours.
GitLab has CI/CD variables where I would usually put the AWS_ACCESS_KEY and AWS_SECRET_KEY, but I can't create an IAM role to get these. So I can't use aws-cli commands in the script, which means I can't deploy.
Is there any way to authenticate GitLab other than this? I can reach out to our cloud services team, but that will take a week.
You can configure OpenID Connect to retrieve temporary credentials from AWS without needing to store secrets.
In my view it's actually a best practice too, to use OpenID roles instead of storing actual credentials.
Add the identity provider for GitLab in AWS
Configure the role and trust
Retrieve a temporary credential
Follow this: https://docs.gitlab.com/ee/ci/cloud_services/aws/ or a more detailed version: https://oblcc.com/blog/configure-openid-connect-for-gitlab-and-aws/
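The three steps above hinge on the trust policy of the AWS role: it is the `Condition` block, not the identity provider itself, that decides which GitLab pipelines may assume the role. The following is an added example (not code from the answer or from the linked guides) showing such a trust policy, a check of which job tokens it would accept, and the matching GitLab job that exchanges the token for temporary credentials. The account id, GitLab host, project path, branch and role name are placeholders assumed for the illustration.

```python
import fnmatch
import json

# Assumed placeholder values; replace with your own.
ACCOUNT_ID = "111122223333"          # AWS account that owns the role
GITLAB_HOST = "gitlab.com"           # GitLab instance registered as the OIDC provider
PROJECT_PATH = "my-group/my-app"     # GitLab project allowed to deploy
DEPLOY_BRANCH = "main"               # branch allowed to deploy


def gitlab_trust_policy(account_id, gitlab_host, project_path, branch):
    """Trust policy for the deployment role.

    'aud' must equal the audience the job requested and 'sub' pins the token to
    one project and one branch. Without these two conditions any project on the
    same GitLab instance could assume the role.
    """
    sub = f"project_path:{project_path}:ref_type:branch:ref:{branch}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{gitlab_host}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{gitlab_host}:aud": f"https://{gitlab_host}"},
                "StringLike": {f"{gitlab_host}:sub": sub},
            },
        }],
    }


def token_accepted(policy, claims):
    """Evaluate the StringEquals / StringLike conditions against token claims.

    Every condition key must be present in the token and match; StringLike
    allows the * and ? wildcards IAM supports. Only the two operators used in
    the policy above are implemented.
    """
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow" or statement.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = statement.get("Condition", {})
        ok = True
        for key, want in cond.get("StringEquals", {}).items():
            ok = ok and claims.get(key.rsplit(":", 1)[-1]) == want        # "gitlab.com:aud" -> "aud"
        for key, pattern in cond.get("StringLike", {}).items():
            ok = ok and fnmatch.fnmatchcase(claims.get(key.rsplit(":", 1)[-1], ""), pattern)
        if ok:
            return True
    return False


# Job side (.gitlab-ci.yml): request an ID token with the audience the policy
# expects and exchange it for one-hour credentials. No long-lived secret is stored.
GITLAB_CI_JOB = f"""
deploy:
  variables:
    AWS_DEFAULT_REGION: us-east-1
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://{GITLAB_HOST}
  script:
    - >
      CREDS=$(aws sts assume-role-with-web-identity
      --role-arn arn:aws:iam::{ACCOUNT_ID}:role/gitlab-deploy
      --role-session-name "gitlab-${{CI_PIPELINE_ID}}"
      --web-identity-token "$GITLAB_OIDC_TOKEN"
      --duration-seconds 3600
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
      --output text)
    - export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | cut -f1)
    - export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | cut -f2)
    - export AWS_SESSION_TOKEN=$(echo "$CREDS" | cut -f3)
    - aws sts get-caller-identity
"""


def demo():
    """Run constructed sample claims through the policy; returns name -> accepted."""
    policy = gitlab_trust_policy(ACCOUNT_ID, GITLAB_HOST, PROJECT_PATH, DEPLOY_BRANCH)
    good_sub = f"project_path:{PROJECT_PATH}:ref_type:branch:ref:{DEPLOY_BRANCH}"
    samples = {  # constructed claims; real ones come from the job's ID token
        "right project, main branch": {"aud": "https://gitlab.com", "sub": good_sub},
        "right project, feature branch": {"aud": "https://gitlab.com",
                                          "sub": f"project_path:{PROJECT_PATH}:ref_type:branch:ref:feature/x"},
        "other project, main branch": {"aud": "https://gitlab.com",
                                       "sub": "project_path:someone-else/fork:ref_type:branch:ref:main"},
        "right project, wrong audience": {"aud": "https://example.com", "sub": good_sub},
    }
    return {name: token_accepted(policy, claims) for name, claims in samples.items()}


if __name__ == "__main__":
    print(json.dumps(gitlab_trust_policy(ACCOUNT_ID, GITLAB_HOST, PROJECT_PATH, DEPLOY_BRANCH), indent=2))
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Of the four constructed tokens only the first is accepted; a fork of the project, a feature branch of the same project, and a token minted for another audience are all rejected by the trust policy before any AWS permission is consulted. The role's own permission policy should then be scoped to the deployment actions the job needs, since anyone who can push to the pinned branch can now act as that role.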

Add collaborator to Alexa-hosted CodeCommit git repository

I used ask init --hosted-skill-id=<skill_id> to pull a local copy of my skill. Running git remote -v shows the repository is hosted on AWS CodeCommit at https://git-codecommit.us-east-1.amazonaws.com/v1/repos/<skill_id>.
I can't see the CodeCommit repository in my AWS account (when logged in as the root user). I also can't see any IAM roles listed in my AWS account. I considered logging in as the ask_cli_default profile generated by ask configure, but it only has an access key and secret, no password.
Which AWS account holds the Alexa-hosted CodeCommit repositories? Is there any way to grant access to another account?
Other potentially relevant tidbits
Context: Yesterday I created a skill in the Alexa developer console based on a Hello World template. Now I want to share it with a friend so we can develop it together. Ideally we would both be able to push to a shared git repository, build, deploy, and test using the simulator in Alexa developer console.
ask --version = 2.20.0
I can git clone to another local directory using the (generated) username and password from ask util git-credentials-helper.
a question in the AWS forums Alexa Hosted sets up a CodeCommit repository -- unanswered
official AWS docs for setting up cross-account access to CodeCommit -- Requires access to the CodeCommit repository from AWS console. This is where I want to get to.
Alexa Hosted is hosted in Alexa's AWS account, so it won't show up in your AWS account. Instead, it provides you with a unique (and highly constrained) AWS IAM role within the Alexa Hosted account that is tied to your skill and your Amazon developer account.
What you need to do if you want to bring in other developers is assign them Developer roles on your account so they can access the skill and its resources using their own account.
This is the documentation for adding people to your org's developer account: https://developer.amazon.com/docs/app-submission/manage-account-and-permissions.html#add_other_users

Building a nodejs app across multiple AWS accounts

OK, so I have the exact build script to build my Node.js app.
The idea is to setup a CI/CD pipeline that will build our app across different aws accounts such as DEV, STAGING, and PROD.
I have a repo in Account A (Dev) that hosts a nodejs app
I want to be able to create a pipeline in Account B that checks out code from repo in account A
And finally when the pipeline is complete, it should deploy the built/compiled nodejs app to Account C (QA) and D (Prod)
My issue is not on how to build a nodejs app but rather how to allow codepipeline, in account B, to checkout the repo in account A and finally deploy the built app to staging and prod.
My ideas from reading around:
Create IAM roles for the pipeline in Account A which allow it to check out CodeCommit repos
Have the pipeline in Account B assume the role from Account A somehow
It's still not clear to me how to go about doing this; I'm just getting into AWS.
I will update this post if I come across a solution, but maybe someone has a tutorial, could point me to documentation, or could list the steps or an example here.
From my understanding it is not possible to build a cross-account pipeline using CodePipeline. What you need to do is build your pipeline in your central account first.
The central account pipeline would include the appropriate number of stages which result in a release candidate for the AWS accounts dev, staging and prod.
As you get to the different account stages, you should push your artifacts to S3 buckets in the related accounts. And these S3 buckets should be the sources of the CodePipelines in those accounts.
This way you create "deployment" pipelines in each account which start in S3 and end in whatever environment you are thinking of. The S3 buckets of these accounts can be created with bucket policies to only receive files from your central account.
This is of course not ideal, but it's how I solved this issue beforehand. Build in one account and deliver to deployment pipelines in other accounts. If someone knows a better solution, I would love to hear it.
Good luck!
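The bucket policy the answer mentions is the control that keeps the hand-off one-directional: the deployment account's bucket should accept writes only from the central account's pipeline role, and nothing else, including principals in the deployment account itself. The following is an added example (not code from the answer) that builds such a policy and walks a few PutObject requests through the allow/deny logic. The role ARN, account ids and bucket name are placeholders assumed for the illustration.

```python
import fnmatch
import json

# Assumed placeholder values; replace with your own.
CENTRAL_PIPELINE_ROLE = "arn:aws:iam::111111111111:role/central-codepipeline-role"  # writer, central account
ARTIFACT_BUCKET = "qa-deploy-artifacts"                                            # bucket in the QA account


def artifact_bucket_policy(bucket, writer_role_arn):
    """Bucket policy for a deployment account's artifact bucket.

    The Allow is needed because cross-account access has to be granted on the
    bucket side. The explicit Deny on s3:PutObject for every principal except
    the central pipeline role (matched on aws:PrincipalArn, which for an
    assumed role is the role ARN, not the session ARN) is what makes the bucket
    accept files from the central account only; it also stops the deployment
    account's own users from injecting artifacts.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CentralAccountDeliversArtifacts",
                "Effect": "Allow",
                "Principal": {"AWS": writer_role_arn},
                "Action": ["s3:PutObject", "s3:ListBucket"],
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
            },
            {
                "Sid": "NobodyElseWrites",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {"ArnNotEquals": {"aws:PrincipalArn": writer_role_arn}},
            },
        ],
    }


def put_object_allowed(policy, principal_arn, bucket, key):
    """Minimal IAM-style evaluation of one s3:PutObject request.

    Follows the real rule: an explicit Deny wins over any Allow, and with no
    matching Allow the request is implicitly denied. Only the constructs used
    in the policy above (AWS principal, '*' principal, ArnNotEquals on
    aws:PrincipalArn, * wildcards in resources) are implemented.
    """
    resource = f"arn:aws:s3:::{bucket}/{key}"
    allowed = False
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if "s3:PutObject" not in actions:
            continue
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        principal = st["Principal"]
        if principal != "*" and principal.get("AWS") != principal_arn:
            continue
        excluded = st.get("Condition", {}).get("ArnNotEquals", {}).get("aws:PrincipalArn")
        if excluded is not None and principal_arn == excluded:
            continue  # condition evaluates false, statement does not apply
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def demo():
    """Constructed requests against the policy; returns principal -> allowed."""
    policy = artifact_bucket_policy(ARTIFACT_BUCKET, CENTRAL_PIPELINE_ROLE)
    requests = {  # constructed principals, not real identities
        "central pipeline role": CENTRAL_PIPELINE_ROLE,
        "other role in central account": "arn:aws:iam::111111111111:role/some-other-role",
        "admin in the QA account itself": "arn:aws:iam::222222222222:role/QaAdmin",
    }
    return {name: put_object_allowed(policy, arn, ARTIFACT_BUCKET, "release/app.zip")
            for name, arn in requests.items()}


if __name__ == "__main__":
    print(json.dumps(artifact_bucket_policy(ARTIFACT_BUCKET, CENTRAL_PIPELINE_ROLE), indent=2))
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

Two things the policy alone does not cover: the CodePipeline S3 source action requires versioning to be enabled on the bucket, and because the objects are written by another account the bucket should use the "bucket owner enforced" Object Ownership setting (or the writer must set the bucket-owner-full-control ACL), otherwise the deployment account's pipeline role may be unable to read what the central account delivered.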
AWS provide a guide with source that does something close to what you are trying to do.
It should get you close enough and covers the permissions needed for the account to assume a role to checkout your repo in another account.

How to configure eb cli for team for deployment from more than one user?

I have deployed the Django application on AWS. I want the application to be deployable by the team as well. What is the procedure to do this? I have searched a lot and spent a couple of hours on it. Does anyone have an answer or a tutorial?
Can we share these keys?
aws_access_key_id
aws_secret_access_key
No, the AWS access keys should be kept secret and not even stored under version control.
For deployment (i.e. the credentials needed to actually release the code, used by EB), you should use an AWS profile. Add a ~/.aws/credentials file with
[myprofile]
aws_access_key_id=...
aws_secret_access_key=...
and then, on all eb commands use --profile. e.g.
eb create --profile myprofile
If your application requires other AWS services (e.g. RDS, S3, SQS), then you can use the same local profile for development (although I would recommend not requiring any other AWS services for testing) by using the environment variable export AWS_PROFILE=myprofile. And then rely on AWS roles and policies for the production environment.
If you feel you need the secret keys as Django settings, then consider using https://django-environ.readthedocs.org where you can keep all those secrets in a .env file that gets loaded by Django. But again, this file should not be under version control.
You should also create IAM users for every person in your team, so each person has their own credentials, and you can more easily monitor or, if needed, revoke credentials.

Continuous deploys on elastic beanstalk

I have everything set up and working with rolling deploys and being able to do git aws.push, but how do I add an authorized key to the EB server so my CI server can deploy as well?
Since you are using Shippable, I found this guide on Continuous Delivery using Shippable and Amazon Elastic Beanstalk that shows how to set it up on their end. Specifically, step 3 is what you are looking for.
It doesn't look like you need an authorized key, instead, you just need to give an AWS ID and AWS Secret Key that will allow Shippable to make API calls on your behalf. To do this, I recommend creating an IAM role that is specifically for Shippable. That way you can revoke it if you ever need to and only give it the permissions that it needs.