I have implemented identity federation for an AWS account to enable devs to use AWS services via corporate single sign-on/SAML.
All the initial reading I've done regarding AWS CodeCommit seems to require either an SSH key attached to a specific IAM user to enable that user to gain access to CodeCommit via SSH, or an Access Key ID & Secret Key combo for HTTPS access.
I can't see a way to enable a federated user (i.e. a user who can log in to AWS via an assumed role rather than as a specific IAM user) to access a CodeCommit repo. Can anybody help me? Am I missing something obvious?
The CodeCommit pricing talks about a federated user counting as an active user for pricing purposes which implies that it's possible.
AWS CodeCommit over HTTPS can use any credentials from the AWS CLI, including assumed role credentials. For example, you could have the following in your AWS CLI config (example taken from here):
[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadmin
source_profile = default
You would configure git to use that profile for CodeCommit repositories, and the role will be assumed for you when you push or pull a CodeCommit repo.
git config --global credential.helper '!aws --profile marketingadmin codecommit credential-helper $@'
For SAML, there's more setup to get the AWS CLI to be able to assume a role with SAML. See the AWS blog posts here and here for instructions. After following those instructions and running ./samlapi.py or ./samlapi_formauth.py, you would configure git to use the "saml" profile for CodeCommit repositories:
git config --global credential.helper '!aws --profile saml codecommit credential-helper $@'
For OSX
Install git and AWS cli
Configure AWS cli credentials:
aws configure
Set up the my-profile profile, which contains a role to be assumed, by modifying your ~/.aws/credentials file. Note that an admin should create this role in the AWS account that owns the CodeCommit repos, and the role should name your account as a trustee and have enough CodeCommit permissions.
[my-profile]
role_arn = ARN_OF_THE_ROLE_TO_BE_ASSUMED
source_profile = default
Double check your region config in ~/.aws/config :
[default]
region = us-east-1
Configure git to use the AWS CLI profile during clone/push/pull/etc. operations. Note the use of my-profile as the profile name, which in turn assumes a role, as already discussed.
git config --global credential.helper '!aws --profile "my-profile" codecommit credential-helper $@'
git config --global credential.UseHttpPath true
You should be able to perform git operations against CodeCommit repos belonging to the AWS parent account using HTTP endpoints.
Related
I am following https://aws.amazon.com/getting-started/hands-on/build-serverless-web-app-lambda-apigateway-s3-dynamodb-cognito/module-1/
and facing an issue when trying to clone the repo "wildrydes-site" I just created in CodeCommit.
git clone https://git-codecommit.us-east-1.amazonaws.com/v1/repos/wildrydes-site
Cloning into 'wildrydes-site_new'...
fatal: unable to access 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/wildrydes-site/': The requested URL returned error: 403
Make sure the IAM user or role being used has codecommit:GitPull permissions, or you can attach the managed policy AWSCodeCommitPowerUser to provide wider CodeCommit access.
Approach 1 for IAM Users using Git Credentials
You need to set up IAM credentials like they mentioned in point 'e'. Follow the instructions here to generate CodeCommit credentials for your IAM user.
The generated credentials will have a username and password with the username in the format <your-iam-username>-at-<account id>. Make sure to copy the password or download the credentials file. Use these username and password values when you run git clone command.
Approach 2 for IAM roles or users.
You need to configure your IAM user AWS credentials locally using aws configure or, if you are using roles, you need to run aws sts assume-role --role-arn <role-arn> to assume the role after aws configure and generate the temporary credentials, which you can export to your environment.
Once the aws credentials configuration is done, you can run below commands to use AWS CLI as your credential helper.
git config --global credential.helper '!aws codecommit credential-helper $@'
git config --global credential.UseHttpPath true
Run your git clone after running above commands. That should fix your issue too.
I am running a cdk deploy build on CircleCI, and when the CDK deploy step comes it gives me "Need to perform AWS calls for account ************, but no credentials have been configured".
But for troubleshooting I tried other commands as well, like
aws s3 ls
aws cloudformation list-stacks
The above commands were working fine, and I was also able to run a command to create a CloudFormation with the same config, but I am not able to run cdk deploy. The access key and secret I am using have Admin access.
Set the creds with a profile name using the aws-cli Orb in CircleCI and try using the below command to deploy with CDK:
cdk deploy --all --profile cdkprofile
For reference, in CircleCI
orbs:
  aws-cli: circleci/aws-cli@2.0.3
commands:
  env-setup:
    description: AWS Env Setup
    steps:
      - aws-cli/setup:
          profile-name: cdkprofile
          aws-access-key-id: AWS_ACCESS_KEY_ID
          aws-secret-access-key: AWS_SECRET_ACCESS_KEY
This assumes AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are set as CircleCI environment variables.
As a starting note: The best way to troubleshoot is with cdk [command] --verbose (see CLI ref)
CDK has an internal mechanism for finding credentials not directly using AWS CLI (AWS CLI is not a requirement for CDK to run)
In a similar situation with a CI tool, the issue was simply that the ~/.aws/credentials file did not exist (not that you need it with AWS CLI, but in the situation for CDK, it was required)
Credit to this issue reporting: https://github.com/aws/aws-cdk/issues/6947#issue-586402006
Solution tested for above:
For an EC2 running CI tool, with EC2 IAM role
Where ~/.aws/config exists and defined profile(s) with:
credential_source = Ec2InstanceMetadata
role_arn = arn:aws:iam:::role/role-to-assume-in-acctId
Create empty ~/.aws/credentials file
Example error for the problem solved above (from verbose output)
Resolving default credentials
Notices refreshed
Unable to determine the default AWS account: ProcessCredentialsProviderFailure: Profile myprofile did not include credential process
Other causes found in other issues/comments could relate to:
Duplicate profiles
Having credential_process in the profile, set to empty
Needing --profile parameter to be added
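An added shell example (not from the original answers) that checks an AWS config directory for three of the causes named above: a config file with no credentials file beside it, duplicate profile sections, and a credential_process key set to empty. The function name, finding labels, role name and sample profile are constructed for illustration.

```shell
#!/bin/sh
# check_aws_dir [DIR]: print one finding per line for the CDK credential
# pitfalls listed above; exit status is 1 if anything was found.
check_aws_dir() (
  dir="${1:-$HOME/.aws}"
  {
    # Case from the answer: profiles live in config, credentials file absent.
    if [ -f "$dir/config" ] && [ ! -e "$dir/credentials" ]; then
      echo "missing-credentials-file"
    fi
    for f in config credentials; do
      [ -f "$dir/$f" ] || continue
      awk -v file="$f" '
        # Section header such as [default] or [profile ci]
        /^[ \t]*\[.*\][ \t]*$/ {
          sec = $0
          sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
          if (seen[sec]++) print "duplicate-profile " file " [" sec "]"
          next
        }
        # Key present but value empty
        /^[ \t]*credential_process[ \t]*=[ \t]*$/ {
          print "empty-credential_process " file " [" sec "]"
        }
      ' "$dir/$f"
    done
  } | awk '{ print; n++ } END { exit (n > 0) }'
)

# Constructed sample: duplicated profile, empty credential_process,
# and no credentials file beside the config.
demo=$(mktemp -d)
cat > "$demo/config" <<'EOF'
[profile ci]
credential_source = Ec2InstanceMetadata
role_arn = arn:aws:iam::123456789012:role/example-role

[profile ci]
credential_process =
EOF
check_aws_dir "$demo" || echo "findings above; fix before running cdk"
: > "$demo/credentials"   # the empty file from the answer clears the first finding
check_aws_dir "$demo" || true
rm -rf "$demo"
```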
I cannot seem to get my AWS provider to use my AWS credentials in the Docker Containers
I have run all of these so far
serverless config credentials --provider provider --key key --secret secret
&
aws configure
☝️ ran through the prompts and plugged in my info
&
export AWS_ACCESS_KEY_ID=blah
export AWS_SECRET_ACCESS_KEY=blah
export AWS_DEFAULT_REGION=east-whatever
But still, get stopped by AWS
ServerlessError: AWS provider credentials not found. Learn how to set up AWS provider credentials in our docs here:.
I have also generated and regenerated my IAM creds multiple times; also, when I run aws configure list it returns
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************67GT shared-credentials-file
secret_key     ****************6glt shared-credentials-file
    region                us-east-2      config-file    ~/.aws/config
I am not sure what else to do, I am on Ubuntu 20.04 using Bash
I will take the approach of setting everything up using aws-cli (hence aws-cli installation is important):
Install aws cli.
Run aws configure and enter your creds; this info will be stored in a profile called default in the ~/.aws/credentials file. docs.
Verify your configuration by checking the ~/.aws/config and ~/.aws/credentials files.
For Serverless Framework deployment, use serverless deploy.
If multiple profiles need to be used, use sls deploy --aws-profile profile-name
I have configured serverless with key and secret.
When I try to run serverless deploy it says:
ServerlessError: AWS provider credentials not found. Learn how to set up AWS provider credentials in our docs here:.
Please help me what to do
This is how to setup AWS credentials on the local:
Sign in to AWS console
Go to your AWS account overview
Account menu in the upper-right (has your name on it)
sub-menu: Security Credentials
Copy <Access Key ID>
Copy <Secret Access Key>
Run on local serverless config credentials --provider aws --key <Access Key ID> --secret <Secret Access Key>
You can set up your serverless credentials by using the serverless config credentials command, with --provider aws and using --key and --secret to set your AWS Access Key ID and Secret Access Key, respectively.
See the Serverless AWS - Config Credentials documentation for Serverless specifics, and this AWS document on security credentials in case you need to figure out what your credentials are.
Also give your profile and region configuration in your yml file
provider:
  name: aws
  runtime: python2.7
  lambdaHashingVersion: 20201221
  profile: 'serverless-admin'
  region: 'us-east-1'
I had the same problem. I tried everything. I configured my credentials (AWS key and secret) with both the aws cli and the serverless cli but still got the same error when I ran:
sls deploy -v
I was using CMD before; then I realized something when I ran the command
aws configure list
The output is
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************SOU5 shared-credentials-file
secret_key     ****************Cki5 shared-credentials-file
    region                eu-west-1      config-file    ~/.aws/config
The path of the config file is
~/.aws/config
and CMD doesn't know what the ~/ path is, but Bash does.
😈
then I run the
sls deploy -v
on bash terminal and it worked 🎉🙌🙌🎉🐱🏍
For those who have the same problem even after configuring the AWS credentials for serverless by running the command serverless config credentials:
I had the same problem; even when I had properly set up my AWS credentials on serverless, when I ran the serverless deploy command, I got this: ServerlessError: AWS provider credentials not found.
How did I solve it? By installing and configuring the AWS CLI tool. Once I installed it and configured it with my AWS credentials, and then ran the serverless deploy command again, it just worked fine.
I guess the serverless command, behind the scenes, uses the AWS CLI to access AWS and provision the AWS resources.
I hope this could be helpful for someone.
I am new to Amazon Web Services world, and I am implementing Continuous Delivery to the company I work for.
I followed AWS's [instructions to configure CodeCommit Service](http://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-https-windows.html#setting-up-https-windows-account)
Step 1: Initial Configuration for AWS CodeCommit
To create and configure an IAM user for accessing AWS CodeCommit:
I created a new IAM user and gave him AWSCodeCommitFullAccess
To install and configure the AWS CLI :
I installed and configured the credentials doing aws configure.
Setting AWS Access Key ID, AWS Secret Access Key, Default region name to us-east-1 and de
Step 2: Install Git
I installed Git For Windows making sure the Enable Git Credential Manager option was cleared.
Step 3: Set Up the Credential Helper
git config --global credential.helper "!aws codecommit credential-helper $@"
git config --global credential.UseHttpPath true
Executing:
git config --global --edit
My Configuration is:
[http]
sslVerify = false
[credential]
helper = "aws codecommit list-repositories codecommit credential-helper "
UseHttpPath = true
Step 4: Connect to the AWS CodeCommit Console and Clone the Repository
$ git clone https://git-codecommit.us-east-1.amazonaws.com/v1/repos/teste-git-to-s3
Cloning into 'teste-git-to-s3'...
git: 'credential-aws' is not a git command. See 'git --help'.
Username for 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/teste-git-to-s3': Lucas
fatal: unable to access 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/teste-git-to-s3/': The requested URL returned error: 403
Looking for AWS troubleshooting, I found: Troubleshooting AWS CodeCommit but I couldn't solve it.
How can this be solved?
I think the issue is in your .gitconfig file. Change it to below and it should work.
[credential]
helper = !aws codecommit credential-helper $@
UseHttpPath = true
By the way, if you are using a Bash emulator instead of the Windows command line, you must use single quotes instead of double quotes.
Let me know if this doesn't work.
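Added example, not from the original posts: a shell check that flags what is wrong in the question's gitconfig. A helper value without a leading `!` makes git look for a `git credential-aws` command (the error in the clone output above), and the stored value is consistent with typing the command in double quotes in an interactive Bash, where `!aws` is history-expanded and `$@` expands to nothing; `sslVerify = false` under `[http]` also turns off TLS certificate verification. The function name and finding labels are made up here, and the sample file is constructed from the config shown in the question.

```shell
#!/bin/sh
# lint_gitconfig FILE: print one finding per line; exit status 1 if any.
lint_gitconfig() {
  awk '
    /^[ \t]*\[/ { sec = tolower($0); sub(/^[ \t]*\[/, "", sec); next }
    /=/ {
      key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key); key = tolower(key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      sub(/^"/, "", val); sub(/"$/, "", val)   # drop surrounding double quotes
      # TLS certificate checks switched off for HTTPS remotes
      if (sec ~ /^http/ && key == "sslverify" && tolower(val) == "false")
        print "tls-verify-disabled line " NR
      if (sec ~ /^credential/ && key == "helper" && val ~ /aws/) {
        awshelper = 1
        # Without a leading "!" git runs "git credential-<first word>"
        if (val !~ /^!/) print "helper-not-shell line " NR
      }
      # The answers on this page always pair the helper with UseHttpPath = true
      if (sec ~ /^credential/ && key == "usehttppath" && tolower(val) == "true")
        httppath = 1
    }
    END { if (awshelper && !httppath) print "usehttppath-not-true" }
  ' "$1" | awk '{ print; n++ } END { exit (n > 0) }'
}

# Constructed sample, copied from the config in the question.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[http]
sslVerify = false
[credential]
helper = "aws codecommit list-repositories codecommit credential-helper "
UseHttpPath = true
EOF
lint_gitconfig "$sample" || echo "fix the findings above before cloning"
rm -f "$sample"
```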
If you are using cygwin, after you created the repository, click the connect info button, select linux instead of windows, it works on mine.
I experienced this problem with Python 3.8.x - make sure you are using Python 3.7.x instead, as shown in the docs