
I have a CodeCommit REPO1 in AWS account 1111. I need to clone REPO1 in EC2 instances that will be launched and terminate on a regular basis in AWS account 2222. The EC2's are launched to perform some batch jobs for a short period (minutes), then are terminated in automated manner.

Without generating static credentials, how can I use roles to launch EC2 instances in 2222 and clone REPO1 from 1111? The process must be automated using bash/CLI.

I have been banging my head against my desk for a couple of days now to no avail.

Mike A
  • What have you tried so far? Suggest you attach that to the question. – Rodrigo Murillo Jan 15 '18 at 23:14
  • Unfortunately, I did not keep a log. Even then, I am open to trying again the same things. I might have been thwarted by a typo or something trivial. It's often the case with policies and roles and ARNs. – Mike A Jan 15 '18 at 23:21
  • Add the cross account policy and Trust relationships information to your question. These items are the first two tabs on the IAM Roles console. Most likely you forgot to setup "Trust relationships". – John Hanley Jan 15 '18 at 23:25

1 Answer

6

You need to create a role (R1) in account 1111 that:

  • Trusts account 2222 to assume it
  • Has the necessary permissions to access the repository REPO1

Then you need to make sure that the instance role for your EC2 instance has AssumeRole permissions. This allows you to assume R1 from within your EC2 instance.

Now, within your EC2 instance in account 2222, you should set a profile that accesses REPO1 through the role. You can do so by adding something that looks similar to the following to your ~/.aws/config file:

[profile cross-account-role]
role_arn = arn:aws:iam::<1111>:role/<R1>
credential_source = Ec2InstanceMetadata
external_id = <ExternalId of R1>
output = json
region = <Region where REPO1 is>

You then want to confirm whether you've set your permissions correctly; you can do:

aws --profile cross-account-role codecommit get-repository --repository-name REPO1

Once this works, you want to configure the git client to use the credential-helper with the correct profile, in your ~/.gitconfig by running:

git config --global credential.helper '!aws codecommit --profile cross-account-role credential-helper $@'
git config --global credential.UseHttpPath true
Yilun Cui
  • Thank you Yilun. When I follow steps, I keep getting "Partial credentials found in assume-role, missing: 'source_profile'" – Mike A Jan 16 '18 at 00:28
  • @MikeA what version of the CLI are you running on your EC2 instance? Mine says: aws --version aws-cli/1.11.170 Python/2.7.11 Darwin/16.7.0 botocore/1.8.25 – Yilun Cui Jan 16 '18 at 01:42
  • @MikeA, credential_source = Ec2InstanceMetadata should have been added to botocore >= 1.80. Here is the github reference: https://github.com/boto/botocore/pull/1313/commits/e0875fd7efe2cc7d0d12005c398d65ee767bb38b – Yilun Cui Jan 16 '18 at 01:48
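The answer above lists the pieces (a role R1 in the repo account with a trust policy and repository permissions, an instance role in the EC2 account that may assume R1, a `credential_source = Ec2InstanceMetadata` profile, and the git credential helper) but not the policy documents themselves. The script below is an added example, not code from the answer or from AWS: it emits least-privilege versions of the three policies so they can be reviewed before being attached, writes the profile from the answer, and runs the verification, git configuration and clone on the instance. The 12-digit account IDs, region, external ID and the `policies`/`clone` subcommands are constructed placeholders; substitute your own values.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer): cross-account CodeCommit clone
# using roles only. Account IDs, region, role/repo names and the external ID
# are constructed placeholders.
set -euo pipefail

REPO_ACCOUNT="111111111111"      # account that owns REPO1 (the "1111" of the question)
EC2_ACCOUNT="222222222222"       # account where the batch EC2 instances run ("2222")
REPO_NAME="REPO1"
REPO_REGION="us-east-1"          # assumed region of REPO1
ROLE_NAME="R1"
EXTERNAL_ID="batch-clone-7f3a"   # constructed; an opaque string agreed between both accounts
ROLE_ARN="arn:aws:iam::${REPO_ACCOUNT}:role/${ROLE_NAME}"
REPO_ARN="arn:aws:codecommit:${REPO_REGION}:${REPO_ACCOUNT}:${REPO_NAME}"

# Trust policy for R1 (created in the repo account). Trusting the account root
# lets any principal in 2222 that itself holds sts:AssumeRole on R1 assume it;
# the ExternalId condition must match the external_id in the CLI profile.
trust_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"AWS":"arn:aws:iam::${EC2_ACCOUNT}:root"},
 "Action":"sts:AssumeRole",
 "Condition":{"StringEquals":{"sts:ExternalId":"${EXTERNAL_ID}"}}}]}
EOF
}

# Permissions for R1: read-only on the single repository a clone needs.
repo_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Action":["codecommit:GetRepository","codecommit:GitPull"],
 "Resource":"${REPO_ARN}"}]}
EOF
}

# Inline policy for the EC2 instance role in 2222: it may assume R1 and nothing else.
instance_role_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Action":"sts:AssumeRole","Resource":"${ROLE_ARN}"}]}
EOF
}

# The ~/.aws/config profile from the answer; $1 is the config file to append to.
write_profile() {
  mkdir -p "$(dirname "$1")"
  cat >>"$1" <<EOF

[profile cross-account-role]
role_arn = ${ROLE_ARN}
credential_source = Ec2InstanceMetadata
external_id = ${EXTERNAL_ID}
output = json
region = ${REPO_REGION}
EOF
}

# Steps that only work on the instance itself (they need the AWS CLI and the
# instance metadata service). Run from user-data or the batch job's bootstrap.
clone_on_instance() {
  write_profile "${HOME}/.aws/config"
  # Fail fast with a clear error if any link in the trust chain is wrong.
  aws --profile cross-account-role codecommit get-repository \
      --repository-name "${REPO_NAME}" >/dev/null
  git config --global credential.helper \
      '!aws codecommit --profile cross-account-role credential-helper $@'
  git config --global credential.UseHttpPath true
  git clone "https://git-codecommit.${REPO_REGION}.amazonaws.com/v1/repos/${REPO_NAME}"
}

case "${1:-}" in
  policies) trust_policy; repo_policy; instance_role_policy ;;   # review, then attach
  clone)    clone_on_instance ;;                                  # run on the EC2 instance
esac
```

Run `./clone.sh policies` once to print the three JSON documents (attach the first two to R1 in the repo account and the third to the instance role in the EC2 account), then ship the script to the instance and run `./clone.sh clone` from user-data. Because the profile uses `credential_source = Ec2InstanceMetadata` rather than `source_profile`, no static key ever lands on the instance; the instance role's short-lived credentials are exchanged for R1's via STS on each git operation, which also means every clone shows up in the repo account's CloudTrail as an `AssumeRole` from account 2222.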