6

We have 2 repos

  1. Repo 1
  2. Repo 2

Inside Repo 1 > package.json there is a dependency

"dependencies": {
    "repo-2": "git+https://git-codecommit.us-east-1.amazonaws.com/v1/repos/repo-2/"
}

Then, inside CodeBuild for "repo-1", we have the following buildspec

version: 0.2

phases:
  install:
    runtime-versions:
      nodejs: 10
    commands:
      - mkdir -p ./deploy
  build:
    commands:
      - echo "Server copy START $(date)"
      - cp -r ./index.js ./deploy/index.js
      - cp -r ./package.json ./deploy/package.json
      - cp -r ./buildspec.yml ./deploy/buildspec.yml
      - echo "Server copy END $(date)"
      - echo "Server npm install START $(date)"
      - cd ./deploy && npm install --production
      - echo "Server npm install END $(date)"
  post_build:
    commands:
artifacts:
  files:
        - '**/*'
  base-directory: 'deploy'

The error CodeBuild throws is the following

npm ERR! fatal: unable to access 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/repo-2/': The requested URL returned error: 403 

Basically, the question is: Can I use CodeCommit repo as npm dependency and what is the proper way to do it?

Try #1

I tried to add this (and similar variations) but had no success: https://medium.com/@ngchiwang/aws-npm-install-private-codecommit-module-8512c3203c37

Try #2

I also tried to change the dependency URL to this

"repo-2": "git://git-codecommit.us-east-1.amazonaws.com/v1/repos/repo-2"

But I am getting the following error

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fatal: unable to connect to git-codecommit.us-east-1.amazonaws.com: 
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: git-codecommit.us-east-1.amazonaws.com[0: 52.94.233.146]: errno=Connection refused
Andrej Kaurin
  • 403 is “Forbidden”. Your CodeBuild role needs permission to access the repo. – hephalump Aug 29 '19 at 11:57
  • 1
    CodeBuild assigned role has access to the repo. – Andrej Kaurin Aug 29 '19 at 12:01
  • My fault @AndrejKaurin, it's actually an NPM error; have you configured your NPM credentials inside the CodeBuild environment? You need to log in to NPM so you can access the private package. – hephalump Aug 29 '19 at 12:07
  • 1
    But the private package is on CodeCommit. – Andrej Kaurin Aug 29 '19 at 15:00
  • Sorry @Andrej Kaurin, it was early and I was reading on my phone while in transit. You're basically trying to do this: `npm install git+https://git-codecommit.us-east-1.amazonaws.com/v1/repos/repo-2/`. Try changing the dependency to `"repo-2": "git://git-codecommit.us-east-1.amazonaws.com/v1/repos/repo-2/"` which should solve it. Also, I noticed that you're passing the `--production` flag with your `npm install` but you've shown the repo as a devDependency... devDependencies should not be being installed if you pass the production flag, so this may be part of the issue. – hephalump Aug 29 '19 at 20:00
  • 1
    I am using "dependencies", but posted "devDependencies" by mistake. Tried your suggestion but no success. I updated the question with the error. – Andrej Kaurin Aug 30 '19 at 00:30

3 Answers

8

I ran into this same issue today and got it working by enabling git-credential-helper in the env section of the buildspec file.

Example:

version: 0.2
env:
  git-credential-helper: yes
phases:
  install:
    runtime-versions:
      nodejs: 10
    commands:
      - npm install
  build:
    commands:
      - npm run build

This combined with CodeCommit privileges in the policy (that you said you already have) results in working builds with private npm packages from CodeCommit.

Covalence
  • 1
    This was the last piece of the puzzle for me. I had to do the following: 1. Have the dependency defined in package.json as git+https://... 2. Give the CodeBuild role CodeCommit read access 3. This comment – Alex Koutmos Sep 24 '19 at 15:29
  • 1
    This fixed my issue as well. With this line, `git-credential-helper: yes`, CodeBuild can use the access token in config to install the private repo – Allloush Mar 02 '20 at 07:11
2

I had a similar issue last week, so I will share the solution recommended by the Amazon team.

The better approach for this would be to set "git-credential-helper" to yes [1] in the env section of your buildspec file; you can then use HTTPS to access the repository. Please refer to the buildspec example below.

================Buildspec Snippet=================

version: 0.2

env:
    git-credential-helper: yes

phases:
    pre_build:
        commands:
        - /usr/bin/git ls-remote -h -t https://git-codecommit.us-east-1.amazonaws.com/v1/repos/repo-2/

================Buildspec Snippet=================

Also, please make sure you have provided the required permissions to access the CodeCommit repository in the CodeBuild IAM role. I am providing sample IAM policies below, which you can refer to when granting permissions depending on your use case:

===========IAM Policy example=============

   {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "codecommit:GetRepository",
                    "codecommit:GitPull",
                    "codecommit:GetFolder"
                ],
                "Resource": "arn:aws:codecommit:us-east-1:<account-id>:<put repo Name or *>"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "codecommit:ListRepositories",
                "Resource": "*"
            }
        ]
    }

===========IAM Policy example=============

Please check if the above approach helps in achieving your use-case.

Kindly note that the above buildspec snippet is just an example to explain how you can access the CodeCommit repo, and it needs to be modified as per your requirements. For example, you can describe your repository dependency in package.json as below, which I assume you are already doing, and run npm install through your buildspec file in CodeBuild.

"dependencies": {
    "my-npm": "git+https://git-codecommit.us-east-1.amazonaws.com/v1/repos/<repo name>"
},
Willian
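A preflight check for the setup the answers above describe: each CodeCommit dependency in package.json must use a `git+https` URL, and the CodeBuild role policy must allow `codecommit:GitPull` on that repository's ARN. This is an added example, not code from the original posts or from AWS; the function names, the account ID 111122223333 and the sample inputs are constructed, and the policy evaluation is simplified (no `Condition`, `NotAction` or `NotResource`).

```javascript
// Added example: check that every CodeCommit npm dependency is reachable
// with the permissions in a CodeBuild role policy. All names are hypothetical.
const CC_URL = /^git\+https:\/\/git-codecommit\.([a-z0-9-]+)\.amazonaws\.com\/v1\/repos\/([^\/#]+)\/?(#.*)?$/;

// IAM-style wildcard match: '*' is any run of characters, '?' is one character.
function iamMatch(pattern, value) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp(`^${re}$`).test(value);
}

// Simplified evaluation: explicit Deny beats Allow; Condition, NotAction and
// NotResource are not evaluated.
function checkCodeCommitDeps(pkg, policy, accountId) {
  const statements = [].concat(policy.Statement || []);
  const grants = (effect, arn) => statements.some(s =>
    s.Effect === effect &&
    [].concat(s.Action || []).some(a => iamMatch(a.toLowerCase(), 'codecommit:gitpull')) &&
    [].concat(s.Resource || []).some(r => iamMatch(r, arn)));
  const deps = { ...pkg.dependencies, ...pkg.optionalDependencies };
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    if (typeof spec !== 'string' || !spec.includes('git-codecommit.')) continue;
    const m = CC_URL.exec(spec);
    if (!m) { // e.g. git:// is the unauthenticated Git protocol
      findings.push({ name, ok: false, reason: 'not a git+https CodeCommit URL' });
      continue;
    }
    const arn = `arn:aws:codecommit:${m[1]}:${accountId}:${m[2]}`;
    const ok = grants('Allow', arn) && !grants('Deny', arn);
    findings.push({ name, arn, ok,
      reason: ok ? 'GitPull allowed' : 'GitPull not allowed on this ARN' });
  }
  return findings;
}

// Constructed sample inputs (not taken from a real account).
const samplePkg = { dependencies: {
  'repo-2': 'git+https://git-codecommit.us-east-1.amazonaws.com/v1/repos/repo-2/',
  'repo-3': 'git://git-codecommit.us-east-1.amazonaws.com/v1/repos/repo-3',
  'left-pad': '^1.3.0' } };
const samplePolicy = { Version: '2012-10-17', Statement: [{
  Effect: 'Allow', Action: ['codecommit:GitPull'],
  Resource: 'arn:aws:codecommit:us-east-1:111122223333:repo-2' }] };

console.log(checkCodeCommitDeps(samplePkg, samplePolicy, '111122223333'));
```

A policy scoped to the single repository ARN, as in the sample, passes the check without granting pull access to every repository in the account.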
0

Try using your private AWS CodeCommit repo as your npm module using following commands:

git config --global credential.helper '!aws codecommit credential-helper $@'
git config --global credential.UseHttpPath true
git config --global url."ssh://".insteadOf https://
npm install --save git+https://<your_repo_url>#master

If you want to use npm dependency instead, check out the answers on a similar question here: npm install private github repositories by dependency in package.json

Abdullah Khawer