[英]Setting up SSH keys for github private repo access on Elastic Beanstalk
My Node.JS project contains references to private NPM repos hosted on github. 我的Node.JS项目包含对github上托管的私有NPM repos的引用。 This works fine locally, but I'm struggling to get this working on Elastic Beanstalk.
这在本地工作正常,但我很难在Elastic Beanstalk上工作。
dependencies: {
...
"express": "^4.12.4",
"jsonwebtoken": "^5.0.5",
"my-private-module": "git@github.com:<my-user>/<my-repo>.git#<my-version>",
...
}
- -
What I need is to be able to set up a working SSH configuration for git on my Elastic Beanstalk instances, without having to store secret keys etc in source control. 我需要的是能够在我的Elastic Beanstalk实例上为git设置一个有效的SSH配置,而不必在源代码控制中存储密钥等。
Obviously, the EB instances do not have the needed SSH keys to access my private github repos. 显然,EB实例没有所需的SSH密钥来访问我的私有github存储库。 If I use HTTPS style git URL's with
username:password@github.com
inlined, it works fine. 如果我使用HTTPS样式的git URL和
username:password@github.com
内联,它可以正常工作。 It also works using the oauth token method offered by github (which is essentially a user:pass). 它也可以使用github提供的oauth令牌方法 (实际上是用户:pass)。 But I do not want any credentials to be checked in to source control, so I'm trying to get cloning from github to work via SSH on my EB instances.
但我不希望任何凭据被签入源代码控制,所以我试图从github克隆到我的EB实例上通过SSH工作。
I've tried a million ways, including npm preinstall
scripts according to this blog post , which used to work until npm2 where a change made preinstall to run after the tree is built, and the PR to fix that issue is still pending. 我已经尝试了一百万种方法,包括根据这篇博客文章的
npm preinstall
脚本,它曾经工作到npm2,其中一个更改使预安装在构建树之后运行,并且修复该问题的PR仍然未决。
I've tried an .ebextensions
commands configuration that tries to call git config
to place an insteadof
on git@github.com into a HTTPS URL with an OAUTH token coming from an environment variable (tricky in itself since env variables aren't set at this time in the startup cycle, and the lack of $HOME makes git config confused). 我已经尝试了一个
.ebextensions
命令配置,它试图调用git config
将一个insteadof
为git@github.com放入一个带有来自环境变量的OAUTH令牌的HTTPS URL(由于env变量未设置为这次在启动周期中,缺少$ HOME会让git配置混乱)。
I've also tried various different ways using .ebextensions
to setup SSH on my EB instances, including this solution from the comments on the mentioned blog post . 我还尝试了各种不同的方法,使用
.ebextensions
在我的EB实例上设置SSH,包括来自上述博客文章评论的解决方案 。 This is basically where I'm stuck now. 这基本上就是我现在被困住的地方。
.ebextensions
files
configuration which copies these two files from my S3 bucket into /tmp/.ssh/
, according to this example .ebextensions
files
配置,它将这两个文件从我的S3存储桶复制到/tmp/.ssh/
,根据这个例子 commands
.ebextensions
configuration which lists /tmp/.ssh and shows that the files were downloaded from S3 successfully: commands
.ebextensions
配置,列出了/tmp/.ssh并显示文件是从S3成功下载的: /tmp/.ssh/config contains: /tmp/.ssh/config包含:
Host github.com
IdentityFile /tmp/.ssh/deploy_key
IdentitiesOnly yes
UserKnownHostsFile=/dev/null
StrictHostKeyChecking no
/tmp/.ssh/deploy_key contains my private key which is verified to work locally. /tmp/.ssh/deploy_key包含我的私钥,该私钥经过验证可在本地运行。
However, git still throws an error: 但是,git仍然会抛出一个错误:
npm ERR! Command failed: git clone --template=/tmp/.npm/_git-remotes/_templates --mirror ssh://git@github.com/[.....]
npm ERR! Cloning into bare repository '/tmp/.npm/_git-remotes/git-ssh-git-github-com-[...]
npm ERR! Host key verification failed.
npm ERR! fatal: Could not read from remote repository.
npm ERR!
npm ERR! Please make sure you have the correct access rights
npm ERR! and the repository exists.
I am now running out of ideas. 我现在已经没想完了。 My best guess would be that /tmp/.ssh is not the path where git goes to look for the ssh config file - it might have been when the linked solution was proposed but might have changed in later AMI:s etc. The environment used when EB is starting up seems to be a bit limited;
我最好的猜测是/tmp/.ssh不是git去寻找ssh配置文件的路径 - 它可能是在提出链接解决方案但在以后的AMI中可能已经改变的时候:s等。使用的环境当EB启动时似乎有点受限; commands are run as user
nodejs
but /tmp seems to be used as the home directory, even though $HOME is not set anywhere. 命令以用户
nodejs
运行,但/ tmp似乎用nodejs
目录,即使$ HOME未在任何地方设置。
How can I get git to pick up my SSH config, and consequently use my SSH key? 我如何获取git来获取我的SSH配置,从而使用我的SSH密钥? How can I find out where git looks for a SSH config file?
我怎样才能找到git查找SSH配置文件的位置? Normally it's in ~/.ssh, but since $HOME is not set, well... This should be easy but is driving me nuts.
通常它在〜/ .ssh,但由于$ HOME没有设置好,所以......这应该很容易但是让我疯了。
After a full day's struggle and finally stumbling over this answer to a very similar question I had previously missed, it turns out the correct place to put ssh keys in order to be picked up by git on EB is in /root/.ssh
, not /tmp/.ssh
, not /home/ec2-user/.ssh
. 经过一整天的挣扎,终于磕磕绊绊地回答了我之前错过的一个非常相似的问题,结果是正确的地方放置ssh键以便被EB上的git拾取在
/root/.ssh
, 而不是 /tmp/.ssh
, 而不是 /home/ec2-user/.ssh
。
My final configuration (assuming there's a private SSH key located in a S3 bucket at <my-bucket>/github-eb-key
, and the corresponding public key is registered with a github user having access to the repo(s)), using an AMI configured as 64bit Amazon Linux 2016.09 v3.3.0 running Node.js
, and with the following in .ebextensions/01_ssh_setup.config
: 我的最终配置(假设在
<my-bucket>/github-eb-key
的S3存储桶中有一个私有SSH密钥,并且相应的公钥是通过访问存储库的github用户注册的),使用AMI配置为64bit Amazon Linux 2016.09 v3.3.0 running Node.js
,以及.ebextensions/01_ssh_setup.config
的以下.ebextensions/01_ssh_setup.config
:
Resources:
AWSEBAutoScalingGroup:
Metadata:
? "AWS::CloudFormation::Authentication"
:
S3Auth:
buckets:
- <my-bucket>
roleName:
? "Fn::GetOptionSetting"
:
DefaultValue: aws-elasticbeanstalk-ec2-role
Namespace: "aws:asg:launchconfiguration"
OptionName: IamInstanceProfile
type: s3
files:
/root/.ssh/github-eb-key:
authentication: S3Auth
mode: "000600"
owner: root
group: root
source: "https://s3-eu-west-1.amazonaws.com/<my-bucket>/github-eb-key"
/root/.ssh/config:
mode: "000600"
owner: root
group: root
content: |
Host github.com
IdentityFile /root/.ssh/github-eb-key
IdentitiesOnly yes
UserKnownHostsFile=/dev/null
StrictHostKeyChecking no
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.