
Setting up SSH keys for github private repo access on Elastic Beanstalk

My Node.JS project contains references to private NPM repos hosted on github. This works fine locally, but I'm struggling to get this working on Elastic Beanstalk.

dependencies: {
  ...
  "express": "^4.12.4",
  "jsonwebtoken": "^5.0.5",
  "my-private-module": "git@github.com:<my-user>/<my-repo>.git#<my-version>",
  ...
}


What I need is to be able to set up a working SSH configuration for git on my Elastic Beanstalk instances, without having to store secret keys etc. in source control.

Obviously, the EB instances do not have the needed SSH keys to access my private github repos. If I use HTTPS style git URLs with username:password@github.com inlined, it works fine. It also works using the oauth token method offered by github (which is essentially a user:pass). But I do not want any credentials to be checked in to source control, so I'm trying to get cloning from github to work via SSH on my EB instances.

I've tried a million ways, including npm preinstall scripts according to this blog post, which used to work until npm2, where a change made preinstall run after the tree is built, and the PR to fix that issue is still pending.

I've tried an .ebextensions commands configuration that tries to call git config to place an insteadof on git@github.com into an HTTPS URL with an OAUTH token coming from an environment variable (tricky in itself since env variables aren't set at this time in the startup cycle, and the lack of $HOME makes git config confused).

I've also tried various different ways using .ebextensions to set up SSH on my EB instances, including this solution from the comments on the mentioned blog post. This is basically where I'm stuck now.

  • I have successfully created a key pair, set it up on my github profile, and verified that the private key is usable from my local client to clone my repo
  • I have put my private key and an ssh config file on a private S3 bucket
  • I've created an .ebextensions files configuration which copies these two files from my S3 bucket into /tmp/.ssh/, according to this example
  • I've created a debug commands .ebextensions configuration which lists /tmp/.ssh and shows that the files were downloaded from S3 successfully:

/tmp/.ssh/config contains:

Host github.com
    IdentityFile /tmp/.ssh/deploy_key
    IdentitiesOnly yes
    UserKnownHostsFile=/dev/null
    StrictHostKeyChecking no

/tmp/.ssh/deploy_key contains my private key which is verified to work locally.

However, git still throws an error:

npm ERR! Command failed: git clone --template=/tmp/.npm/_git-remotes/_templates --mirror ssh://git@github.com/[.....]
npm ERR! Cloning into bare repository '/tmp/.npm/_git-remotes/git-ssh-git-github-com-[...]
npm ERR! Host key verification failed.
npm ERR! fatal: Could not read from remote repository.
npm ERR! 
npm ERR! Please make sure you have the correct access rights
npm ERR! and the repository exists.

I am now running out of ideas. My best guess would be that /tmp/.ssh is not the path where git goes to look for the ssh config file - it might have been when the linked solution was proposed but might have changed in later AMIs etc. The environment used when EB is starting up seems to be a bit limited; commands are run as user nodejs but /tmp seems to be used as the home directory, even though $HOME is not set anywhere.

How can I get git to pick up my SSH config, and consequently use my SSH key? How can I find out where git looks for an SSH config file? Normally it's in ~/.ssh, but since $HOME is not set, well... This should be easy but is driving me nuts.

After a full day's struggle and finally stumbling over this answer to a very similar question I had previously missed, it turns out the correct place to put ssh keys in order to be picked up by git on EB is in /root/.ssh, not /tmp/.ssh, not /home/ec2-user/.ssh.

My final configuration (assuming there's a private SSH key located in an S3 bucket at <my-bucket>/github-eb-key, and the corresponding public key is registered with a github user having access to the repo(s)), using an AMI configured as 64bit Amazon Linux 2016.09 v3.3.0 running Node.js, and with the following in .ebextensions/01_ssh_setup.config:

Resources: 
  AWSEBAutoScalingGroup: 
    Metadata: 
      ? "AWS::CloudFormation::Authentication"
      : 
        S3Auth: 
          buckets: 
            - <my-bucket>
          roleName: 
            ? "Fn::GetOptionSetting"
            : 
              DefaultValue: aws-elasticbeanstalk-ec2-role
              Namespace: "aws:asg:launchconfiguration"
              OptionName: IamInstanceProfile
          type: s3
files: 
  /root/.ssh/github-eb-key: 
    authentication: S3Auth
    mode: "000600"
    owner: root
    group: root
    source: "https://s3-eu-west-1.amazonaws.com/<my-bucket>/github-eb-key"
  /root/.ssh/config: 
    mode: "000600"
    owner: root
    group: root
    content: |
      Host github.com
        IdentityFile /root/.ssh/github-eb-key
        IdentitiesOnly yes
        UserKnownHostsFile=/dev/null
        StrictHostKeyChecking no
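
A variant of the `files:` section above that keeps SSH host key verification on by pinning GitHub's public host key, instead of pointing `UserKnownHostsFile` at /dev/null and setting `StrictHostKeyChecking no`. This is an added example, not part of the original answer; the host key line is a placeholder to be filled from GitHub's published SSH host keys, and the `commands:` check and its name are assumptions.

```yaml
# Added example: files: section of .ebextensions/01_ssh_setup.config with
# host key verification kept on. The Resources: block (S3Auth) from the
# answer is unchanged and still required.
files:
  /root/.ssh/github-eb-key:
    authentication: S3Auth
    mode: "000600"
    owner: root
    group: root
    source: "https://s3-eu-west-1.amazonaws.com/<my-bucket>/github-eb-key"
  # Pinned host key. Placeholder: paste the github.com public key line from
  # GitHub's published SSH host keys. Do not fill it with ssh-keyscan at
  # deploy time, which would trust whatever answers on first contact.
  /root/.ssh/known_hosts:
    mode: "000644"
    owner: root
    group: root
    content: |
      github.com <key-type> <GITHUB-PUBLIC-HOST-KEY-PLACEHOLDER>
  /root/.ssh/config:
    mode: "000600"
    owner: root
    group: root
    content: |
      Host github.com
        User git
        IdentityFile /root/.ssh/github-eb-key
        IdentitiesOnly yes
        UserKnownHostsFile /root/.ssh/known_hosts
        StrictHostKeyChecking yes
commands:
  # Assumed check (name is hypothetical): fails the deployment early if the
  # deploy key is rejected or the server's host key does not match the pin.
  01_check_github_access:
    command: "git ls-remote git@github.com:<my-user>/<my-repo>.git > /dev/null"
```

With this variant a mismatched host key still produces `Host key verification failed.`, but only when the server presents a key other than the pinned one.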
