堆栈内存溢出
  简体   繁体   English

AWS仅使用角色即可对CodeCommit存储库进行跨帐户访问(无静态凭证)

[英]AWS cross account access to CodeCommit repo with roles only (no static credentials)

 原文  2018-01-15 23:01:53       git/ amazon-web-services/ amazon-ec2/ aws-cli/ aws-codecommit

问题描述

I have a CodeCommit REPO1 in AWS account 1111. I need to clone REPO1 in EC2 instances that will be launched and terminate on a regular basis in AWS account 2222. The EC2's are launched to perform some batch jobs for a short period (minutes), then are terminated in automated manner. 我在AWS帐户1111中有一个CodeCommit REPO1。我需要在EC2实例中克隆REPO1,该实例将在AWS帐户2222中启动并定期终止。启动EC2是为了在短时间内(几分钟)执行一些批处理作业,然后以自动方式终止。

Without generating static credentials, how can I use roles to launch EC2 instances in 2222, clone REPO1 from 1111. The process must be automated using bash/CLI. 在不生成静态证书的情况下,我如何使用角色在2222中启动EC2实例,从1111克隆REPO1。必须使用bash / CLI使该过程自动化。

I have been banging my head against my desk for a couple of days now to no avail. 几天来,我一直把头撞在桌子上,无济于事。

1 个解决方案

解决方案1
 5  2018-01-15 23:45:47

You need to create a role (R1) in account 1111 that: 您需要在帐户1111中创建一个角色(R1):

  • Trusts account 2222 to assume it 信托帐户2222承担该费用
  • Has the necessary permissions to access the repository REPO1 具有访问存储库REPO1的必要权限

Then you need to make sure that the instance role for your EC2 instance has AssumeRole permissions. 然后,您需要确保EC2实例的实例角色具有AssumeRole权限。 This allows you to assume R1 from within your EC2 instance. 这使您可以从EC2实例中假设R1。

Now, within your EC2 instance in account 2222, you should set a profile that accesses REPO1 through the role. 现在,在帐户2222中的EC2实例中,您应该设置一个通过角色访问REPO1的配置文件。 You can do so by adding something that looks similar to the following to your ~/.aws/config file: 为此,您可以在〜/ .aws / config文件中添加类似于以下内容的内容: 

[profile cross-account-role]
role_arn = arn:aws:iam::<1111>:role/<R1>
credential_source = Ec2InstanceMetadata
external_id = <ExternalId of R1>
output = json
region = <Region where REPO1 is>

You then want to confirm whether you've set your permissions correctly, you can do: 然后,您要确认是否正确设置了权限,可以执行以下操作: 

aws --profile cross-account-role get-repository --repository-name REPO1

Once this works, you want to configure the git client to use the credential-helper with the correct profile, in your ~/.gitconfig by running: 一旦完成,您要配置git客户端,使其在~/.gitconfig通过正确的配置文件使用credential-helper, ~/.gitconfig是运行: 

git config --global credential.helper '!aws codecommit --profile cross-account-role credential-helper $@'
git config --global credential.UseHttpPath true

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 IAM 阻止访问 AWS CodeCommit 存储库 - IAM blocks access to AWS CodeCommit repo 为 AWS CodeCommit 生成 HTTPS Git 凭证:AWS 编程访问 - Generate HTTPS Git credentials for AWS CodeCommit: AWS Programmatic access 从一台计算机访问不同的 AWS 账户 CodeCommit 存储库 - Access different AWS account CodeCommit repositories from one computer 将Jenkins连接到AWS CodeCommit存储库 - Connecting Jenkins to AWS CodeCommit Repo 适用于CodeCommit回购同步的AWS Lambda - AWS Lambda for CodeCommit repo sync aws codecommit 未提供凭据提示 - aws codecommit not giving credentials prompt AWS Codecommit无法使用Git凭证使用HTTPS协议连接到第二仓库 - AWS codecommit can't connect to 2nd repo with HTTPS protocol using Git Credentials 如何使用IAM访问ID和密钥对AWS CodeCommit git repo进行身份验证? - How to authenticate against AWS CodeCommit git repo with IAM access id and secret key? 通过HTTP克隆AWS Codecommit存储库 - clone AWS codecommit repo via HTTP 将Git Repo直接镜像到AWS CodeCommit - Mirror a Git Repo directly to AWS CodeCommit
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM