How to give ElasticBeanstalk access to AWS CodeCommit

Question

I am deploying a Flask application to ElasticBeanstalk. One of the dependencies of this application is a package that should be installed from a CodeCommit git repository.

Locally, I have successfully set up SSH to connect to the CodeCommit repo to pip install and push code. I have added the package to requirements.txt , and locally this installs fine with pip .

The question is, how should I configure EBS to have SSH access to this repo?

I see the IAM role used by EBS is aws-elasticbeanstalk-ec2-role . I attached the AWSCodeCommitReadOnly policy to this role, but to no avail.

In the eb-activity.log it gives an SSH error when trying to get the package from CodeCommit:

Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.

How should I configure access to AWS CodeCommit from EBS?

Answer 1

My suggestion would be to use HTTPS instead of SSH to access your AWS CodeCommit repository. Your instances already have permission through the role and policy you have set up and the AWS CLI available. All you would need to do is run the commands that configure the git-credential helper:

git config --global credential.helper '!aws --profile default codecommit credential-helper $@'

git config --global credential.UseHttpPath true

Hope that helps!