Fetching Private Submodules in AWS Amplify Build

2

6

I am deploying my app using AWS Amplify. I decided to separate a part of my app into a submodule. Now, when I run git submodule update --init --recursive in the Amplify build, it gives me an access error since it is a private repository and AWS could not access it.

I have two choices. One is using HTTPS to fetch the repo, but it will require me to put my username and password in the submodule. The other is to figure out a way for AWS to generate an SSH key that I can pair to the submodule SSH access to proceed. I would like to use the latter, but I have no idea how to do it in AWS Amplify.

Caramel answered 20/5, 2019 at 10:29 Comment(0)
5

It seems one solution would be to generate an SSH key without a passphrase (insecure solution) and then add it as an environment variable in the aws-amplify project:

  1. Generate an SSH key without a passphrase:
     • ssh-keygen -f deploy_key -N ""
     • Copy the base64-encoded content of your private key (cat deploy_key | base64 -w0) into an environment variable of your Amplify project, e.g. DEPLOY_KEY
     • Copy the content of your public key (cat deploy_key.pub) to your ~/.ssh/authorized_keys (depending on your repository provider, Access keys in Repository settings for Bitbucket in our case)
  2. In the preBuild or build section of your amplify.yml add the following:

        commands:
          - eval $(ssh-agent -s)
          - ssh-add <(echo "$DEPLOY_KEY" | base64 --decode)

Horthy answered 3/8, 2020 at 21:57 Comment(3)
It seems the clone occurs before the preBuild phase - so the build fails before I can even inject the SSH key - Ausgleich
Sorry for the late question, but where will I find ~/.ssh/authorized_keys in my repository or in Amplify settings? - Archivolt
This no longer seems to be working - Tercel
2

Spoke to AWS about this issue as well, and there is no solution at the moment for the second option.

You could create a separate GitHub user with read-only access to the submodule repo, and add it via HTTPS: https://USERNAME:PASSWORD@github.com/ACCOUNT/SUBMODULE-REPO.git

Bonus: If you would like to push changes to the submodule repo, you can change the origin push URL. Within the submodule directory: git config remote.origin.pushurl git@github.com:ACCOUNT/SUBMODULE-REPO.git

FWIW, Netlify had the same issue a few months ago (not sure if it's still the case), their work-around would be for them to manually generate a deploy key for the submodule repo, but due to GitHub's restrictions this key would only work once - meaning for any other repo/site that needed to use the submodule you would need to go through the process again.

Azelea answered 2/8, 2019 at 9:42 Comment(1)
Thanks for the heads up. I just went and did what you mentioned and created a separate user with read-only access. Also, rather than use submodules, I just created an npm package and just - Caramel
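
An added example, not part of the original question or answers: with the HTTPS approach discussed above, the credential ends up in the committed .gitmodules file, so a pre-commit or CI step can flag such URLs and print them with the secret redacted. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag submodule URLs that embed a password
# (scheme://user:secret@host/...) in a .gitmodules file.

# Constructed sample .gitmodules; names and URLs are placeholders.
sample_gitmodules() {
    cat <<'EOF'
[submodule "libs/shared"]
    path = libs/shared
    url = https://USERNAME:PASSWORD@github.com/ACCOUNT/SUBMODULE-REPO.git
[submodule "libs/ui"]
    path = libs/ui
    url = git@github.com:ACCOUNT/OTHER-REPO.git
EOF
}

# Print "name<TAB>redacted-url" for each submodule whose URL carries
# user:password userinfo. Exit status: 0 if clean, 1 if any were found.
scan_gitmodules() {
    awk '
        /^[ \t]*\[submodule[ \t]+"/ {
            name = $0
            sub(/^[^"]*"/, "", name)   # drop everything up to the opening quote
            sub(/".*$/, "", name)      # drop the closing quote and the rest
            next
        }
        /^[ \t]*url[ \t]*=/ {
            url = $0
            sub(/^[^=]*=[ \t]*/, "", url)
            sub(/[ \t]+$/, "", url)
            # SSH-style git@host:path and plain https://host/path do not match.
            if (url ~ /^[A-Za-z][A-Za-z0-9+.-]*:\/\/[^\/@:]*:[^\/@]*@/) {
                sub(/:\/\/[^\/@:]*:[^\/@]*@/, "://REDACTED@", url)
                printf "%s\t%s\n", name, url
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Demo on the constructed sample.
demo_file=$(mktemp)
sample_gitmodules > "$demo_file"
scan_gitmodules "$demo_file" || echo "credentials found in submodule URLs" >&2
rm -f "$demo_file"
```

In a repository, call scan_gitmodules .gitmodules and fail the job on a non-zero exit status.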
