How to get AWS CodeBuild to perform full clone?
What field can I set in my IaC definition (i.e., codebuild.yaml and/or buildspec.yaml files) to get my AWS CodeBuild process to perform a full git clone?

I have a use case where the last updated dates of each file are employed during the build process, and these dates are not available with a shallow clone.

Twister answered 7/10, 2021 at 20:53 Comment(0)

To get CodeBuild to clone a CodeCommit repository in a different account (cross-account) within the buildspec.yml, you need the CodeBuild service role to have permission to assume a role in the CodeCommit account, you need that role in the CodeCommit account to have permissions to access the related CodeCommit repository, and you need to assume the role in the CodeCommit account within the buildspec.yml file before executing git clone.
In detail this looks like the following (please consider restricting the policies to the actual actions / resources required and don't use *. I just use the wildcards to keep the policies short in the example):

  • CodeCommit account IAM role policy:
    Attach the following policy to your IAM role in the CodeCommit account (grants CodeCommit permissions, including GitPull)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codecommit:*"
            ],
            "Resource": "*"
        }
    ]
}
  • CodeCommit account IAM role trust relationship:
    Attach the following policy as trust relationship to your IAM role in the CodeCommit account (ensures that the role can only be assumed by the CodeBuild service role from the CodeBuild account)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/role-in-code-build-account"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

  • CodeBuild account IAM role policy:
    Attach the following policy to your CodeBuild service role in the CodeBuild account (grants permission to assume the role in the CodeCommit account)
{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::YYYYYYYYYYYY:role/role-in-code-commit-account"
        }
    ],
    "Version": "2012-10-17"
}
  • CodeBuild account IAM role trust relationship:
    Attach the following policy as trust relationship to your CodeBuild service role in the CodeBuild account (ensures that the role can only be assumed by the CodeBuild Service)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "codebuild.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

  • CodeBuild account buildspec.yml:
    The buildspec ensures that git-remote-codecommit is available, assumes the role in the CodeCommit account and then clones the repository.
version: 0.2
env:
  git-credential-helper: yes
phases:
  install:
    runtime-versions:
      python: 3.8
    commands:
      - pip install git-remote-codecommit
  pre_build:
    commands:
      - ASSUME_ROLE_ARN="arn:aws:iam::YYYYYYYYYYYY:role/role-in-code-commit-account"
      - SERVICE_ROLE=$(aws sts assume-role --role-arn $ASSUME_ROLE_ARN --role-session-name <session-name>)
      - export SERVICE_ROLE
      - export AWS_ACCESS_KEY_ID=$(echo "${SERVICE_ROLE}" | jq -r '.Credentials.AccessKeyId')
      - export AWS_SECRET_ACCESS_KEY=$(echo "${SERVICE_ROLE}" | jq -r '.Credentials.SecretAccessKey')
      - export AWS_SESSION_TOKEN=$(echo "${SERVICE_ROLE}" | jq -r '.Credentials.SessionToken')
      # Debug output only: AWS_SESSION_TOKEN is a credential, and echoing it writes it into the CodeBuild log
      - echo "${AWS_ACCESS_KEY_ID}"
      - echo "${AWS_SESSION_TOKEN}"
      - git clone codecommit::<region>://<codecommit-repo-name>
      - ls -lrt
  post_build:
    commands:
      - echo "git clone completed successfully on `date`"
Zoroastrianism answered 25/8, 2022 at 15:21 Comment(0)

If you are looking to leverage codecommit you can perform the clone by adding the remote clone function:

phases:
  install:
    commands:
      - pip install git-remote-codecommit

  pre_build:
    commands:
      - echo CLONE DIRECTORIES
      - git clone codecommit://[repo name] [target folder name]

You will need to make sure your IAM role has the proper permissions to access CodeCommit. If you're looking for GitHub cloning see this link:

https://docs.aws.amazon.com/codepipeline/latest/userguide/tutorials-github-gitclone.html

Sagittal answered 20/1, 2022 at 4:40 Comment(0)

I finally figured out how to do the full clone. I posted it in this link here. Check it out, I think it will give you what you are looking for: Setting credentials for https git clone in AWS CodeBuild

Sagittal answered 9/2, 2022 at 0:46 Comment(1)
If you think that this question can be answered from another question's answers, then please consider flagging this question as duplicate. - Lymphoma

You can set the following in your buildspec.yml which allows you to unshallow your clone.

env:
  git-credential-helper: yes

Delaine answered 22/1 at 16:9 Comment(0)
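The unshallow step discussed above, as an added example that is not part of any answer here, written as a POSIX shell script for a buildspec pre_build phase: it checks whether the checkout is shallow, fetches the full history only in that case, and then reads the per-file last-commit dates the question needs. CODEBUILD_SRC_DIR is the directory CodeBuild checks the source into; make_fixture and its two dated commits are a constructed sample repository, not a real one.

```shell
#!/bin/sh
# Added example (not from any answer above): turn a shallow checkout into a full
# clone, then read per-file last-modified dates from history, the question's use
# case. Meant for buildspec pre_build against $CODEBUILD_SRC_DIR (set by
# CodeBuild); make_fixture builds a constructed sample repo for local runs.
set -eu

# True when the repository at $1 is a shallow clone.
is_shallow() {
  [ "$(git -C "$1" rev-parse --is-shallow-repository)" = "true" ]
}

# Fetch the full history if the clone is shallow; no-op otherwise, because
# `git fetch --unshallow` fails on a repository that is already complete.
ensure_full_clone() {
  if is_shallow "$1"; then
    git -C "$1" fetch -q --unshallow
  fi
}

# ISO 8601 committer date of the last commit touching path $2 in repo $1. In a
# shallow clone the boundary commit adds every file, so all paths share a date.
last_changed() {
  git -C "$1" log -1 --format=%cI -- "$2"
}

# Constructed fixture helper: commit file $2 in repo $1 with date $3.
add_commit() {
  echo "$2" > "$1/$2"
  git -C "$1" add "$2"
  GIT_AUTHOR_DATE="$3" GIT_COMMITTER_DATE="$3" \
    git -C "$1" -c user.name=ci -c user.email=ci@example.invalid \
    commit -q -m "add $2"
}

# Constructed fixture: origin with two dated commits plus a depth-1 clone of it
# (file:// is needed; --depth is ignored for plain local paths). Prints clone path.
make_fixture() {
  dir=$(mktemp -d)
  git init -q "$dir/origin"
  add_commit "$dir/origin" a.txt 2021-01-01T00:00:00+0000
  add_commit "$dir/origin" b.txt 2022-02-02T00:00:00+0000
  git clone -q --depth 1 "file://$dir/origin" "$dir/work"
  echo "$dir/work"
}
# Example run; in CodeBuild use "$CODEBUILD_SRC_DIR" instead of make_fixture.
repo=$(make_fixture)
ensure_full_clone "$repo"
echo "a.txt last changed: $(last_changed "$repo" a.txt)"
```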
