For a GitHub organization repository setup, each AWS account should have its own set of repositories visible from the GitHub organization, so that each account works within its own bubble of accessible GitHub repositories.
(A GitHub organization can have only one installation of the "AWS Connector for GitHub" app, so you cannot configure different repository access for different AWS accounts by adding more Connector app installations. The single installation is reusable for creating multiple connections in the same or different AWS accounts.)
Architecture:
Note:
An account can have multiple UAT connections, each associated with a different GitHub user.
Each UAT connection can connect to only one GitHub user.
The process outlined above is specific to Account A. Nevertheless, you can follow the same process for Account B, enabling you to create multiple GitHub user access token connections with different GitHub users within Account B, as per your requirements.
Scenario:
The repositories available to Account A within the GitHub organization are dictated by the GitHub user account employed for establishing the connection.
Goal: each AWS account has its own isolated set of GitHub repositories.
GitHub User 1: Admin access to repo 1 & repo 2 only
GitHub User 2: Admin access to repo 3 & repo 4 only
GitHub User 3: Admin access to repo 5 & repo 6 only
(The access permissions are not limited to admin access; you can grant other permission levels for repositories, such as read/write/maintain/triage.)
Resolution:
This multi-tenant access control can be achieved by UAT (User Access Token) connection because the connection’s permission is scoped by the user that created the connection.
A user access token only has permissions that both the user and the app have. For example, if the app was granted permission to write the contents of a repository, but the user can only read the contents, then the user access token can only read the contents. [1]
Prerequisite:
- GitHub user accounts are required, as the access permissions for repositories are configured at the GitHub account level, not the AWS account level.
- Have a GitHub organization owned by your admin GitHub account.
- Make sure the GitHub organization has the "AWS Connector for GitHub" GitHub App installed. If not, follow this document [2] to create a connection.
For Account A with User-1 access:
- Step 1: As GitHub organization admin, invite GitHub "User-1" into the organization. Once added, the user can be either an Owner or a Member of the org. An Owner has admin access to all repositories in the org; a Member does not have access to all repositories in the org.
- Step 2: Manage the user's access to the repository:
Following the GitHub documentation [3], you can configure GitHub user permissions for repositories.
Specifically, select the organization repository "repo-1" --> Settings --> Access --> Collaborators and teams --> Add people --> select the user with admin (you can choose read/write/others) --> Add. Repeat for repository "repo-2".
- Step 3:
Change the membership of "User-1" from "Admin" to "Member". If "User-1" is already a Member, skip this step and go to Step 4.
For AWS CodeBuild
- Step 4:
Establish a new connection with GitHub using the GitHub User Access Token (UAT) connection method. To create a UAT connection, leave the app installation field blank during the connection setup [4]. During this process you will be required to log in to your GitHub "User-1" account.
Then, the multi-tenant access control can be achieved, as the connection's permissions are scoped and restricted to the user "User-1" who created the connection.
Then, when you select the established connection and review the repository list, you will see that only repo-1 and repo-2 are listed.
- Step 5:
Replicate the process from Step 1 through Step 4 for User-2 and User-3.
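Because the UAT connection shows whatever its GitHub user can see, any stray collaborator grant outside the user's intended repo set leaks that repository into the wrong AWS account. The following audit script is an added example (not part of this article or of AWS/GitHub tooling): it compares the collaborator lists returned by the GitHub REST API (`GET /repos/{org}/{repo}/collaborators`, a real endpoint) against the isolation policy from the scenario above; the org name, token, and sample responses are constructed placeholders.

```python
"""Audit GitHub collaborator grants against the per-account repository isolation policy."""
import json
import urllib.request

# Isolation policy from the scenario: the GitHub user that creates each account's
# UAT connection -> the only repositories that user (and so that account) may see.
POLICY = {
    "user-1": {"repo-1", "repo-2"},
    "user-2": {"repo-3", "repo-4"},
    "user-3": {"repo-5", "repo-6"},
}

def _grant(login, admin=True, push=True, pull=True):
    """Build one collaborator entry in the shape the GitHub API returns."""
    return {"login": login, "permissions": {"admin": admin, "push": push, "pull": pull}}

# Constructed sample responses (one list per repo). repo-3 deliberately carries a
# stray read-only grant for user-1, which would surface repo-3 in Account A's connection.
SAMPLE = {
    "repo-1": [_grant("user-1")], "repo-2": [_grant("user-1")],
    "repo-3": [_grant("user-2"), _grant("user-1", admin=False, push=False)],
    "repo-4": [_grant("user-2")],
    "repo-5": [_grant("user-3")], "repo-6": [_grant("user-3")],
}

def fetch_collaborators(org, repo, token):
    """Live fetch for real use (assumed: token has admin rights on the org's repos).
    affiliation=all also covers team-based and org-base-permission grants."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{org}/{repo}/collaborators?affiliation=all",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def effective_access(collaborators_by_repo):
    """Map each login to the repos where at least one permission bit is granted."""
    access = {}
    for repo, collabs in collaborators_by_repo.items():
        for c in collabs:
            if any(c["permissions"].values()):
                access.setdefault(c["login"], set()).add(repo)
    return access

def audit(collaborators_by_repo, policy=POLICY):
    """Return (login, repo) pairs a user can see outside their policy set.
    Note: org Owners see every repo regardless of these lists (see Step 3)."""
    return [(login, repo)
            for login, repos in effective_access(collaborators_by_repo).items()
            for repo in sorted(repos - policy.get(login, set()))]

if __name__ == "__main__":
    for login, repo in audit(SAMPLE):
        print(f"ISOLATION BREAK: {login} can see {repo}; their UAT connection will list it")
```

For a live run, replace `SAMPLE` with `{r: fetch_collaborators(org, r, token) for r in POLICY_repos}` built from the org's repository list; a user who appears in a violation should have the extra grant removed before their UAT connection is created.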
A few reminders about using GitHub UAT connections:
The AWS Connector for GitHub application installation is still required, as the permissions granted are the intersection of the user's permissions and the application's permissions. Using a single user access token for multiple concurrent CodeBuild projects is not advisable; to ensure proper access control and isolation, create a dedicated user access token for each individual CodeBuild project.
References:
[1] https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app#about-user-access-tokens
[2] https://docs.aws.amazon.com/dtconsole/latest/userguide/connections-create-github.html
[3] https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/managing-teams-and-people-with-access-to-your-repository
[4] https://docs.aws.amazon.com/dtconsole/latest/userguide/connections-create-github.html#connections-create-github-console