Build and Deploy source from git Tag from another account
I have an AWS Pipeline in my DEV account, and I created a second Pipeline in my PROD account. I followed these articles:
to make the PROD Pipeline use the Repository of the DEV account.
How can I build the source from a specific git tag, not from a branch name?
When I put the tag number in the Pipeline source stage, it fails.
I tried to edit the source stage in the pipeline and select the 'full clone' option, but I had this error:
remote repository is empty for primary source and source version 63sdsde73f2e1f6sdsd7564f742csdsds91ssd1f7sdsa
as I used a remote repository in another account (DEV).
I also tried to do this in my Buildspec:

```yaml
...
    git-credential-helper: yes
...
  build:
    commands:
      - echo Build started on `date`
      - git config --global user.name $REPO_NAME
      - git config --global user.email "$REPO_NAME@xxxx.xxx"
      - git clone code_conit_remote_repo_dev_account_url/$REPO_NAME --branch=$TAG_VERSION
      - cd $REPO_NAME
```
git clone https://codecommit.region.amazonaws.com/xx/xx/xx/$REPO_NAME --branch=$TAG_VERSION
but I had this error:
fatal: unable to access 'https://codecommit.region.amazonaws.com/xx/xx/xx/myRepoName/': The requested URL returned error: 403
Command did not exit successfully git clone https://codecommit.region.amazonaws.com/xx/xx/xx/$REPO_NAME --branch=$TAG_VERSION exit status 128
Thanks for your help.
Normally (without the full clone option), CodePipeline itself pulls the repo for you, discards the git metadata, and then passes it along to the next step via an S3 bucket.
When you use the full clone option, the CodeBuild stage will perform a pull for you so that it can keep the git metadata. Unfortunately, this does not currently work in a cross-account scenario because CodeBuild itself does not have any way to assume a cross-account role, and there is also no mechanism in CodeCommit to allow access from a role in another account.
This is why when you switch to a full clone, you are seeing 403 forbidden responses, as CodeBuild is trying to use the CodeBuild service role to connect with CodeCommit.
You may be able to work around this as follows:
- Turn off the full repo clone
- Set up an SSH key for your CodeCommit repo
- Store the private key in AWS Secrets Manager in your CodePipeline account
- During your build phase, fetch the private key from Secrets Manager using the AWS CLI, place it in `~/.ssh/` with permissions set to 600
- Again during the build phase, configure `~/.ssh/config` based on the key id and file name

Finally, issue the appropriate `git clone` command to pull the repo, and use `git checkout` to switch to the specific commit you want. Be sure to use `ssh://` on your repo URL instead of
I have included some of the relevant AWS documentation links below. I'm not aware of a step-by-step guide for this method of manually configuring a cross-account full clone; however, the pieces should all be there. I hope this helps!
- https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-without-cli.html : Setup for SSH users not using the AWS CLI
- https://docs.aws.amazon.com/codecommit/latest/userguide/how-to-connect.html : Connect to an AWS CodeCommit repository
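The build-phase steps of the workaround above, written out as an added example script (not code from the answer or from AWS) that a buildspec `build` command could run. It assumes a Secrets Manager secret whose plain-text value is the PEM private key, the CodeCommit SSH key ID of the IAM user that uploaded the public key, and the `KEY_SECRET_ID`, `SSH_KEY_ID`, `AWS_REGION`, `REPO_NAME` and `TAG_VERSION` environment variables; `CODEBUILD_BUILD_ID` is the variable CodeBuild sets on every build.

```shell
#!/bin/sh
# Added example: fetch the SSH key from Secrets Manager, write ~/.ssh/config
# for CodeCommit, full-clone over ssh:// and check out the requested tag.
set -eu

KEY_FILE="$HOME/.ssh/codecommit_rsa"

# ~/.ssh/config stanza for CodeCommit: the User is the CodeCommit SSH key ID.
# Pin the CodeCommit host key in known_hosts in production instead of
# accepting it on first use (accept-new needs OpenSSH 7.6 or later).
make_ssh_config() {            # $1 = region, $2 = SSH key ID
    printf 'Host git-codecommit.%s.amazonaws.com\n' "$1"
    printf '  User %s\n' "$2"
    printf '  IdentityFile ~/.ssh/codecommit_rsa\n'
    printf '  IdentitiesOnly yes\n'
    printf '  StrictHostKeyChecking accept-new\n'
}

# ssh:// clone URL (not https://) for a CodeCommit repo in the given region.
ssh_clone_url() {              # $1 = region, $2 = repo name
    printf 'ssh://git-codecommit.%s.amazonaws.com/v1/repos/%s\n' "$1" "$2"
}

# Pull the private key out of Secrets Manager with the AWS CLI and install
# it with mode 600; umask keeps it from ever existing world-readable.
install_private_key() {        # $1 = secret id
    umask 077
    mkdir -p "$HOME/.ssh"
    aws secretsmanager get-secret-value --secret-id "$1" \
        --query SecretString --output text > "$KEY_FILE"
    chmod 600 "$KEY_FILE"
}

# Full clone keeps the git metadata; checkout accepts a tag, branch or commit.
clone_tag() {                  # $1 = region, $2 = repo name, $3 = tag
    git clone "$(ssh_clone_url "$1" "$2")" "$2"
    git -C "$2" checkout --quiet "$3"
}

main() {
    install_private_key "$KEY_SECRET_ID"
    make_ssh_config "$AWS_REGION" "$SSH_KEY_ID" > "$HOME/.ssh/config"
    chmod 600 "$HOME/.ssh/config"
    clone_tag "$AWS_REGION" "$REPO_NAME" "$TAG_VERSION"
}

# Only run the real steps inside CodeBuild; elsewhere the functions are
# merely defined so they can be sourced and checked.
if [ -n "${CODEBUILD_BUILD_ID:-}" ]; then main; fi
```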