
Build and Deploy source from git Tag from another account


Hi Team,

I have an AWS CodePipeline in my DEV account, and I created a second pipeline in my PROD account. I followed these articles:

1. https://prashant-48386.medium.com/cross-account-codepipeline-that-use-codecommit-from-another-aws-account-9d5ab4c892f6

2. https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html

to make the PROD Pipeline use the Repository of the DEV account.

How can I build the source from a specific git tag instead of a branch name?

When I put the tag name in the pipeline source stage, it fails.

I tried editing the source stage in the pipeline and selecting the 'full clone' option, but I got this error:

remote repository is empty for primary source and source version 63sdsde73f2e1f6sdsd7564f742csdsds91ssd1f7sdsa

since the remote repository is in another account (DEV).

I also tried this in my buildspec:

...
env:
  git-credential-helper: yes
...

phases:
  build:
    commands:
      - echo Build started on `date`
      - git config --global user.name "$REPO_NAME"
      - git config --global user.email "$REPO_NAME@xxxx.xxx"
      - git clone codecommit_remote_repo_dev_account_url/$REPO_NAME --branch=$TAG_VERSION
      - cd $REPO_NAME

git clone https://codecommit.region.amazonaws.com/xx/xx/xx/$REPO_NAME --branch=$TAG_VERSION

but I got this error:

fatal: unable to access 'https://codecommit.region.amazonaws.com/xx/xx/xx/myRepoName/': The requested URL returned error: 403

Command did not exit successfully git clone https://codecommit.region.amazonaws.com/xx/xx/xx/$REPO_NAME --branch=$TAG_VERSION exit status 128

Thanks for your help.

1 Answer

Accepted Answer

Normally (without the full clone option), CodePipeline itself pulls the repo for you, discards the git metadata, and then passes it along to the next step via an S3 bucket.

When you use the full clone option, the CodeBuild stage will perform a pull for you so that it can keep the git metadata. Unfortunately, this does not currently work in a cross-account scenario because CodeBuild itself does not have any way to assume a cross-account role, and there is also no mechanism in CodeCommit to allow access from a role in another account.

This is why, when you switch to a full clone, you are seeing 403 Forbidden responses: CodeBuild is trying to use the CodeBuild service role to connect to CodeCommit.

You may be able to work around this as follows:

  • Turn off the full repo clone
  • Set up an SSH key for your CodeCommit repo
  • Store the private key in AWS Secrets Manager in your CodePipeline account
  • During your build phase, fetch the private key from Secrets Manager using the AWS CLI, place it in ~/.ssh/ with permissions set to 600
  • Again during the build phase, configure ~/.ssh/config based on the key id and file name
  • Finally, issue the appropriate git clone command to pull the repo, and use git checkout to switch to the specific commit you want. Be sure to use ssh:// on your repo URL instead of https://

I have included some of the relevant AWS documentation links below. I'm not aware of a step-by-step guide for this method of manually configuring a cross-account full clone; however, the pieces should all be there. I hope this helps!

SUPPORT ENGINEER
answered 3 months ago
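The workaround steps above, assembled into a build-phase script, as an added example that is not part of the original answer. It assumes the names SECRET_ID (a Secrets Manager secret in the pipeline account whose SecretString is the PEM private key), KEY_ID (the IAM "SSH key ID" of the DEV-account user the matching public key is uploaded to), REGION, REPO_NAME and TAG_VERSION; the repo names and key material in the test are constructed. Two points the answer leaves implicit are shown: `git clone --branch` also accepts a tag name, and an explicit checkout of `refs/tags/<tag>` pins that tag even if a branch of the same name exists; and the CodeCommit host key is recorded with `ssh-keyscan` rather than by turning off `StrictHostKeyChecking`, so it can be compared with the fingerprints AWS publishes.

```shell
#!/bin/sh
# Added example (not from the original post): clone a CodeCommit repo that lives
# in another account over SSH from a CodeBuild build phase, pinned to a git tag.
# Assumed names: SECRET_ID, KEY_ID, REGION, REPO_NAME, TAG_VERSION.
set -eu

# Step 1: pull the private key out of Secrets Manager in the pipeline account.
# The CodeBuild service role needs secretsmanager:GetSecretValue on this one secret.
fetch_private_key() {
  aws secretsmanager get-secret-value \
    --secret-id "$1" --query SecretString --output text
}

# Step 2: install the key under $ssh_dir with mode 600 and add a Host entry so
# git presents the right identity to CodeCommit.
# Arguments: ssh_dir key_id private_key_text
install_ssh_key() {
  ssh_dir="$1"; key_id="$2"; key_text="$3"
  key_file="$ssh_dir/codecommit_rsa"
  mkdir -p "$ssh_dir"
  chmod 700 "$ssh_dir"
  # umask in a subshell so the key file is never group/world-readable, even briefly
  (umask 077; printf '%s\n' "$key_text" > "$key_file")
  chmod 600 "$key_file"
  cat >> "$ssh_dir/config" <<EOF
Host git-codecommit.*.amazonaws.com
  User $key_id
  IdentityFile $key_file
  IdentitiesOnly yes
EOF
  chmod 600 "$ssh_dir/config"
}

# Step 3: build the ssh:// URL (not https://) for a repo in a region.
codecommit_ssh_url() {
  printf 'ssh://git-codecommit.%s.amazonaws.com/v1/repos/%s' "$1" "$2"
}

# Step 4: clone and pin the tag. `git clone --branch` accepts a tag and leaves
# HEAD detached there; the explicit checkout of refs/tags/<tag> guards against a
# branch with the same name being chosen instead.
clone_at_tag() {
  url="$1"; dest="$2"; tag="$3"
  git clone --branch "$tag" "$url" "$dest"
  git -C "$dest" checkout --detach "refs/tags/$tag"
}

# Wire-up for the buildspec `build` commands: call `main` there. It is not run
# at top level so the functions above can be sourced and tested without AWS.
main() {
  : "${SECRET_ID:?}" "${KEY_ID:?}" "${REGION:?}" "${REPO_NAME:?}" "${TAG_VERSION:?}"
  install_ssh_key "$HOME/.ssh" "$KEY_ID" "$(fetch_private_key "$SECRET_ID")"
  # Record the server host key instead of disabling StrictHostKeyChecking;
  # compare what lands in known_hosts with the fingerprints AWS publishes.
  ssh-keyscan "git-codecommit.$REGION.amazonaws.com" >> "$HOME/.ssh/known_hosts"
  clone_at_tag "$(codecommit_ssh_url "$REGION" "$REPO_NAME")" "$REPO_NAME" "$TAG_VERSION"
}
```

Keep both sides of this least-privileged: the CodeBuild role only needs `secretsmanager:GetSecretValue` on that single secret, and the DEV-account IAM user that owns the SSH key only needs `codecommit:GitPull` on the one repository, so a leaked key cannot push or reach other repos.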
