Normally (without the full clone option), CodePipeline itself pulls the repo for you, discards the git metadata, and then passes it along to the next step via an S3 bucket.
When you use the full clone option, the CodeBuild stage will perform a pull for you so that it can keep the git metadata. Unfortunately, this does not currently work in a cross-account scenario because CodeBuild itself does not have any way to assume a cross-account role, and there is also no mechanism in CodeCommit to allow access from a role in another account.
This is why when you switch to a full clone, you are seeing 403 forbidden responses, as CodeBuild is trying to use the CodeBuild service role to connect with CodeCommit.
You may be able to work around this as follows:
- Turn off the full repo clone
- Set up an SSH key for your CodeCommit repo
- Store the private key in AWS Secrets Manager in your CodePipeline account
- During your build phase, fetch the private key from Secrets Manager using the AWS CLI, place it in `~/.ssh/` with permissions set to 600
- Again during the build phase, configure `~/.ssh/config` based on the key id and file name
- Finally, issue the appropriate `git clone` command to pull the repo, and use `git checkout` to switch to the specific commit you want. Be sure to use `ssh://` on your repo URL instead of `https://`
I have included some of the relevant AWS documentation links below. I'm not aware of a step-by-step guide for this method of manually configuring a cross-account full-clone, however the pieces should all be there. I hope this helps!
- https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-without-cli.html : Setup for SSH users not using the AWS CLI
- https://docs.aws.amazon.com/codecommit/latest/userguide/how-to-connect.html : Connect to an AWS CodeCommit repository
- https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/get-secret-value.html
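The build-phase steps from the answer above, written out as an added example (my own script, not from the answer author or AWS). It assumes a Secrets Manager secret named `codecommit/ssh-key` holding the PEM private key, the CodeCommit SSH key ID `APKAEXAMPLEKEYID`, region `us-east-1` and a repository named `MyRepo`; the commit to check out is taken from CodeBuild's `CODEBUILD_RESOLVED_SOURCE_VERSION`.

```shell
#!/usr/bin/env bash
# Manual cross-account "full clone" inside a CodeBuild build phase.
# Assumed names: secret codecommit/ssh-key, key ID APKAEXAMPLEKEYID,
# region us-east-1, repo MyRepo (all placeholders for this example).
set -euo pipefail

# Render the ~/.ssh/config stanza that maps the CodeCommit host to the
# IAM SSH key ID (the "User") and the private key file.
render_ssh_config() {
  local key_id="$1" key_file="$2"
  printf 'Host git-codecommit.*.amazonaws.com\n  User %s\n  IdentityFile %s\n  IdentitiesOnly yes\n' \
    "$key_id" "$key_file"
}

# Write key material (read from stdin) into a 700 directory as a 600 file.
# The key never appears on a command line or in the build log.
install_private_key() {
  local ssh_dir="$1" key_file="$2"
  mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
  (umask 077; cat > "$key_file")
  chmod 600 "$key_file"
}

# Pull the PEM from Secrets Manager in the CodePipeline account and install it.
fetch_key_from_secrets_manager() {
  local secret_id="$1" key_file="$2"
  aws secretsmanager get-secret-value --secret-id "$secret_id" \
      --query SecretString --output text \
    | install_private_key "$(dirname "$key_file")" "$key_file"
}

# Clone over ssh:// (not https://) and move to the exact commit.
clone_at_commit() {
  local region="$1" repo="$2" commit="$3" dest="$4"
  git clone "ssh://git-codecommit.${region}.amazonaws.com/v1/repos/${repo}" "$dest"
  git -C "$dest" checkout "$commit"
}

# The network steps only run inside CodeBuild, which sets CODEBUILD_BUILD_ID.
if [ -n "${CODEBUILD_BUILD_ID:-}" ]; then
  KEY_FILE="$HOME/.ssh/codecommit_rsa"
  fetch_key_from_secrets_manager "codecommit/ssh-key" "$KEY_FILE"
  render_ssh_config "APKAEXAMPLEKEYID" "$KEY_FILE" > "$HOME/.ssh/config"
  chmod 600 "$HOME/.ssh/config"
  # Trust-on-first-use host key; compare the fingerprint with the one AWS publishes.
  ssh-keyscan -H git-codecommit.us-east-1.amazonaws.com >> "$HOME/.ssh/known_hosts"
  clone_at_commit us-east-1 MyRepo "$CODEBUILD_RESOLVED_SOURCE_VERSION" full-clone
fi
```

Put these commands in the `build` phase of your buildspec, and grant the CodeBuild service role `secretsmanager:GetSecretValue` on that one secret only.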