Connect with us

Industry News

Federated multi-account access for AWS CodeCommit : idk.dev

As a developer working in a large enterprise or for a group that supports multiple products, you may often find yourself accessing Git repositories from different organizations. Currently, to securely access multiple Git repositories in other popular tools, you need SSH keys, GPG keys, a Git credential helper, and a significant amount of setup by…

As a developer working in a large enterprise or for a group that supports multiple products, you may often find yourself accessing Git repositories from different organizations. Currently, to securely access multiple Git repositories in other popular tools, you need SSH keys, GPG keys, a Git credential helper, and a significant amount of setup by the developer hoping to commit to the repository. In addition, administrators must be aware of the various ways to remove all the permissions granted to the developer.

AWS CodeCommit is a managed source control service. Combined with AWS Single Sign-On (AWS SSO) and git-remote-codecommit, you can quickly and easily switch between repositories owned by different groups or even managed in separate AWS accounts. You can control those permissions with AWS Identity and Access Management (IAM) roles to allow for the automated removal of the user’s permission as part of their off-boarding procedure for the company.

This post demonstrates how to grant access to various CodeCommit repositories without access keys.

Solution overview

In this solution, the user’s access is controlled with federated login via AWS SSO. You can grant that access using AWS native authentication, which eliminates the need for a Git credential helper, SSH, and GPG keys. In addition, this allows the administrator to control access by adding or removing the user’s IAM role access.

The following diagram shows the code access pattern you can achieve by using AWS SSO and git-remote-codecommit to access CodeCommit across multiple accounts.

Prerequisites

To complete this tutorial, you must have the following prerequisites:

  • CodeCommit repositories in two separate accounts. For instructions, see Create an AWS CodeCommit repository.
  • AWS SSO set up to handle access federation. For instructions, see Enable AWS SSO.
  • Python 3.6 or higher installed on the developer’s local machine. To download and install the latest version of Python, see the Python website.
    • On a Mac, it can be difficult to ensure that you’re using Python 3.6, because 2.7 is installed and required by the OS. For more information about checking your version of Python, see the following GitHub repo.
  • Git installed on your local machine. To download Git, see Git Downloads.
  • PIP version 9.0.3 or higher installed on your local machine. For instructions, see Installation on the PIP website.

Configuring AWS SSO role permissions

As your first step, you should make sure each AWS SSO role has the correct permissions to access the CodeCommit repositories.

  1. On the AWS SSO console, choose AWS Accounts.
  2. On the Permissions Sets tab, choose Create permission set.
  3. On the Create a new permission set page, select Create a custom permission set.
  4. For Name, enter CodeCommitDeveloperAccess.
  5. For Description, enter This permission set gives the user access to work with CodeCommit for common developer tasks.
  6. For Session duration, choose 12 hours.

Create new permissions

Create new permissions

  1. For Relay state, leave blank.
  2. For What policies do you want to include in your permissions set?, select Create a custom permissions policy.
  3. Use the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
             "Sid": "CodeCommitDeveloperAccess",
             "Effect": "Allow",
             "Action": [
                 "codecommit:GitPull",
                 "codecommit:GitPush",
                 "codecommit:ListRepositories"
             ],
             "Resource": "*"
         }
      ]
}

The preceding code grants access to all the repositories in the account. You could limit to a specific list of repositories, if needed.

  1. Choose Create.

Creating your AWS SSO group

Next, we need to create the SSO Group we want to assign the permissions.

  1. On the AWS SSO console, choose Groups.
  2. Choose create group.
  3. For Group name, enter CodeCommitAccessGroup.
  4. For Description, enter Users assigned to this group will have access to work with CodeCommit.

Create Group

Create Group

  1. Choose Create.

Assigning your group and permission sets to your accounts

Now that we have our group and permission sets created, we need to assign them to the accounts with the CodeCommit repositories.

  1. On the AWS SSO console, choose AWS Accounts.
  2. Choose the account you want to use in your new group.
  3. On the account Details page, choose Assign Users.
  4. On the Select users or groups page, choose Group.
  5. Select CodeCommitGroup.
  6. Choose NEXT: Permission Sets.
  7. Choose the CodeCommitDeveloperAccess permission set and choose Finish

Assign Users

Assign Users

  1. Choose Proceed to Accounts to return to the AWS SSO console.
  2. Repeat these steps for each account that has a CodeCommit repository.

Assigning a user to the group

To wrap up our AWS SSO configuration, we need to assign the user to the group.

  1. On the AWS SSO console, choose Groups.
  2. Choose CodeCommitAccessGroup.
  3. Choose Add user.
  4. Select all the users you want to add to this group.
  5. Choose Add user(s).
  6. From the navigation pane, choose Settings.
  7. Record the user portal URL to use later.

Enabling AWS SSO login

The second main feature we want to enable is AWS SSO login from the AWS Command Line Interface (AWS CLI) on our local machine.

  1. Run the following command from the AWS CLI. You need to enter the user portal URL from the previous step and tell the CLI what Region has your AWS SSO deployment. The following code example has AWS SSO deployed in us-east-1:
aws configure sso 
SSO start URL [None]: https://my-sso-portal.awsapps.com/start 
SSO region [None]:us-east-1

You’re redirected to your default browser.

  1. Sign in to AWS SSO.

When you return to the CLI, you must choose your account. See the following code:

There are 2 AWS accounts available to you.
> DeveloperResearch, [email protected]xample.com (123456789123)
DeveloperTrading, [email protected] (123456789444)
  1. Choose the account with your CodeCommit repository.

Next, you see the permissions sets available to you in the account you just picked. See the following code:

Using the account ID 123456789123
There are 2 roles available to you.
> ReadOnly
CodeCommitDeveloperAccess
  1. Choose the CodeCommitDeveloperAccess permissions.

You now see the options for the profile you’re creating for these AWS SSO permissions:

CLI default client Region [None]: us-west-2<ENTER>
CLI default output format [None]: json<ENTER>
CLI profile name [123456789011_ReadOnly]: DevResearch-profile<ENTER>
  1. Repeat these steps for each AWS account you want to access.

For example, I create DevResearch-profile for my DeveloperResearch account and DevTrading-profile for the DeveloperTrading account.

Installing git-remote-codecommit

Finally, we want to install the recently released git-remote-codecommit and start working with our Git repositories.

  1. Install git-remote-codecommit with the following code:
pip install git-remote-codecommit

With some operating systems, you might need to run the following code instead:

sudo pip install git-remote-codecommit
  1. Clone the code from one of your repositories. For this use case, my CodeCommit repository is named MyDemoRepo. See the following code:
git clone codecommit://[email protected] my-demo-repo
  1. After that solution is cloned locally, you can copy code from another federated profile by simply changing to that profile and referencing the repository in that account named MyDemoRepo2. See the following code:
git clone codecommit://[email protected] my-demo-repo2

Cleaning up

At the end of this tutorial, complete the following steps to undo the changes you made to your local system and AWS:

  1. On the AWS SSO console, remove the user from the group you created, so any future access requests fail.
  2. To remove the AWS SSO login profiles, open the local config file with your preferred tool and remove the profile.
    1. The config file is located at %UserProfile%/.aws/config for Windows and $HOME/.aws/config for Linux or Mac.
  3. To remove git-remote-codecommit, run the PIP uninstall command:
pip uninstall git-remote-codecommit

With some operating systems, you might need to run the following code instead:

sudo pip uninstall git-remote-codecommit

Conclusion

This post reviewed an approach to securely switch between repositories and work without concerns about one Git repository’s security credentials interfering with the other Git repository. User access is controlled by the permissions assigned to the profile via federated roles from AWS SSO. This allows for access control to CodeCommit without needing access keys.

About the Author

Steven DavidSteven David

Steven David

Steven David is an Enterprise Solutions Architect at Amazon Web Services. He helps customers build secure and scalable solutions. He has background in application development and containers.

Continue Reading
Advertisement

Industry News

School4Trading Review – How to Spot Possible Forex Broker Fraud

School4trading Review

School4Trading Review – How to Spot Possible Forex Broker Fraud

In this School4trading Review, we will look at the features of the software, as well as the customer support. First, let us look at the interface. The design is simple and easy to navigate. It also provides a chatbot, which helps you to communicate with the broker. The customer service is warm and inviting, which is a hallmark of a good broker. In contrast, a fraudulent broker will use cold and impersonal customer support to lure people in.

Another problem with the system is that the login process is not always intuitive. You may have to retype your password several times to get in. Then, you may experience difficulties withdrawing your funds or accessing your account. In such cases, you might have to wait for days or even weeks before you can withdraw the money you’ve invested. This is not a good sign. It’s better to choose a different trading platform altogether.

If you’re having trouble logging in, you should also check the legitimacy of the broker. Whether the broker is licensed by a reliable regulatory body or closed down, you’ll want to be sure it’s legitimate. If the broker isn’t licensed by the right body, don’t trust him. You shouldn’t waste your time with an inexperienced company. This will only cause you problems in the long run.

The next factor that should be checked is the licensing. A legitimate broker will have a license from a high regulatory body. However, a broker without a license will be unreliable. Moreover, a reliable regulator will take away the license of a scam broker. As a result, a trustworthy School4Broker/Profittrade review should mention fees, account rules, and contract terms. A scam broker will be unable to operate legally.

Secondly, look for warning signs. The broker should be licensed and regulated by a reliable regulatory body. It should be regulated by a high level. If it doesn’t, it’s a scam. Lastly, it should have a website that lets you easily access your account. Moreover, you should not hesitate to check the contact information. If you find any information that seems suspicious, you should reconsider using the broker.

In summary, Forex trading isn’t easy, but it doesn’t have to be complicated. It’s not as difficult as it seems if you’ve heard about the program. You’ll learn everything about the basics and how to become a professional. But if you’re still unsure about whether this program is right for you, don’t hesitate to contact a school4trading’s website.

The most important thing to remember when it comes to Forex trading is that it’s not easy. While it’s important to have a strong background in trading, there are a number of factors that can affect your success. Having a proper plan is vital in the long run, because you will be trading with real money. And, the platform should be reliable. Otherwise, you’ll end up losing a lot of money.

As we’ve mentioned, Forex is not easy. Investing isn’t something you can do in the comfort of your own home. You need a proven system. There are no free trials, so you’ll have to find a way to do it yourself. This isn’t a scam, and it’s a great way to make money without any help. A Forex system can help you learn the intricacies of the market.

Although the process of learning Forex isn’t an easy one, it’s certainly not impossible. Fortunately, there are many people who are willing to take the time to learn how to trade. But, even the most experienced trader needs to be aware of the risks of the market. While Forex trading isn’t easy, it can be done with the right knowledge. The software’s user-friendly interface is key.

Continue Reading

Daily Financial News

Don’t Count On JPY Correction; Staying Long GBP/JPY

The path of the potential pace of the JPY decline may still be underestimated by markets, which continue trading the JPY long.

While the 10% USDJPY advance from September lows looks impressive from a momentum point of view, it may no thave been driven by Japan’s institutional investors reducing their hedging ratios or Japan’s household sector reestablishing carry trades.

Instead, investors seemed to have been caught on the wrong foot, concerned about a sudden decline of risk appetite or the incoming US administration being focused on trade issues and not on spending. Spending requires funding and indeed the President-elect Trump’s team appears to be focused on funding. Here are a few examples: Reducing corporate taxation may pave the way for US corporates repatriating some of their USD2.6trn accumulated foreign profits. Cutting bank regulation could increase the risk-absorbing capacity within bank balance sheets. Hence, funding conditions – including for the sovereign – might generally ease. De-regulating the oil sector would help the trade balance, slowing the anticipated increase in the US current account deficit. The US current account deficit presently runs at 2.6% of GDP, which is below worrisome levels. Should the incoming government push for early trade restrictions, reaction (including Asian sovereigns reducing their holdings) could increase US funding costs, which runs against the interest of the Trump team.

Instead of counting on risk aversion to stop the JPY depreciation, we expect nominal yield differentials and the Fed moderately hiking rates to unleash capital outflows from Japan.The yield differential argumenthas become more compelling with the BoJ turning into yield curve managers. Via this policy move, rising inflation rates push JPY real rates and yields lower, which will weaken the JPY. Exhibit 12 shows how much Japan’s labor market conditions have tightened. A minor surge in corporate profitability may now be sufficient, pushing Japan wages up and implicity real yields lower.

JPY dynamics are diametrical to last year . Last year, the JGB’s “exhausted”yield curve left the BoJ without a tool to push real yields low enough to adequately address the weakened nominal GDP outlook. JPY remained artificially high at a time when the US opted for sharply lower real yields. USDJPY had to decline, triggering JPY bullish secondround effects via JPY-based financial institutions increasing their FX hedge ratios and Japan’s retail sector cutting its carry trade exposures. Now the opposite seems to be happening. The managed JGB curve suggests rising inflation expectations are driving Japan’s real yield lower. The Fed reluctantly hiking rates may keep risk appetite supported but increase USD hedging costs.Financial institutions reducinghedge ratios and Japan’s household sector piling back into the carry trade could provide secondround JPY weakening effects

Continue Reading

Daily Financial News

Mexico raises interest rates, cites Trump as risk

The head of Mexico’s central bank says U.S. Republican candidate Donald Trump represents a “hurricane” sized threat to Mexico.

Banco de Mexico Gov. Agustin Carstens told the Radio Formula network Friday that a Trump presidency “would be a hurricane and a particularly intense one if he fulfills what he has been saying in his campaign.”

Trump has proposed building a wall along the border and re-negotiating the North American Free Trade Agreement.

Mexico’s central bank raised its prime lending rate by half a percent to 4.75 percent Thursday, citing “nervousness surrounding the possible consequences of the U.S. elections, whose implications for Mexico could be particularly significant.”

Mexico’s peso had lost about 6 percent in value against the dollar since mid-August. It recovered slightly after the rate hike

Continue Reading

Trending