Federated multi-account access for AWS CodeCommit : idk.dev

As a developer in a large enterprise, or in a group that supports several products, you often need to work with Git repositories owned by different organizations. With other popular Git hosts, accessing several of them securely means juggling SSH keys or HTTPS credentials held by a Git credential helper (plus GPG keys if you sign commits), and a significant amount of setup by the developer hoping to commit to the repository. Administrators, in turn, must know every place a developer's credentials live in order to revoke all of them when that developer leaves.

AWS CodeCommit is a managed source control service. Combined with AWS Single Sign-On (AWS SSO, since renamed IAM Identity Center) and git-remote-codecommit, you can quickly switch between repositories owned by different groups, even when they live in separate AWS accounts. Access is granted through AWS Identity and Access Management (IAM) roles, so removing it is a matter of removing a role assignment as part of the user's off-boarding procedure.

This post demonstrates how to grant access to CodeCommit repositories in several accounts without distributing long-lived access keys.

Solution overview

In this solution, the user's access is controlled by federated login through AWS SSO. git-remote-codecommit obtains short-lived credentials for the selected SSO role from the AWS CLI profile and signs every Git request with them (AWS Signature Version 4), so no Git credential helper, SSH key, or GPG key is needed for authentication. Administrators control access by adding or removing the user's role assignment in AWS SSO.

The following diagram shows the code access pattern you can achieve by using AWS SSO and git-remote-codecommit to access CodeCommit across multiple accounts.

Prerequisites

To complete this tutorial, you must have the following prerequisites:

  • CodeCommit repositories in two separate accounts. For instructions, see Create an AWS CodeCommit repository.
  • AWS SSO set up to handle access federation. For instructions, see Enable AWS SSO.
  • Python 3.6 or higher installed on the developer’s local machine. To download and install the latest version of Python, see the Python website.
    • On a Mac, check that python, pip, and therefore git-remote-codecommit resolve to Python 3.6 or higher (for example with python3 --version and pip3 --version), because the OS-provided interpreter is Python 2.7 and is required by the OS. For more information about checking your version of Python, see the following GitHub repo.
  • Git installed on your local machine. To download Git, see Git Downloads.
  • PIP version 9.0.3 or higher installed on your local machine. For instructions, see Installation on the PIP website.

Configuring AWS SSO role permissions

As your first step, you should make sure each AWS SSO role has the correct permissions to access the CodeCommit repositories.

  1. On the AWS SSO console, choose AWS Accounts.
  2. On the Permissions Sets tab, choose Create permission set.
  3. On the Create a new permission set page, select Create a custom permission set.
  4. For Name, enter CodeCommitDeveloperAccess.
  5. For Description, enter This permission set gives the user access to work with CodeCommit for common developer tasks.
  6. For Session duration, choose 12 hours.

Create new permissions

  7. For Relay state, leave blank.
  8. For What policies do you want to include in your permissions set?, select Create a custom permissions policy.
  9. Use the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
             "Sid": "CodeCommitDeveloperAccess",
             "Effect": "Allow",
             "Action": [
                 "codecommit:GitPull",
                 "codecommit:GitPush",
                 "codecommit:ListRepositories"
             ],
             "Resource": "*"
         }
      ]
}

The preceding policy grants Git pull and push on every repository in the account, because Resource is "*". GitPull and GitPush support resource-level permissions, so you can restrict them to specific repository ARNs of the form arn:aws:codecommit:region:account-id:repository-name; only ListRepositories has to stay on "*", because it does not support resource-level permissions.

  10. Choose Create.
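As an added example (not from the original post), here is a scoped variant of the same permission-set policy. It assumes the repositories in both accounts are named MyDemoRepo and MyDemoRepo2 (the names used in the clone steps later in this post) and that direct pushes to the main and master branches should be blocked so that changes arrive through pull requests. Region and account are left as wildcards in the ARNs because the one permission set is assigned in every account; the codecommit:References condition key with the StringEqualsIfExists and Null pair is the pattern AWS documents for restricting pushes by branch.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListAllRepositories",
            "Effect": "Allow",
            "Action": "codecommit:ListRepositories",
            "Resource": "*"
        },
        {
            "Sid": "GitAccessToNamedRepositories",
            "Effect": "Allow",
            "Action": [
                "codecommit:GitPull",
                "codecommit:GitPush"
            ],
            "Resource": [
                "arn:aws:codecommit:*:*:MyDemoRepo",
                "arn:aws:codecommit:*:*:MyDemoRepo2"
            ]
        },
        {
            "Sid": "DenyDirectPushToProtectedBranches",
            "Effect": "Deny",
            "Action": "codecommit:GitPush",
            "Resource": [
                "arn:aws:codecommit:*:*:MyDemoRepo",
                "arn:aws:codecommit:*:*:MyDemoRepo2"
            ],
            "Condition": {
                "StringEqualsIfExists": {
                    "codecommit:References": [
                        "refs/heads/main",
                        "refs/heads/master"
                    ]
                },
                "Null": {
                    "codecommit:References": "false"
                }
            }
        }
    ]
}
```

The Null condition is what makes the Deny apply only to pushes that carry a reference name; without it the statement would also deny pushes where the condition key is absent. If you scope the policy this way, adding a repository later means adding its ARN here rather than relying on the wildcard.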

Creating your AWS SSO group

Next, we create the AWS SSO group to which the permission set will be assigned.

  1. On the AWS SSO console, choose Groups.
  2. Choose create group.
  3. For Group name, enter CodeCommitAccessGroup.
  4. For Description, enter Users assigned to this group will have access to work with CodeCommit.

Create Group

  5. Choose Create.

Assigning your group and permission sets to your accounts

Now that we have our group and permission sets created, we need to assign them to the accounts with the CodeCommit repositories.

  1. On the AWS SSO console, choose AWS Accounts.
  2. Choose the account you want to use in your new group.
  3. On the account Details page, choose Assign Users.
  4. On the Select users or groups page, choose Group.
  5. Select CodeCommitAccessGroup.
  6. Choose NEXT: Permission Sets.
  7. Choose the CodeCommitDeveloperAccess permission set and choose Finish

Assign Users

  8. Choose Proceed to Accounts to return to the AWS SSO console.
  9. Repeat these steps for each account that has a CodeCommit repository.

Assigning a user to the group

To wrap up our AWS SSO configuration, we need to assign the user to the group.

  1. On the AWS SSO console, choose Groups.
  2. Choose CodeCommitAccessGroup.
  3. Choose Add user.
  4. Select all the users you want to add to this group.
  5. Choose Add user(s).
  6. From the navigation pane, choose Settings.
  7. Record the user portal URL to use later.

Enabling AWS SSO login

The second main feature we want to enable is AWS SSO login from the AWS Command Line Interface (AWS CLI) on our local machine. The aws configure sso command requires AWS CLI version 2; it is not available in version 1.

  1. Run the following command from the AWS CLI. You need to enter the user portal URL from the previous step and tell the CLI which Region hosts your AWS SSO deployment. The following example has AWS SSO deployed in us-east-1:
aws configure sso
SSO start URL [None]: https://my-sso-portal.awsapps.com/start
SSO region [None]: us-east-1

The CLI opens your default browser (if it cannot, it prints a URL and a one-time code for you to enter by hand).

  2. Sign in to AWS SSO and approve the request.

When you return to the CLI, you must choose your account. See the following code:

There are 2 AWS accounts available to you.
> DeveloperResearch, [email protected] (123456789123)
DeveloperTrading, [email protected] (123456789444)
  3. Choose the account with your CodeCommit repository.

Next, you see the permissions sets available to you in the account you just picked. See the following code:

Using the account ID 123456789123
There are 2 roles available to you.
> ReadOnly
CodeCommitDeveloperAccess
  4. Choose the CodeCommitDeveloperAccess permission set.

You now see the options for the profile you’re creating for these AWS SSO permissions:

CLI default client Region [None]: us-west-2<ENTER>
CLI default output format [None]: json<ENTER>
CLI profile name [123456789123_CodeCommitDeveloperAccess]: DevResearch-profile<ENTER>
  5. Repeat these steps for each AWS account you want to access.

For example, I create DevResearch-profile for my DeveloperResearch account and DevTrading-profile for the DeveloperTrading account.

Installing git-remote-codecommit

Finally, we install git-remote-codecommit, the Git remote helper published by AWS, and start working with our Git repositories.

  1. Install git-remote-codecommit with the following code:
pip install git-remote-codecommit

With some operating systems, you might need to run the following code instead:

sudo pip install git-remote-codecommit

Running pip as root installs a third-party package into the system interpreter with root privileges; where possible, prefer a per-user install (pip's --user flag) or a virtual environment on your PATH instead.
  2. Clone the code from one of your repositories. For this use case, my CodeCommit repository is named MyDemoRepo, and the profile created above for that account is DevResearch-profile. The remote URL names the profile before the @ and the repository after it; git-remote-codecommit looks the repository up in the profile's default Region (us-west-2 in the profile above), so if the repository lives elsewhere, prefix the URL with the Region in the form codecommit::region://profile@repository. See the following code:
git clone codecommit://DevResearch-profile@MyDemoRepo my-demo-repo
  3. After that repository is cloned locally, you can clone from another federated profile by simply naming that profile in the remote URL and referencing the repository in that account, here named MyDemoRepo2. See the following code:
git clone codecommit://DevTrading-profile@MyDemoRepo2 my-demo-repo2

When the cached SSO token expires, Git operations against these remotes fail with a credential error; run aws sso login --profile DevResearch-profile (or the profile in question) to sign in again, and the next git command picks up fresh credentials.
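The following added example (my code, not from the original post or from the git-remote-codecommit project) ties the profile-creation and clone steps together. It parses a ~/.aws/config of the kind aws configure sso writes, flags any profile that still carries long-lived access keys, and resolves a codecommit:// remote URL to the profile, account, role and repository ARN it will sign with, so a developer can confirm which identity a push uses before running it. The config text is constructed for the example (the account IDs are the placeholders used above; the key pair is AWS's documented dummy example key), and the URL parser is a re-implementation of the URL shapes documented in the git-remote-codecommit README (codecommit://profile@repo and codecommit::region://profile@repo), not the tool's own code.

```python
# Added example (not from the post or from git-remote-codecommit): audit the
# SSO profiles in ~/.aws/config and resolve codecommit:// remotes to identities.
import configparser
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample ~/.aws/config: two SSO profiles as written by
# `aws configure sso` (account IDs are the post's placeholders) plus a stale
# profile holding AWS's documented dummy key pair, which the audit must flag.
SAMPLE_CONFIG = """\
[profile DevResearch-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789123
sso_role_name = CodeCommitDeveloperAccess
region = us-west-2

[profile DevTrading-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789444
sso_role_name = CodeCommitDeveloperAccess
region = us-west-2

[profile legacy-keys]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")

def load_profiles(config_text: str) -> Dict[str, Dict[str, str]]:
    """Parse AWS CLI config text into {profile_name: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    profiles = {}
    for section in parser.sections():
        # ~/.aws/config names non-default profiles as "[profile NAME]".
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles

def audit_profiles(profiles: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Flag profiles with long-lived keys or with incomplete/absent SSO settings."""
    findings = {}
    for name, settings in profiles.items():
        problems = []
        if "aws_access_key_id" in settings or "aws_secret_access_key" in settings:
            problems.append("static access key present")
        if any(key in settings for key in SSO_KEYS):
            missing = [key for key in SSO_KEYS if key not in settings]
            if missing:
                problems.append("incomplete SSO profile, missing " + ", ".join(missing))
        elif not problems:
            problems.append("no SSO settings")
        if problems:
            findings[name] = problems
    return findings

Remote = NamedTuple("Remote", [("region", Optional[str]), ("profile", Optional[str]), ("repository", str)])

# Accepts codecommit://[profile@]repo and codecommit::region://[profile@]repo.
_REMOTE_RE = re.compile(
    r"^codecommit(?:::(?P<region>[a-z]{2}(?:-[a-z]+)+-\d))?://"
    r"(?:(?P<profile>[^@/]+)@)?(?P<repository>[^@/]+)$"
)

def parse_remote(url: str) -> Remote:
    """Split a git-remote-codecommit URL into region, profile and repository."""
    match = _REMOTE_RE.match(url)
    if not match:
        raise ValueError("not a git-remote-codecommit URL: %r" % url)
    return Remote(match.group("region"), match.group("profile"), match.group("repository"))

def resolve_identity(url: str, profiles: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Report the SSO account, role and repository ARN a remote will be accessed as."""
    remote = parse_remote(url)
    name = remote.profile or "default"  # no profile in the URL means the default profile
    settings = profiles.get(name)
    if settings is None:
        raise KeyError("profile %r is not in the config" % name)
    if "sso_account_id" not in settings:
        raise ValueError("profile %r is not SSO-backed; do not push with it" % name)
    region = remote.region or settings.get("region")  # a Region in the URL wins
    if not region:
        raise ValueError("no Region in the URL or in profile %r" % name)
    account = settings["sso_account_id"]
    return {
        "profile": name,
        "account_id": account,
        "role": settings["sso_role_name"],
        "region": region,
        "repository": remote.repository,
        "arn": "arn:aws:codecommit:%s:%s:%s" % (region, account, remote.repository),
    }

if __name__ == "__main__":
    profiles = load_profiles(SAMPLE_CONFIG)
    for name, problems in audit_profiles(profiles).items():
        print("%s: %s" % (name, "; ".join(problems)))
    print(resolve_identity("codecommit::us-east-1://DevTrading-profile@MyDemoRepo2", profiles))
```

Point load_profiles at the real file (open(os.path.expanduser("~/.aws/config")).read()) to audit a developer machine: any profile reported with "static access key present" is a long-lived credential that the off-boarding procedure in this post cannot revoke, and resolve_identity refuses such a profile rather than signing with it. The repository ARN it returns is the value to put in the Resource list if you scope the permission-set policy to named repositories.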

Cleaning up

At the end of this tutorial, complete the following steps to undo the changes you made to your local system and AWS:

  1. On the AWS SSO console, remove the user from the group you created, so any future access requests fail. Temporary credentials already issued to the user remain valid until they expire (up to the 12-hour session duration chosen for the permission set), so for an urgent off-boarding also disable the user in AWS SSO to block new sign-ins.
  2. On the developer machine, run aws sso logout. This removes the cached SSO token under $HOME/.aws/sso/cache and invalidates the corresponding session on the service side; removing the profiles alone leaves that cached token usable until it expires.
  3. To remove the AWS SSO login profiles, open the local config file with your preferred tool and remove the profile.
    1. The config file is located at %UserProfile%\.aws\config on Windows and $HOME/.aws/config on Linux or Mac.
  4. To remove git-remote-codecommit, run the PIP uninstall command:
pip uninstall git-remote-codecommit

With some operating systems, you might need to run the following code instead:

sudo pip uninstall git-remote-codecommit

Conclusion

This post reviewed an approach to securely switch between repositories and work without concerns about one Git repository’s security credentials interfering with the other Git repository. User access is controlled by the permissions assigned to the profile via federated roles from AWS SSO. This allows for access control to CodeCommit without needing access keys.

About the Author

Steven David

Steven David is an Enterprise Solutions Architect at Amazon Web Services. He helps customers build secure and scalable solutions. He has background in application development and containers.
