无法使用 IAM 角色克隆 AWS CodeCommit
Unable to clone AWS CodeCommit with IAM Role
我的 ec2 实例有以下设置,但没有成功。
有 a same issue on aws forum 但没有答案。
~/.git配置:
[credential]
helper = !aws --region us-east-1 codecommit credential-helper $@
UseHttpPath = true
EC2 实例的 IAM 角色策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codecommit:*"
],
"Resource": "*"
}
]
}
然后下面的代码有效:
echo -e "protocol=https\npath=/v1/repos/my-repo\nhost=git-codecommit.us-east-1.amazonaws.com" | aws --region us-east-1 codecommit credential-helper get
然而,对于 git,它不会。
git clone https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-repo
Cloning into 'my-repo'...
fatal: unable to access 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-repo/': The requested URL returned error: 403
有什么想法吗?
更新
经过一番调查,我发现附加的 IAM 角色无法正常工作 git,但 IAM 用户工作正常。
| Type | list-repositories | credential-helper | git operation |
| IAM User with CodeCommitFullAccess | OK | OK | OK |
| IAM Role with CodeCommitFullAccess | OK | OK | NG |
尝试以下命令:
列表存储库
aws codecommit list-repositories
凭据助手
echo -e "protocol=http\npath=/v1/repos/my-repo\nhost=git-codecommit.us-east-1.amazonaws.com" | aws --region=us-east-1 codecommit credential-helper get
git操作
git clone --config credential.helper='!aws --region=us-east-1 codecommit credential-helper $@' --config credential.UseHttpPath=true https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-repo
我的 awscli 版本如下:
$ aws --version
aws-cli/1.10.44 Python/2.7.5 Linux/3.10.0-327.10.1.el7.x86_64 botocore/1.4.34
更新2
我的git和curl版本如下:
$ git --version
git version 1.8.3.1
$ curl --version
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.19.1 Basic ECC zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz
您至少需要使用 curl 7.33 或更高版本。来自 CodeCommit 文档:
AWS CodeCommit requires curl 7.33 and later. However, there is a known issue with HTTPS
and curl update 7.41.0.
我的 ec2 实例有以下设置,但没有成功。
有 a same issue on aws forum 但没有答案。
~/.git配置:
[credential]
helper = !aws --region us-east-1 codecommit credential-helper $@
UseHttpPath = true
EC2 实例的 IAM 角色策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codecommit:*"
],
"Resource": "*"
}
]
}
然后下面的代码有效:
echo -e "protocol=https\npath=/v1/repos/my-repo\nhost=git-codecommit.us-east-1.amazonaws.com" | aws --region us-east-1 codecommit credential-helper get
然而,对于 git,它不会。
git clone https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-repo
Cloning into 'my-repo'...
fatal: unable to access 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-repo/': The requested URL returned error: 403
有什么想法吗?
更新
经过一番调查,我发现附加的 IAM 角色无法正常工作 git,但 IAM 用户工作正常。
| Type | list-repositories | credential-helper | git operation |
| IAM User with CodeCommitFullAccess | OK | OK | OK |
| IAM Role with CodeCommitFullAccess | OK | OK | NG |
尝试以下命令:
列表存储库
aws codecommit list-repositories凭据助手
echo -e "protocol=http\npath=/v1/repos/my-repo\nhost=git-codecommit.us-east-1.amazonaws.com" | aws --region=us-east-1 codecommit credential-helper getgit操作
git clone --config credential.helper='!aws --region=us-east-1 codecommit credential-helper $@' --config credential.UseHttpPath=true https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-repo
我的 awscli 版本如下:
$ aws --version
aws-cli/1.10.44 Python/2.7.5 Linux/3.10.0-327.10.1.el7.x86_64 botocore/1.4.34
更新2
我的git和curl版本如下:
$ git --version
git version 1.8.3.1
$ curl --version
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.19.1 Basic ECC zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz
您至少需要使用 curl 7.33 或更高版本。来自 CodeCommit 文档:
AWS CodeCommit requires curl 7.33 and later. However, there is a known issue with HTTPS
and curl update 7.41.0.