问题
We are transitioning from GitHub to AWS CodeCommit to have a tightly integrated environment.
One need is to access one repository through HTTPS. This repo is accessed ny Spring Cloud Config Server product that uses jgit to read the repo and clone the files for its use.
AWS CodeCommit apparently requires the use of the credential helper when connecting through HTTPS, but I don't the setup to be like that. I want a user and password setup that jgit can use without the need to generate a temp credential using the credential helper. Any way to accomplish this?
Is there any way to configure CodeCommit to access a fixed user and password to access the repository through HTTPS?
回答1:
Update
As of December 22 2016, AWS CodeCommit supports the use of a static user name and password as a simplified way to authenticate to your AWS CodeCommit repositories over HTTPS:
With Git credentials, you can generate a static user name and password in the Identity and Access Management (IAM) console that you can use to access AWS CodeCommit repositories from the command line, Git CLI, or any Git tool that supports HTTPS authentication.
Because these are static credentials, they can be cached using the password management tools included in your local operating system or stored in a credential management utility. This allows you to get started with AWS CodeCommit within minutes. You don’t need to download the AWS CLI or configure your Git client to connect to your AWS CodeCommit repository on HTTPS. You can also use the user name and password to connect to the AWS CodeCommit repository from third-party tools that support user name and password authentication, including popular Git GUI clients (such as TowerUI) and IDEs (such as Eclipse, IntelliJ, and Visual Studio).
[...]
Initial Answer
Is there any way to configure CodeCommit to access a fixed user and password to access the repository through HTTPS?
No, as outlined in Setting Up for AWS CodeCommit, you have to either use HTTPS or SSH, and the former requires a cryptographically signed version of your IAM user credentials or Amazon EC2 instance role whenever Git needs to authenticate with AWS in order to interact with repositories in AWS CodeCommit.
However, as mentioned by Mark L. Smith in his answer to using native git not jgit in Eclipse git, while These credentials expire in ~15 minutes, nothing prevents you from implementing the signing process yourself, and Mark kindly provided a resp. Example showing how to clone an AWS CodeCommit repository over HTTPS using jgit right away, see jgit-codecommit for details.
回答2:
To my knowledge (and I have been spending most of my time fooling around with CodeCommit for two weeks now), no, there's no way to use a username/password combination. One of the key features of CodeCommit is that it integrates with your already existing AWS ecosystem by utilizing IAM users and/or roles to grant access more or less automatically, once set up. What is keeping your from using the credential helper?
This may not be what you want, but have you tried creating an IAM user solely for allowing your server to access CodeCommit? You could then generate an access key and secret key for that user and store them as a profile in the server's credentials file (which is typically ~/.aws/credentials). Then you can set up the server's git config to use the credential helper with that profile, and it will automatically authenticate going forward. The key is to use IAM user credentials, so they are permanent, as opposed to IAM role credentials, which expire.
回答3:
Is there any way to configure CodeCommit to access a fixed user and password to access the repository through HTTPS?
The answer used to be 'no', but AWS CodeCommit now offers HTTPS Git Credentials
These are static username/password credentials that can be cached using your standard credential managers (if you have one), and work with IDEs that support username/password auth. IDE Setup
回答4:
This is now possible.
1) Configure AWS credential helper. Follow this link for Unix like systems. Setting up AWS credential helper.
2) This command displays your AWS credentials if the git credential helper works correctly. If not run the same command with --debug flag to find the issue.
echo -e "protocol=https\npath=/v1/repos/myrepo\nhost=git-codecommit.us-east-1.amazonaws.com" | aws codecommit credential-helper get
3) Include the dependency in your build.
implementation('com.amazonaws:aws-java-sdk-core:1.11.463')
4) Then set the CodeCommit url in application.yml.
spring.cloud.config.server.git.uri=https://git-codecommit.us-west-2.amazonaws.com/v1/repos/moa-config
来源:https://stackoverflow.com/questions/31862615/aws-codecommit-https-access-without-setting-up-credential-helper