Configure Cross-Account Access for CodeCommit Repositories

You might want to use a single Codecommit repository for a project and uses them across different AWS account Ex: prod, and non-prod.

Updated Oct. 22, 20 · Tutorial

Likes (2)

Comment

Save

9.5K Views

You might want to use a single Codecommit repository for a project and uses them across different AWS account Ex: prod, and non-prod.

What to Do?

For this tutorial, let's assume we have 2 AWS account one for Production and another for non-production.CodeCommit repository is hosted on a production account.

The developer is going to create a simple cloudformation (CFN) template which will provision a DynamoDB table employee(id, name, job) and create a secret and stores it in AWS Secrets Manager.

The CFN template will be saved in codecommit repo under the default master branch. Using AWS Codepipeline CFN will be deployed across multiple AWS accounts.

Steps to Follow

1) Cloud Admin will create a code-commit repo in the production AWS account.

    YAML
   
xxxxxxxxxx

AWSTemplateFormatVersion: 2010-09-09
Description: Creates code-commit repo for demo
Parameters:
  Project:
    Description: Project Name
    Type: String
Resources:
  CodeCommitRepository:
    Type: AWS::CodeCommit::Repository
    Properties:
        RepositoryName: !Join ['-', [!Ref 'Project',!Ref 'AWS::AccountId']]
        RepositoryDescription: This is a repository for my demo 
        Tags:
          - Key: Project
            Value: !Ref Project
Outputs:
  CodeCommitRepositoryArn:
    Description: repo Arn.
    Value: !GetAtt  CodeCommitRepository.Arn
    Export:
      Name: !Sub ${AWS::StackName}

2) Cloud Admin in the production AWS account, creates a role that can be assumed by developers from a non-prod AWS account. Also creates a policy that grants access to the repository and attaches the policy to the role.

    YAML
   
 

     
    

      

     

      

     

     

    
xxxxxxxxxx

          

         

          

         

            
          
AWSTemplateFormatVersion: 2010-09-09
Description: cross-account codecommit role to assume by developers
Parameters:
  Project:
    Description: Project Name
    Type: String
  CrossAccount:
    Description: Trusted Non-prod AWS account ID.
    Type: String
#Importfrom previous StackValue
  CodecommitRepoArn:
    Description: Code-commit Repo Arn.provide Arn (or) stack export value
    Type: String
Resources:
  CodeCommitAccessRole:
    Type: 'AWS::IAM::Role'
    DeletionPolicy: Retain
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Ref 'CrossAccount'
            Action:
              - 'sts:AssumeRole'
      Path: /
#      ManagedPolicyArns:
#        - 'arn:aws:iam::aws:policy/AWSCodeCommitPowerUser'
      Policies:
        - PolicyName: CrossAccountExecPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: CodeCommitAccess
                Effect: Allow
                Action:
                  - codecommit:BatchGet*
                  - codecommit:Create*
                  - codecommit:DeleteBranch
                  - codecommit:Get*
                  - codecommit:List*
                  - codecommit:Describe*
                  - codecommit:Put*
                  - codecommit:Post*
                  - codecommit:Merge*
                  - codecommit:Test*
                  - codecommit:Update*
                  - codecommit:GitPull
                  - codecommit:GitPush
                Resource:
#                  - !Ref 'CodecommitRepoArn'
                  - 'Fn::ImportValue':
                           !Ref 'CodecommitRepoArn'
              - Sid: listAccess
                Effect: Allow
                Action:
                  - codecommit:ListRepositories
                Resource: "*"
      RoleName: !Join ["-", [!Ref 'Project',CodeCommitAccessRole]]
      Tags:
        - Key: Project
          Value: !Ref Project
Outputs:
  CodeCommitAccessRoleName:
    Description: Code Commit Access Role Name
    Value: !Ref CodeCommitAccessRole
  CodeCommitAccessRoleArn:
    Description: CrossAccount Access Role Arn
    Value: !GetAtt  CodeCommitAccessRole.Arn

      

     

3) Cloud Admin in the non-production AWS account, creates a group and attach the policy to assume the production cross-account codecommit Role. New User is created and attached to the group. Access Key and secret for the user is generated and stored in the secret manager.

    YAML
   
 

     
    

      

     

      

     

     

    
xxxxxxxxxx

          

         

          

         

            
          
AWSTemplateFormatVersion: 2010-09-09
Description: This template creates developer group,user attach policy
Parameters:
  Project:
    Description: Project Name
    Type: String
  CrossAccountRole:
    Description: Cross-Account Role created in production account
    Type: String
Resources:
  DevManagedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AssumeCrossAccountRole
            Effect: Allow
            Action:
              - sts:AssumeRole
            Resource:
              - !Ref 'CrossAccountRole'
      ManagedPolicyName: !Join ["-", [!Ref 'Project','AssumeCrossAccountRole']]
      Description: "Developers Assume CrossAccount Repository Role"
  DevGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: !Join ["-", [!Ref 'Project','CrossAccountRepositoryAccess']]
      ManagedPolicyArns:
         - !Ref 'DevManagedPolicy'
  DevUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Join ["-", [!Ref 'Project','Dev']]
      Groups:
        - !Ref 'DevGroup'
      Tags:
        - Key: Project
          Value: !Ref Project
  DevAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref 'DevUser'
      Status: Active
  DevAccessSecret:
    Type: 'AWS::SecretsManager::Secret'
    Properties:
      Name: !Join ["/", ['',!Ref 'Project','Dev','AccessKey']]
      Description: Dev user AccessKey secret
      SecretString:
        !Sub
          - '{"aws_access_key_id":"${AccessKey}","aws_secret_access_key":"${SecretAccess}"}'
          - AccessKey: !Ref 'DevAccessKey'
            SecretAccess: !GetAtt 'DevAccessKey.SecretAccessKey'
      Tags:
        - Key: Project
          Value: !Ref Project

      

     

4) Now Developer can use the access Key and login and switch the role access the repo.

    Shell
   
xxxxxxxxxx

aws configure
### AWS Access Key ID [****************GE6U]: *******
### AWS Secret Access Key [****************Zm9P]: ********
# aws sts get-caller-identity
aws sts assume-role --role-arn "arn:aws:iam::*:role/*Role" --role-session-name CodeRepo
git clone https://git-codecommit.ap-southeast-2.amazonaws.com/v1/repos/*****

PS: Next part we will create a pipeline and assume the role.

Repository (version control) AWS

Opinions expressed by DZone contributors are their own.

Related

Trending

Configure Cross-Account Access for CodeCommit Repositories

You might want to use a single Codecommit repository for a project and uses them across different AWS account Ex: prod, and non-prod.

What to Do?

Steps to Follow

Related

Partner Resources