Using CodeCommit with the Ubuntu AMI
Sometimes, you might have to fetch your own git repository from an AMI. In order to achieve this, you need a role which allows your EC2 instance to access the git repository. So, in your IAM create a new role with the attached policy AWSCodeCommitReadOnly and a trust relationship for EC2.
You’ll also have to give yourself the permission to pass a role to an EC2 instance.
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn-for-your-repository"
}When you startup an instance using create_instance you can now pass the
Instance Profile ARN to the EC2 instance. Pay attention not to use the
Role ARN.
On the current AMI of Ubuntu (Ubuntu Server 14.04, ami-fce3c696) there’s a higher burden. If you want to use CodeCommit from this AMI without setting up SSH keys (i.e. using HTTPS and the credential helper), you’ll receive this nice little error:
error: gnutls_handshake() failed
According to askubuntu, this is a problem with gnutls and can be solved by replacing it with openssl. So, you’ll have to do this first. We can automatize the steps from the answer into our startup script:
apt-get -y install build-essential fakeroot dpkg-dev
mkdir /root/git-openssl
cd /root/git-openssl
apt-get source git
apt-get -y build-dep git
apt-get -y install libcurl4-openssl-dev
dpkg-source -x git_*.dsc
cd git-*
sed -i s/libcurl4-gnutls-dev/libcurl4-openssl-dev/g debian/control
sed -i "s/TEST =test//g" debian/rules
dpkg-buildpackage -rfakeroot -b
dpkg -i ../git_*_amd64.debAfter this step you have to setup the credential helper for git:
cd $HOME
echo "[credential]" > .gitconfig
echo "helper = !aws codecommit credential-helper $@" >> .gitconfig
echo "UseHttpPath = true" >> .gitconfig
git clone $HTTPS_REPO_URLThe Ubuntu AMI does not include the awscli and the one in the Ubuntu
repository is outdated and does not include codecommit commands. So, you
should install awscli from pip.
apt-get install -y python-pip
pip install awscliNow you are ready to clone your git repository:
git clone $HTTPS_REPO_URL