5
votes

We have 2 repos

  1. Repo 1
  2. Repo 2

Inside Repo 1 > package.json there is a dependency

"dependencies": {
    "repo-2": "git+https://git-codecommit.us-east-1.amazonaws.com/v1/repos/repo-2/"
}

Then, inside CodeBuild for "repo-1", we have the following buildspec

version: 0.2

phases:
  install:
    runtime-versions:
      nodejs: 10
    commands:
      - mkdir -p ./deploy
  build:
    commands:
      - echo "Server copy START $(date)"
      - cp -r ./index.js ./deploy/index.js
      - cp -r ./package.json ./deploy/package.json
      - cp -r ./buildspec.yml ./deploy/buildspec.yml
      - echo "Server copy END $(date)"
      - echo "Server npm install START $(date)"
      - cd ./deploy && npm install --production
      - echo "Server npm install END $(date)"
  post_build:
    commands:
artifacts:
  files:
        - '**/*'
  base-directory: 'deploy'

The error CodeBuild throws is the following

npm ERR! fatal: unable to access 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/repo-2/': The requested URL returned error: 403 

Basically, the question is: Can I use a CodeCommit repo as an npm dependency, and what is the proper way to do it?

Try #1

I tried to add this (and similar variations) but had no success: https://medium.com/@ngchiwang/aws-npm-install-private-codecommit-module-8512c3203c37

Try #2

I also tried to change the dependency URL to this

"repo-2": "git://git-codecommit.us-east-1.amazonaws.com/v1/repos/repo-2"

But I am getting the following error

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fatal: unable to connect to git-codecommit.us-east-1.amazonaws.com: 
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: git-codecommit.us-east-1.amazonaws.com[0: 52.94.233.146]: errno=Connection refused
3
403 is “Forbidden”. Your CodeBuild role needs permission to access the repo. - hephalump
CodeBuild assigned role has access to the repo. - Andrej Kaurin
My fault @AndrejKaurin, it's actually an NPM error; have you configured your NPM credentials inside the CodeBuild environment? You need to log in to NPM so you can access the private package. - hephalump
But the private package is on CodeCommit. - Andrej Kaurin
I am using "dependencies", but posted "devDependencies" by mistake. Tried your suggestion but no success. I updated the question with the error. - Andrej Kaurin

3 Answers

7
votes

I ran into this same issue today and got it working by enabling git-credential-helper in the env section of the buildspec file.

Example:

version: 0.2
env:
  git-credential-helper: yes
phases:
  install:
    runtime-versions:
      nodejs: 10
    commands:
      - npm install
  build:
    commands:
      - npm run build

This combined with CodeCommit privileges in the policy (that you said you already have) results in working builds with private npm packages from CodeCommit.

1
votes

I had a similar issue last week, so I will share the solution recommended by the Amazon team.

The better approach for this would be to set "git-credential-helper" to yes [1] in the env section of your buildspec file; you can then use HTTPS to access the repository. Please refer to the BuildSpec example below.

================Buildspec Snippet=================

version: 0.2

env:
    git-credential-helper: yes

phases:
    pre_build:
        commands:
        - /usr/bin/git ls-remote -h -t https://git-codecommit.us-east-1.amazonaws.com/v1/repos/repo-2/

================Buildspec Snippet=================

Also, please make sure you have provided the required permissions to access the CodeCommit repository in the CodeBuild IAM role. Below are sample IAM policies that you can refer to when granting permissions, depending on your use case:

===========IAM Policy example=============

   {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "codecommit:GetRepository",
                    "codecommit:GitPull",
                    "codecommit:GetFolder"
                ],
                "Resource": "arn:aws:codecommit:us-east-1:<account-id>:<put repo Name or *>"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "codecommit:ListRepositories",
                "Resource": "*"
            }
        ]
    }

===========IAM Policy example=============

Please check if the above approach helps in achieving your use-case.

Kindly note that the above buildspec snippet is just an example to explain how you can access the CodeCommit repo, and it needs to be modified as per your requirement. For example, you can describe your repository dependency in package.json as below, which I assume you are already doing, and run npm install through your buildspec file in CodeBuild.

"dependencies": {
    "my-npm": "git+https://git-codecommit.us-east-1.amazonaws.com/v1/repos/<repo name>"
},
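
Added example, not part of the original answer: a Node.js check that reads a package.json, derives the repository-scoped `codecommit:GitPull` statement the CodeBuild role needs (rather than `*`), and flags CodeCommit dependencies that do not use HTTPS or are not pinned to a commit. The account ID `111122223333`, the helper name `analyzeManifest` and the sample manifest are assumptions constructed for illustration.

```javascript
// Added example: ACCOUNT_ID and SAMPLE_MANIFEST are constructed placeholders.
const ACCOUNT_ID = "111122223333";
// CodeCommit Git endpoint host; the capture group is the region.
const HOST_RE = /^git-codecommit\.([a-z0-9-]+)\.amazonaws\.com$/;

// Hypothetical helper: returns the repo-scoped policy plus findings.
function analyzeManifest(manifestJson) {
  const pkg = JSON.parse(manifestJson);
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  const arns = new Set();
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    let url;
    try {
      url = new URL(spec.replace(/^git\+/, ""));
    } catch {
      continue; // semver range or tag, not a URL
    }
    const host = HOST_RE.exec(url.hostname);
    if (!host) continue; // not hosted on CodeCommit
    if (url.protocol !== "https:") {
      findings.push(`${name}: ${url.protocol}// URL bypasses the HTTPS credential helper`);
      continue;
    }
    const repo = /^\/v1\/repos\/([^/]+)\/?$/.exec(url.pathname);
    if (!repo) {
      findings.push(`${name}: unexpected CodeCommit path ${url.pathname}`);
      continue;
    }
    arns.add(`arn:aws:codecommit:${host[1]}:${ACCOUNT_ID}:${repo[1]}`);
    if (!/^#[0-9a-f]{40}$/.test(url.hash)) {
      findings.push(`${name}: not pinned to a full commit hash`);
    }
  }
  // GitPull is the IAM permission behind git clone/fetch; scope it per repo.
  const statement = { Effect: "Allow", Action: "codecommit:GitPull", Resource: [...arns].sort() };
  return { policy: { Version: "2012-10-17", Statement: [statement] }, findings };
}

// Constructed sample based on the package.json fragments quoted on this page.
const SAMPLE_MANIFEST = JSON.stringify({
  dependencies: {
    "repo-2": "git+https://git-codecommit.us-east-1.amazonaws.com/v1/repos/repo-2/",
    "repo-2-alt": "git://git-codecommit.us-east-1.amazonaws.com/v1/repos/repo-2",
    "left-pad": "^1.3.0",
  },
});
console.log(JSON.stringify(analyzeManifest(SAMPLE_MANIFEST), null, 2));
```
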
0
votes

Try using your private AWS CodeCommit repo as your npm module using the following commands:

git config --global credential.helper '!aws codecommit credential-helper $@'
git config --global credential.UseHttpPath true
git config --global url."ssh://".insteadOf https://
npm install --save git+https://<your_repo_url>#master

If you want to use npm dependency instead, check out the answers on a similar question here: npm install private github repositories by dependency in package.json