Private Git repository access by CI/CD/CDE EC2s in secure subnets is an architectural best practice. However, using an IAM user to authenticate private Git repository access on EC2 is NOT a best practice. Why?
- Storing long-lived access keys on the EC2 instance is not secure.
- Rotating an IAM user's access keys breaks git connectivity on EC2. Outcome: broken CI/CD!
IAM roles and instance profiles to the rescue!
Components of our reference implementation:
- A private subnet with outbound-only connectivity, i.e., a NAT'd subnet. No IGW.
- An IAM role with AWSCodeCommitFullAccess, attached to an instance profile
- An AWS CodeCommit repository
- A Jenkins Docker image with git-remote-codecommit (GRC) installed
Launch steps:
- Create an EC2 instance in the private subnet with the instance profile.
- Run a Jenkins container on the EC2.
- Copy the HTTPS (GRC) URL from CodeCommit.
- SSH to the EC2 instance, exec into the Jenkins container, and run git clone against the HTTPS (GRC) URL to verify connectivity. Done!
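A small verification script for the last step, added here as an example and not part of the original post or of any AWS/Jenkins tooling: it confirms the instance profile is visible through IMDSv2, then clones over GRC without any stored keys. The region, repository name and destination directory are assumed arguments.

```shell
#!/bin/sh
# Added example (not from the original post): check that the instance
# profile is usable and that git-remote-codecommit (GRC) can clone with it.
set -eu

# Build the GRC clone URL: codecommit::<region>://<repo>
# (GRC obtains credentials from the botocore chain, which on EC2 falls
#  through to the instance profile, so no keys are written to disk.)
grc_url() {
  printf 'codecommit::%s://%s\n' "$1" "$2"
}

# Read the attached role name via IMDSv2 (token-based request).
# Inside a Docker container on bridge networking this only works when the
# instance's IMDS HttpPutResponseHopLimit is 2, or the container uses
# --network host; otherwise the token request times out.
instance_role() {
  token=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
  curl -sSf -H "X-aws-ec2-metadata-token: $token" \
       "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
}

# Clone into $3 (default /tmp/grc-check); returns non-zero on any failure.
verify_clone() {
  dest="${3:-/tmp/grc-check}"
  command -v git-remote-codecommit >/dev/null 2>&1 || {
    echo "git-remote-codecommit not installed (pip install git-remote-codecommit)" >&2
    return 2
  }
  rm -rf "$dest"
  git clone "$(grc_url "$1" "$2")" "$dest"
}

# Usage: sh grc-check.sh run <region> <repo> [dest]
if [ "${1:-}" = "run" ]; then
  echo "Instance role: $(instance_role)"
  verify_clone "${2:?region required}" "${3:?repo name required}" "${4:-}"
fi
```

If `instance_role` prints nothing, the instance has no profile attached (or the container cannot reach IMDSv2), which is the failure to fix before looking at git itself.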