Applying security and restrictions
In an enterprise where a product is being developed, we typically find many developers on different teams working with different repositories, but all in the same Git-based VCS.
In CodeCommit, if we attach the AWSCodeCommitPowerUser managed policy to a user, that user gets full control over every repository in the account except deleting repositories. A Power User can therefore read the source code of every other team's repository, so there is no isolation between teams. This is the kind of permission you should avoid granting by default.
Other organizations need something narrower: only a few of their developers should be able to run Git commands, and only against a specific repository. This recipe shows how to implement that scenario.
Getting ready
To implement this scenario we use AWS IAM, where we create a user and attach a custom CodeCommit policy to it. The policy grants only specific Git actions (pull and push) on a single repository, and nothing else.
How to do it...
Let's get started with that, and perform the following operations:
- First of all, let's create a custom policy that holds the restriction definition.
- Go to the IAM Console and click on the Policies section. Then, click on Create Policy:
- Click on Create Your Own Policy:

- You will be redirected to another page where you have to fill in the Policy Name, a description of the policy, and a policy document. The policy document is the definition, where we list the resources and the actions allowed on them:

- Insert the following policy definition (x60xxxxxxx39 is a placeholder for your account ID, and the region in the ARN, us-east-1 here, must be the region where the repository was created):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "codecommit:GitPull",
            "codecommit:GitPush"
          ],
          "Resource": "arn:aws:codecommit:us-east-1:x60xxxxxxx39:HelloWorld"
        }
      ]
    }
- Click on Create Policy; then we have our own custom policy:
- Now, let's remove the AWSCodeCommitPowerUser access from the IAM user that we created to clone the repository, by clicking on x:

- Click on Add permissions, then click on Attach Existing Policies Directly, search for the policy name in the filter, check it, and save:

- We now have a user with only our custom policy, which means the user has access only to the HelloWorld repository and only to two actions: codecommit:GitPull (what git clone, git fetch and git pull use) and codecommit:GitPush (what git push uses):
awsstar@awsstar:~$ aws codecommit list-repositories
An error occurred (AccessDeniedException) when calling the ListRepositories operation: User: arn:aws:iam::16xxxxxx139:user/awsccuser is not authorized to perform: codecommit:ListRepositories
The preceding command output shows an AccessDeniedException: awsccuser is not authorized to perform codecommit:ListRepositories. The reason is that we granted only two actions, codecommit:GitPull and codecommit:GitPush, and only on the HelloWorld repository ARN; any action that no statement allows is implicitly denied. The user can still clone, fetch and push HelloWorld by its URL, it just cannot enumerate repositories. If you do want such a user to list repositories, note that codecommit:ListRepositories does not support resource-level permissions, so it has to be granted in a separate statement with "Resource": "*"; granting it does not expose the contents of the other repositories, because reading them still requires GitPull on their ARNs.