AWS CodeCommit - Securing The Repository and Branches
Inception: Learn how to secure AWS CodeCommit repository branches. You will use an IAM policy to restrict pushing code directly to the master branch.
In this article you will learn how to secure the branches of a CodeCommit repository. As a best practice, nobody should be able to push code directly into the repository's master branch.
To get code into master, a developer must open a pull request; another engineer reviews it, and only then is it merged into master.
You should already know how to create branches (also called feature branches) in AWS CodeCommit: you develop a feature in a branch and then merge that branch into master.
The master branch is the working version of your code, so pushing directly to it is bad practice. Develop in a feature branch, get it tested, open a pull request, have the code reviewed, and only then merge it into master.
Now let's see how to enforce this by limiting pushes and merges to branches in AWS CodeCommit.
Limit Pushes and Merges in AWS CodeCommit
- Create an IAM group called developers and add all developers on your team to it.
- Create an inline policy with the statements below inside the developers group.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "codecommit:GitPush",
        "codecommit:DeleteBranch",
        "codecommit:PutFile",
        "codecommit:MergeBranchesByFastForward",
        "codecommit:MergeBranchesBySquash",
        "codecommit:MergeBranchesByThreeWay",
        "codecommit:MergePullRequestByFastForward",
        "codecommit:MergePullRequestBySquash",
        "codecommit:MergePullRequestByThreeWay"
      ],
      "Resource": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo",
      "Condition": {
        "StringEqualsIfExists": {
          "codecommit:References": [
            "refs/heads/master"
          ]
        },
        "Null": {
          "codecommit:References": false
        }
      }
    }
  ]
}
- Read actions such as GitPull (clone, fetch, pull) stay allowed, while GitPush, DeleteBranch, PutFile and the merge actions are denied on the protected branch. Note that this inline policy only denies; it grants nothing by itself, so the group also needs an Allow policy for the everyday CodeCommit actions (for example the AWS managed policy AWSCodeCommitPowerUser).
- The two condition keys work together: StringEqualsIfExists matches the ref being written against refs/heads/master, and Null set to false limits the deny to requests that carry the codecommit:References key at all. A clone or pull carries no ref, so it is not caught; a push to refs/heads/feature-1 carries a ref that does not match, so it is not caught either.
- Add the users to the developers group.
- These users can now no longer push to, delete, or merge into the master branch of the repository MyDemoRepo in account 111111111111, region us-east-2. Because this is an explicit Deny, it overrides any Allow the users have from other policies. The Resource ARN must name the repository you are actually protecting; the terminal output later in this article was captured against a repository named spring-boot-demo in us-west-2, so the ARN in your policy has to match whatever repository you test against.
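The steps above are done in the IAM console. As an added example (not code from the original article), the following boto3 script does the same thing, and generalises the policy to a list of protected branches. The region, account ID, repository, group and user names are placeholders you must replace.

```python
"""Create the developers group and attach the branch-protection deny policy.

Added example, not from the original article. Does with boto3 what the
article does in the IAM console. All identifiers below are placeholders
(assumptions), not values from a real account.
"""
import json

# Placeholder identifiers; replace with your own.
REGION = "us-east-2"
ACCOUNT_ID = "111111111111"
REPO_NAME = "MyDemoRepo"
GROUP_NAME = "developers"
POLICY_NAME = "DenyDirectWritesToProtectedBranches"
PROTECTED_BRANCHES = ["master"]

# Write actions that move a branch head directly or merge into it.
PROTECTED_ACTIONS = [
    "codecommit:GitPush",
    "codecommit:DeleteBranch",
    "codecommit:PutFile",
    "codecommit:MergeBranchesByFastForward",
    "codecommit:MergeBranchesBySquash",
    "codecommit:MergeBranchesByThreeWay",
    "codecommit:MergePullRequestByFastForward",
    "codecommit:MergePullRequestBySquash",
    "codecommit:MergePullRequestByThreeWay",
]


def build_branch_protection_policy(region, account_id, repo_name, branches):
    """Return the deny policy as a dict.

    Generalises the article's single-branch policy to a list of branches.
    The deny applies only when the request carries a codecommit:References
    key (Null == false) AND that key names one of the protected refs.
    """
    if not branches:
        raise ValueError("at least one branch must be protected")
    refs = [f"refs/heads/{b}" for b in branches]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": list(PROTECTED_ACTIONS),
                "Resource": f"arn:aws:codecommit:{region}:{account_id}:{repo_name}",
                "Condition": {
                    "StringEqualsIfExists": {"codecommit:References": refs},
                    "Null": {"codecommit:References": "false"},
                },
            }
        ],
    }


def apply_policy(iam, group_name, policy_name, policy, users):
    """Create the group (idempotently), attach the inline policy, add users.

    `iam` is a boto3 IAM client. The deny policy grants nothing on its own;
    the group still needs an Allow policy such as AWSCodeCommitPowerUser.
    """
    try:
        iam.create_group(GroupName=group_name)
    except iam.exceptions.EntityAlreadyExistsException:
        pass  # group already exists, keep going
    iam.put_group_policy(
        GroupName=group_name,
        PolicyName=policy_name,
        PolicyDocument=json.dumps(policy),
    )
    for user in users:
        iam.add_user_to_group(GroupName=group_name, UserName=user)


if __name__ == "__main__":
    import boto3  # imported here so the policy builder works without boto3

    policy = build_branch_protection_policy(REGION, ACCOUNT_ID, REPO_NAME, PROTECTED_BRANCHES)
    print(json.dumps(policy, indent=2))
    # "user1" is a placeholder user name (assumption).
    apply_policy(boto3.client("iam"), GROUP_NAME, POLICY_NAME, policy, ["user1"])
```

Run it with credentials that can manage IAM groups. Protecting more than one branch is a matter of extending PROTECTED_BRANCHES; each entry becomes one refs/heads/... value in the StringEqualsIfExists list.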
Test the policy
To check that the policy behaves as expected, follow these steps:
- Sign in as one of the users you added to the developers group.
- Make a small change in the locally cloned code.
- Stage the change: git add .
- Commit it locally: git commit -m "Testing code policy changes"
- Try to push it to the master branch: git push origin master
- The push must fail with an error like Access denied: You don't have permission to push changes to this branch.
➜ spring-boot-demo git:(master) ✗ git add .
➜ spring-boot-demo git:(master) ✗ git commit -m "Changed description"
[master e1bdea1] Changed description
1 file changed, 1 insertion(+), 1 deletion(-)
➜ spring-boot-demo git:(master) git push origin master
Enter passphrase for key '/Users/sushiver/.ssh/id_rsa':
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 8 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 374 bytes | 374.00 KiB/s, done.
Total 3 (delta 1), reused 0 (delta 0)
Access denied: You don't have permission to push changes to this branch.
To ssh://git-codecommit.us-west-2.amazonaws.com/v1/repos/spring-boot-demo
! [remote rejected] master -> master (You don't have permission to push changes to this branch.)
error: failed to push some refs to 'ssh://git-codecommit.us-west-2.amazonaws.com/v1/repos/spring-boot-demo'
➜ spring-boot-demo git:(master)
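Committing and pushing is a valid smoke test, but it only covers one action. As an added example (not from the original article), the script below asks the IAM policy simulator what a user in the developers group may do for each of the denied actions, with and without a git ref in the request, and reports any decision that differs from what the policy is meant to enforce. The user ARN and repository ARN are placeholders. The cases marked "allowed" assume the group also holds an Allow policy such as AWSCodeCommitPowerUser; with the deny policy alone they come back as implicitDeny.

```python
"""Check the branch-protection policy with the IAM policy simulator.

Added example, not part of the original article. The ARNs are placeholders
(assumptions). Decisions come back as 'allowed', 'explicitDeny' or
'implicitDeny'; the deny policy should produce explicitDeny only for
writes that name refs/heads/master.
"""
USER_ARN = "arn:aws:iam::111111111111:user/user1"                 # placeholder
REPO_ARN = "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo"  # placeholder

# (action, ref carried by the request or None, expected decision).
# A ref of None models calls such as clone/pull that carry no
# codecommit:References key at all.
EXPECTED = [
    ("codecommit:GitPush", "refs/heads/master", "explicitDeny"),
    ("codecommit:GitPush", "refs/heads/feature-1", "allowed"),
    ("codecommit:DeleteBranch", "refs/heads/master", "explicitDeny"),
    ("codecommit:MergePullRequestBySquash", "refs/heads/master", "explicitDeny"),
    ("codecommit:GitPull", None, "allowed"),
]


def context_entries(ref):
    """Build the ContextEntries argument for one simulated request."""
    if ref is None:
        return []
    return [{
        "ContextKeyName": "codecommit:References",
        "ContextKeyValues": [ref],
        "ContextKeyType": "stringList",
    }]


def decision_from_response(resp, action):
    """Pick the EvalDecision for `action` out of a SimulatePrincipalPolicy response."""
    for result in resp["EvaluationResults"]:
        if result["EvalActionName"] == action:
            return result["EvalDecision"]
    raise KeyError(f"no evaluation result for {action}")


def simulate(iam, user_arn, repo_arn, action, ref):
    """Ask IAM (boto3 client `iam`) how it would decide one request."""
    resp = iam.simulate_principal_policy(
        PolicySourceArn=user_arn,
        ActionNames=[action],
        ResourceArns=[repo_arn],
        ContextEntries=context_entries(ref),
    )
    return decision_from_response(resp, action)


def check_policy(decide):
    """Run every case through decide(action, ref); return the mismatches.

    `decide` is injected so the same check runs against the real simulator
    or against canned responses in an offline test.
    """
    failures = []
    for action, ref, expected in EXPECTED:
        actual = decide(action, ref)
        if actual != expected:
            failures.append((action, ref, expected, actual))
    return failures


if __name__ == "__main__":
    import boto3  # imported here so the helpers work without boto3

    iam = boto3.client("iam")
    failures = check_policy(lambda a, r: simulate(iam, USER_ARN, REPO_ARN, a, r))
    for action, ref, expected, actual in failures:
        print(f"MISMATCH {action} on {ref}: expected {expected}, got {actual}")
    print("policy OK" if not failures else f"{len(failures)} mismatch(es)")
```

Run this whenever the group's policies change; an explicitDeny that disappears, or a push to a feature branch that turns into a deny, shows up immediately without touching the repository.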
How to push code to the master branch?
Because direct pushes to master are blocked, a developer now has to create a feature branch, push the changes there, and open a pull request against master.
These are the steps to get your code into the master branch. The local commit from the test above still exists; git checkout -b carries it into the new branch.
- Create a branch after committing locally: git checkout -b feature-1
- Push to feature-1 (the change is already staged and committed): git push origin feature-1
➜ spring-boot-demo git:(master) git checkout -b feature-1
Switched to a new branch 'feature-1'
➜ spring-boot-demo git:(feature-1) git push origin feature-1
Warning: Permanently added the RSA host key for IP address '52.119.161.60' to the list of known hosts.
Enter passphrase for key '/Users/sushiver/.ssh/id_rsa':
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 8 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 374 bytes | 374.00 KiB/s, done.
Total 3 (delta 1), reused 0 (delta 0)
To ssh://git-codecommit.us-west-2.amazonaws.com/v1/repos/spring-boot-demo
* [new branch] feature-1 -> feature-1
➜ spring-boot-demo git:(feature-1)
- Now go to the AWS CodeCommit console and open the spring-boot-demo repository.
- Click the Create Pull Request button.
- Choose master as the Destination and feature-1 as the Source, then click Compare. You should see Mergeable shown in green.
- Enter a title and a description, then click the Create Pull Request button at the bottom of the page.
- Share this pull request with another developer.
- The other developer (user2) opens the pull request, reviews the changes, and merges it into the master branch. Because the policy also denies the MergePullRequestBy* actions on master, and an explicit Deny cannot be overridden by an Allow, user2 must not be a member of the developers group; put reviewers in a separate group whose permissions include merging. Also note that the IAM policy by itself does not require a review to have taken place: anyone who can merge could merge an unreviewed pull request. If you need that enforced as well, CodeCommit approval rules can require a minimum number of approvals before a pull request can be merged.
Conclusion: You can now protect master, or any other branch, in a CodeCommit repository, and you can create groups of users with different policies on the same repository.