To use the HTTPS endpoint of AWS CodeCommit with command-line git, I can provide the AWS credential helper. But there is no way to provide a credential helper for the cloud config server. For SSH it works fine.

Comment From: dsyer

I believe you can connect to AWS codecommit with a token that you can generate yourself and use as HTTP basic credentials or something. If anyone has any experience doing that and would like to help out, they would be more than welcome.

Comment From: dlaidlaw

There is an example of generating that token provided here: https://github.com/BigBrassBand/jgit-codecommit/blob/master/src/main/java/com/bigbrassband/aws/codecommit/gitclone/CodeCommitHttpCredentials.java

I did look at the code, and it looks like it should be possible to modify the JGitEnvironment class to support this. Basically in afterPropertiesSet() you can check the git URI to see if it points to AWS CodeCommit and if so, create an instance of org.eclipse.jgit.transport.CredentialsProvider as shown in the link above. Otherwise create an org.eclipse.jgit.transport.UsernamePasswordCredentialsProvider. Then simply use the credentials provider for all the calls.

Comment From: dlaidlaw

I was able to make this work. But I did have to add a dependency on the AWS SDK core library.

    <dependency>
        <groupId>com.amazonaws</groupId>
        <artifactId>aws-java-sdk-core</artifactId>
        <version>1.11.52</version>
    </dependency>

This is required to retrieve the user's AWS credentials using the standard Amazon credential paths, which works for both EC2 Instance Roles and local credentials.

Comment From: dsyer

Is that all you had to do? A PR for the user guide would be awesome. Or just a link to a working app in github, if you have time.

Comment From: dlaidlaw

I also had to add a class to calculate the AWS signature to pass as the password parameter for jgit. The new class extends org.eclipse.jgit.transport.CredentialsProvider. What I do is create an instance of the new class if the URI for the git server is an AWS CodeCommit uri. I then modified the JGitEnvironmentRepository to accept a CredentialsProvider property, and use that instead of always creating a UsernamePasswordCredentialsProvider.

So basically the uri for git causes either an AWSCodeCommitCredentialProvider to be used, if it matches the AWS CodeCommit URI pattern (https://git-codecommit.${AWS_REGION}.amazonaws.com/) or falls back to the UsernamePasswordCredentialsProvider (from jgit) if it does not match. Or no credentials provider if there is no username.

Comment From: dsyer

There's a lot of code there but it seems generic. Can you send it as a PR?

Comment From: dlaidlaw

I can, and will. I was wondering if it was OK in that style. I can clean it up a bit or implement it differently. I just did the first thing that came to mind. For example, the concept of credential providers could be further abstracted. At the moment I created a simple factory class that creates the credential provider based on the git URI pattern. That could be fleshed out more and allow customizations or replacement, or turning off completely. Any thoughts on that?

Comment From: gitguidev

@dlaidlaw Can you share with me the code of AWSCodeCommitCredentialProvider to authenticate to JGit using the AWS Credentials?

Comment From: dlaidlaw

@gitguidev It was actually linked just above, and at one time that was merged into the project. It seems to have been removed since, though. See: https://github.com/spring-cloud/spring-cloud-config/blob/9c695648be6a88c232ed7792759fc9adfad82c2d/spring-cloud-config-server/src/main/java/org/springframework/cloud/config/server/support/AwsCodeCommitCredentialProvider.java
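
Added example, not part of the original thread and not the project's or the linked repository's code: a JDK-only sketch (Java 17+) of the two steps discussed above, strict matching of the CodeCommit host and computing the signed password. The class and method names are hypothetical, and the `GIT` canonical-request layout follows the scheme used by AWS's own Git helper for CodeCommit, which is an assumption about what the thread's provider does. Only the `amazonaws.com` domain is handled.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.HexFormat;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class CodeCommitPassword { // hypothetical name
    // Matched against the whole parsed host, so look-alike hosts never receive AWS-derived credentials.
    static final Pattern HOST = Pattern.compile("git-codecommit\\.([a-z0-9-]+)\\.amazonaws\\.com");

    static byte[] hmac(byte[] key, String msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    /** Returns the signed password, or null when the URI is not an HTTPS CodeCommit endpoint. */
    static String password(String gitUri, String secretKey, ZonedDateTime now) throws Exception {
        URI uri = URI.create(gitUri);
        if (!"https".equals(uri.getScheme()) || uri.getHost() == null) return null;
        Matcher m = HOST.matcher(uri.getHost());
        if (!m.matches()) return null; // caller falls back to plain username/password
        String region = m.group(1);
        String stamp = now.format(DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmss"));
        String date = stamp.substring(0, 8);
        String canonical = "GIT\n" + uri.getRawPath() + "\n\nhost:" + uri.getHost() + "\n\nhost\n";
        byte[] hash = MessageDigest.getInstance("SHA-256").digest(canonical.getBytes(StandardCharsets.UTF_8));
        String scope = date + "/" + region + "/codecommit/aws4_request";
        String toSign = "AWS4-HMAC-SHA256\n" + stamp + "\n" + scope + "\n" + HexFormat.of().formatHex(hash);
        byte[] k = hmac(("AWS4" + secretKey).getBytes(StandardCharsets.UTF_8), date);
        for (String part : new String[] {region, "codecommit", "aws4_request"}) k = hmac(k, part);
        return stamp + "Z" + HexFormat.of().formatHex(hmac(k, toSign));
    }

    public static void main(String[] args) throws Exception {
        ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC);
        // Constructed inputs: placeholder secret key and repository name.
        System.out.println(password("https://git-codecommit.us-east-1.amazonaws.com/v1/repos/demo", "EXAMPLE-SECRET", now));
        System.out.println(password("https://git-codecommit.us-east-1.amazonaws.com.example.net/v1/repos/demo", "EXAMPLE-SECRET", now));
    }
}
```

With JGit, the returned string would be supplied as the password and the AWS access key ID as the username, for example through a `UsernamePasswordCredentialsProvider`.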