fluxcd / source-controller

The GitOps Toolkit source management component
https://fluxcd.io
Apache License 2.0

Support AWS CodeCommit Access with IAM Role (No stored credentials) #835

Open tskinn opened 2 years ago

tskinn commented 2 years ago

I would like to have the source-controller use a role (IAM Role as Service Account in EKS) to access my codecommit git repos. AWS has created a git remote helper for codecommit that can use an IAM role to get credentials and use them in http requests to git, and I imagine we could do something similar in the source-controller. Also, since most cloud providers have a git service, this feature could possibly be extended to all of them. (I'm not 100% sure, as I'm mostly familiar with just AWS.)

I'm happy to take a crack at this, if you all are open to this idea.

tskinn commented 2 years ago

At first glance through the code, I would think we could add code somewhere around here that checks the url for codecommit (example: codecommit://demo-profile@MyRepositoryName)

Like the git remote helper for codecommit:

This package extends git to support repository URLs prefixed with codecommit://

we can look for codecommit in the url and get credentials from aws if that is the case.

Maybe something similar is possible for other cloud providers and their git services?

pjbgf commented 2 years ago

Hey @tskinn, I concur that contextual authentication is quite handy and would be keen to see that implemented at some point to support the different cloud vendors, but I think that may come with some challenges.

In terms of implementing git-remote-codecommit for example, it requires the helper to be installed, and that all the repositories be referenced via codecommit://.

To add a new scheme (codecommit://) we would need to update the validation for the spec.URL in the controller. We would also need to update the libgit2 managed registration to cover that scheme, and I am not sure what would be needed for the go-git implementation to also support it.

I would prefer we did not rely on an external application (the helper) for each cloud provider, but rather implemented the on-demand token request programmatically and updated the API to reflect the different options of contextual authentication supported.
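As an added illustration of the two points raised above (tskinn's idea of recognising codecommit:// in the repository URL and handing off to AWS for credentials, and pjbgf's note that spec.URL validation would have to learn the new scheme), the Go snippet below is example code written for this page; it is not source-controller code and does not match its real API. It assumes the URL form shown in the thread, codecommit://[profile@]RepositoryName, and the AuthMode names and SelectAuthMode function are hypothetical. It deliberately rejects a password embedded in a codecommit:// URL, since a stored credential is what the contextual-authentication approach is meant to avoid, and it refuses a secretRef alongside codecommit:// so the two credential sources cannot silently conflict.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// CodeCommitRef is the parsed form of the codecommit:// reference shown in
// the thread, e.g. codecommit://demo-profile@MyRepositoryName. The profile
// part is optional; the repository name is required.
type CodeCommitRef struct {
	Profile string // AWS profile hint, empty when omitted
	Repo    string // CodeCommit repository name
}

// ParseCodeCommitURL reports whether raw uses the codecommit scheme and, if
// so, returns its parts. Other schemes return ok=false with no error so the
// caller can keep using its existing credential path for them.
func ParseCodeCommitURL(raw string) (ref CodeCommitRef, ok bool, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return CodeCommitRef{}, false, err
	}
	if u.Scheme != "codecommit" {
		return CodeCommitRef{}, false, nil
	}
	if u.Host == "" {
		return CodeCommitRef{}, false, errors.New("codecommit URL is missing the repository name")
	}
	if u.User != nil {
		// A password in the URL would be a stored credential, which is
		// exactly what contextual authentication is meant to avoid.
		if _, hasPassword := u.User.Password(); hasPassword {
			return CodeCommitRef{}, false, errors.New("codecommit URL must not embed a password")
		}
		ref.Profile = u.User.Username()
	}
	ref.Repo = u.Host
	return ref, true, nil
}

// AuthMode is the hypothetical outcome of spec.URL validation: which
// credential source the controller would use for a GitRepository.
type AuthMode string

const (
	AuthNone   AuthMode = "none"    // anonymous clone
	AuthSecret AuthMode = "secret"  // credentials from spec.secretRef
	AuthAWSIAM AuthMode = "aws-iam" // token requested on demand from the workload's IAM role
)

// SelectAuthMode decides how a repository URL should be authenticated. It is
// a stand-in (not the real validation) for the change pjbgf describes: the
// schemes already accepted keep their behaviour, and codecommit:// maps to an
// on-demand IAM token instead of a stored secret.
func SelectAuthMode(raw string, hasSecretRef bool) (AuthMode, error) {
	if _, isCodeCommit, err := ParseCodeCommitURL(raw); err != nil {
		return "", err
	} else if isCodeCommit {
		if hasSecretRef {
			return "", errors.New("codecommit:// URLs use the workload IAM role; do not set secretRef")
		}
		return AuthAWSIAM, nil
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	switch u.Scheme {
	case "http", "https", "ssh":
		if hasSecretRef {
			return AuthSecret, nil
		}
		return AuthNone, nil
	default:
		return "", fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
}

func main() {
	// Constructed sample URLs; the last one exercises the rejection path.
	for _, raw := range []string{
		"codecommit://demo-profile@MyRepositoryName",
		"codecommit://MyRepositoryName",
		"https://github.com/fluxcd/source-controller",
		"ftp://example.invalid/repo",
	} {
		mode, err := SelectAuthMode(raw, false)
		fmt.Printf("%-45s -> %s %v\n", raw, mode, err)
	}
}
```

The parser returns ok=false rather than an error for non-codecommit schemes, so dropping it in front of an existing credential lookup leaves http, https and ssh repositories untouched; only the new scheme takes the IAM path.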

stefanprodan commented 2 years ago

Please hold any work on this until we get the auto-login feature for OCI in, then we can look at how to extend it to Git for AWS, Azure and GCP.

tskinn commented 2 years ago

@pjbgf Sorry I only meant we could use the git-remote-codecommit as inspiration. I agree with you.

@stefanprodan Ok. Is there an issue tracking that?