Cannot Pass Tokens in Headers With AWS CodeCommit
From one problem to the next…struggling to get this working in Lambda
One of my stories on Git Security and AWS CodeCommit Security.
I don’t know if I was just doing something wrong but I could not get a simple git clone working in Lambda for AWS CodeCommit as documented here:
So I thought, oh fine. I’ll just use git credentials and pass an authorization header. I already did that in this post where I showed how to get your credentials out of a URL when using GitHub.
But what I forgot was that I was using GitHub — not AWS CodeCommit for that example.
What I also forgot is that I was using a personal access token. GitHub no longer allows account passwords for these types of operations.
I can’t create a personal access token on AWS.
I can only create a user name and password.
I tried passing a password in the header instead, with the username in the URL just to see if it would work. No.
I’m getting a 403 error.
As noted already, this was not my first choice and I don’t like it, but I could not get the AWS CodeCommit authentication via a role working in the Lambda function.
So then I resorted to the username and password in the URL which I really, really don’t like.
This error message demonstrates exactly why I don’t like this method:
Cloning into bare repository 'dev.rainierrhododendrons.com'...
fatal: unable to access 'https://[USERNAME]:[PASSWORD]@git-codecommit.us-east-2.amazonaws.com/v1/repos/dev.rainierrhododendrons.com/': URL rejected: Port number was not a decimal number between 0 and 65535.
Note that the error above will gladly print out the username and password, not to mention it doesn’t work. Gross.
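An added example, not code from the original post: one way to keep an error like the one above out of function logs is to scrub the userinfo part of any URL from git's output and command line before anything is logged or raised. The names `redact_url_credentials`, `run_git` and `GitCommandError` are hypothetical, and the sample stderr is constructed.

```python
import re
import subprocess

# Constructed sample modelled on the error in the post; user "alice" and the
# password "p@ss/w0rd:1" are made up, as is the repository name.
SAMPLE_STDERR = (
    "Cloning into bare repository 'example-repo'...\n"
    "fatal: unable to access 'https://alice:p@ss/w0rd:1@git-codecommit."
    "us-east-2.amazonaws.com/v1/repos/example-repo/': URL rejected: "
    "Port number was not a decimal number between 0 and 65535.\n"
)

# scheme://<userinfo>@ ... userinfo is matched greedily up to the LAST '@' in
# the token, so an unencoded password containing ':', '/' or '@' is covered.
# A credential-free URL with '@' in its path is over-redacted, which fails safe.
USERINFO = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*://)[^\s'\"]*@")


def redact_url_credentials(text):
    """Replace the userinfo part of every URL in text with a fixed marker."""
    return USERINFO.sub(r"\1[REDACTED]@", text)


class GitCommandError(RuntimeError):
    """Carries only the scrubbed command line and scrubbed stderr."""


def run_git(args, runner=subprocess.run):
    """Run git so that no unscrubbed URL reaches logs or tracebacks."""
    proc = runner(["git", *args], capture_output=True, text=True)
    stderr = redact_url_credentials(proc.stderr or "")
    if proc.returncode != 0:
        safe_cmd = redact_url_credentials(" ".join(["git", *args]))
        raise GitCommandError(
            f"{safe_cmd} failed ({proc.returncode}): {stderr.strip()}")
    return redact_url_credentials(proc.stdout or ""), stderr


if __name__ == "__main__":
    print(redact_url_credentials(SAMPLE_STDERR))
```

Scrubbing only limits what reaches the logs; the credentials are still present in the process arguments and environment, which is why the post treats URL-embedded credentials as a last resort.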
I was using the methods described in this post that work with git.
Let’s see what other options we have.
The documentation is sending me here —
Hardcoded credentials. Great.
I try running this command:
git config --global user.name $ghuser
Fatal. Not in a git directory. Well I can’t be in a git directory until I clone the repo and I can’t clone the repo without credentials, and I’m trying to clone bare so I don’t get the git files when I clone. Big, circular, catch-22.
Anyway, this is all just wrong…and I finally found the documentation for how to configure my solution without using hardcoded credentials which I never wanted to do in the first place.
TG I found a different solution by way of a blog post that led me to the AWS instructions listed under a somewhat obscure and overly wordy name that I didn’t initially recognize as being what I was looking for…phew. Found it.
Thank you to this blogger for giving me a clue. However, I don’t think this is exactly the correct approach.
I am working on a solution that I will write about shortly for proper use of the above method without changing the home directory. See my next post.
Bottom line: Don’t use user names and passwords and these solutions didn’t work anyway!
I’ll add a link to the solution here after I publish it.
Teri Radichel | © 2nd Sight Lab 2023