Setting up SSH keys for github private repo access on Elastic Beanstalk


Problem description


My Node.JS project contains references to private NPM repos hosted on github. This works fine locally, but I'm struggling to get this working on Elastic Beanstalk.

dependencies: {
  ...
  "express": "^4.12.4",
  "jsonwebtoken": "^5.0.5",
  "my-private-module": "git@github.com:<my-user>/<my-repo>.git#<my-version>",
  ...
}


What I need is to be able to set up a working SSH configuration for git on my Elastic Beanstalk instances, without having to store secret keys etc. in source control.

Obviously, the EB instances do not have the needed SSH keys to access my private github repos. If I use HTTPS-style git URLs with username:password@github.com inlined, it works fine. It also works using the oauth token method offered by github (which is essentially a user:pass). But I do not want any credentials to be checked in to source control, so I'm trying to get cloning from github to work via SSH on my EB instances.

I've tried a million ways, including npm preinstall scripts according to this blog post, which used to work until npm2 where a change made preinstall run after the tree is built, and the PR to fix that issue is still pending.

I've tried an .ebextensions commands configuration that tries to call git config to place an insteadof on git@github.com into an HTTPS URL with an OAUTH token coming from an environment variable (tricky in itself since env variables aren't set at this time in the startup cycle, and the lack of $HOME makes git config confused).

I've also tried various different ways using .ebextensions to set up SSH on my EB instances, including this solution from the comments on the mentioned blog post. This is basically where I'm stuck now.

  • I have successfully created a key pair, set it up on my github profile, and verified that the private key is usable from my local client to clone my repo
  • I have put my private key and an ssh config file on a private S3 bucket
  • I've created an .ebextensions files configuration which copies these two files from my S3 bucket into /tmp/.ssh/, according to this example
  • I've created a debug commands .ebextensions configuration which lists /tmp/.ssh and shows that the files were downloaded from S3 successfully:

/tmp/.ssh/config contains:

Host github.com
    IdentityFile /tmp/.ssh/deploy_key
    IdentitiesOnly yes
    UserKnownHostsFile=/dev/null
    StrictHostKeyChecking no

/tmp/.ssh/deploy_key contains my private key which is verified to work locally.

However, git still throws an error:

npm ERR! Command failed: git clone --template=/tmp/.npm/_git-remotes/_templates --mirror ssh://git@github.com/[.....]
npm ERR! Cloning into bare repository '/tmp/.npm/_git-remotes/git-ssh-git-github-com-[...]
npm ERR! Host key verification failed.
npm ERR! fatal: Could not read from remote repository.
npm ERR! 
npm ERR! Please make sure you have the correct access rights
npm ERR! and the repository exists.

I am now running out of ideas. My best guess would be that /tmp/.ssh is not the path where git goes to look for the ssh config file - it might have been when the linked solution was proposed but might have changed in later AMIs etc. The environment used when EB is starting up seems to be a bit limited; commands are run as user nodejs but /tmp seems to be used as the home directory, even though $HOME is not set anywhere.

How can I get git to pick up my SSH config, and consequently use my SSH key? How can I find out where git looks for an SSH config file? Normally it's in ~/.ssh, but since $HOME is not set, well... This should be easy but is driving me nuts.

Solution

After a full day's struggle and finally stumbling over this answer to a very similar question I had previously missed, it turns out the correct place to put ssh keys in order to be picked up by git on EB is in /root/.ssh, not /tmp/.ssh, not /home/ec2-user/.ssh.

My final configuration (assuming there's a private SSH key located in an S3 bucket at <my-bucket>/github-eb-key, and the corresponding public key is registered with a github user having access to the repo(s)), using an AMI configured as 64bit Amazon Linux 2016.09 v3.3.0 running Node.js, and with the following in .ebextensions/01_ssh_setup.config:

Resources: 
  AWSEBAutoScalingGroup: 
    Metadata: 
      ? "AWS::CloudFormation::Authentication"
      : 
        S3Auth: 
          buckets: 
            - <my-bucket>
          roleName: 
            ? "Fn::GetOptionSetting"
            : 
              DefaultValue: aws-elasticbeanstalk-ec2-role
              Namespace: "aws:asg:launchconfiguration"
              OptionName: IamInstanceProfile
          type: s3
files: 
  /root/.ssh/github-eb-key: 
    authentication: S3Auth
    mode: "000600"
    owner: root
    group: root
    source: "https://s3-eu-west-1.amazonaws.com/<my-bucket>/github-eb-key"
  /root/.ssh/config: 
    mode: "000600"
    owner: root
    group: root
    content: |
      Host github.com
        IdentityFile /root/.ssh/github-eb-key
        IdentitiesOnly yes
        UserKnownHostsFile=/dev/null
        StrictHostKeyChecking no
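
The configuration above sets StrictHostKeyChecking no with UserKnownHostsFile=/dev/null, which turns off host key verification, so the instance will hand its clone traffic to any server that answers as github.com. A variant that pins GitHub's host key instead, as an added example that is not part of the original answer: the /root/.ssh/known_hosts file and the <github-ed25519-host-key> placeholder are assumptions, and everything else reuses the answer's names.

```yaml
# .ebextensions/01_ssh_setup.config, hardened variant (added example).
# <my-bucket> and <github-ed25519-host-key> are placeholders.
Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      "AWS::CloudFormation::Authentication":
        S3Auth:
          type: s3
          buckets:
            - <my-bucket>
          roleName:
            "Fn::GetOptionSetting":
              Namespace: "aws:asg:launchconfiguration"
              OptionName: IamInstanceProfile
              DefaultValue: aws-elasticbeanstalk-ec2-role
files:
  /root/.ssh/github-eb-key:
    authentication: S3Auth
    mode: "000600"
    owner: root
    group: root
    source: "https://s3-eu-west-1.amazonaws.com/<my-bucket>/github-eb-key"
  # Pinned host key: replace the placeholder with the key GitHub publishes,
  # verified out of band before it is committed.
  /root/.ssh/known_hosts:
    mode: "000644"
    owner: root
    group: root
    content: |
      github.com ssh-ed25519 <github-ed25519-host-key>
  /root/.ssh/config:
    mode: "000600"
    owner: root
    group: root
    content: |
      Host github.com
        IdentityFile /root/.ssh/github-eb-key
        IdentitiesOnly yes
        # Was: UserKnownHostsFile=/dev/null
        UserKnownHostsFile /root/.ssh/known_hosts
        # Was: StrictHostKeyChecking no
        StrictHostKeyChecking yes
```

The host public key is not a secret, so unlike the deploy key it can live in source control alongside the rest of the .ebextensions file.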
