Setting up private Github access with AWS Elastic Beanstalk and Ruby container
Here's how I finally did it. It's all about setting up an SSH Key for the user which is responsible for the `bundle install` phase.
- Start an environment for an application in AWS Elastic Beanstalk
- Optional - Login to Amazon EC2 console and change instance type to a desired value
- Update SSH Key pair name to enable remote SSH login. (I'm sure there must be a way to specify instance type and SSH key pair name while starting an environment)
- Look for the newly launched instance either in EC2 console or through CLI, note the Fully Qualified Domain Name (FQDN) for this instance. EB instances are like any other instance you would create with Amazon EC2. Login via SSH to this instance.
- Execute the following commands to create an SSH key for `root` user:

```
$ sudo su - root
$ ssh-keygen -t rsa -C "[email protected]"
```

- Edit `.bash_profile` to explicitly start `ssh-agent` and add the newly generated SSH Key. Add the following lines (This might seem unnecessary, I did it just to be sure):

```
eval `ssh-agent`
ssh-add ~/.ssh/id_rsa
```

- Note the SSH public key, e.g. `~/.ssh/id_rsa.pub`, and add it to the set of SSH Keys for the GitHub account which has access to private repositories.
- At this point, your instance has access to your private GitHub repositories. You could test this by issuing a `git clone` on those repositories by logging in as `root` user.
- Create an AMI out of this instance using standard methods.
- Come back to your AWS Elastic Beanstalk Dashboard and look for the `Edit Configuration` option in your application's environment. In the `Server` tab, look for an option which lets you specify a `Custom AMI`. Update this field with the newly created AMI ID, e.g. `ami-4324fd4`.
- Save configuration by hitting `Apply Changes`. AWS Elastic Beanstalk would start deploying new instances across your environment and terminating the old ones. This is to ensure all your auto-scaled instances have the whitelisted SSH Key required for private GitHub access.
After the above steps are done, you could go ahead and deploy your Rails application with `git aws.push`.
Hope this helps others who are stuck. I'd be glad to see a more graceful solution than this one though.
After a good day of effort, I finally enabled use of my organization's private GitHub repos with Elastic Beanstalk by just using a `.config` file. I am using Python and `pip`, but it should also work for other package installers on EB.

rhetonik's `ssh-agent` + `ssh-add` approach did not work for me at all, so I elected to set up an ssh configuration file instead.

Here is my `.ebextensions/3-pip-install-from-github.config` file:
```yaml
files:
  "/root/.ssh/config":
    owner: root
    group: root
    mode: "000600"
    content: |
      Host github.com
        User git
        Hostname github.com
        IdentityFile /root/.ssh/github

commands:
  01-command:
    command: sudo ssh-keyscan -H github.com >> /root/.ssh/known_hosts
  02-command:
    command: sudo chmod 644 /root/.ssh/known_hosts
  03-command:
    command: sudo aws s3 cp s3://bucket-with-your-github-ssh-key/github /root/.ssh
  04-command:
    command: sudo chmod 600 /root/.ssh/github
```
Rough instructions:

- Set up an S3 bucket accessible by your EB instance. Inside of that bucket, store the SSH key allowing access to the GitHub repository you want to access via `pip`, `npm`, `bundle`, etc. Use `sudo aws s3 cp` to copy that key onto your EB instance on deploy. `sudo` is necessary because EB scripts use `root` and not `ec2-user`.
- This ebextensions config file also creates 2 files on your EB instance. `/root/.ssh/config` tells `ssh` (invoked by `pip` and `git`) to use the key you copied from S3. Storing the output of `ssh-keyscan -H github.com` into `/root/.ssh/known_hosts` will pre-verify that `ssh` on your EB instance is actually communicating with GitHub to avoid MITM attacks. This is better than disabling `StrictHostKeyChecking` in `/root/.ssh/config`.
Here is my `requirements.txt` file for `pip`:

```
Beaker==1.7.0
Flask==0.10.1
Jinja2==2.7.3
MarkupSafe==0.23
# [...]
git+ssh://[email protected]/myorganization/[email protected]
```
While running `eb-deploy`, you can `tail -f /var/log/eb-activity.log` to make sure everything runs smoothly.
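
An added example, not part of the answers above or of any project's own code: `ssh-keyscan` records whatever key the network returns at deploy time, so one way to harden the `01-command` step is to compare each scanned key's SHA256 fingerprint against a pinned set before anything is written to `known_hosts`. The keys and scan output below are constructed, the function names are hypothetical, and in practice the pinned set would hold the fingerprints GitHub publishes.

```python
import base64
import hashlib


def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def filter_keyscan(output, pinned):
    """Split ssh-keyscan output into (trusted, rejected) lines by fingerprint."""
    trusted, rejected = [], []
    for line in map(str.strip, output.splitlines()):
        if not line or line.startswith("#"):
            continue  # ssh-keyscan banner comments start with '#'
        fields = line.split()  # host (plain or "|1|salt|hash" with -H), type, blob
        try:
            ok = len(fields) >= 3 and fingerprint(fields[2]) in pinned
        except ValueError:
            ok = False  # blob is not valid base64
        (trusted if ok else rejected).append(line)
    return trusted, rejected


def verified_known_hosts(output, pinned):
    """Return known_hosts content, or raise if any scanned key is not pinned."""
    trusted, rejected = filter_keyscan(output, pinned)
    if rejected or not trusted:
        raise ValueError("host key mismatch: refusing to update known_hosts")
    return "\n".join(trusted) + "\n"


def constructed_blob(key_bytes):
    """Build an ssh-ed25519 wire-format blob from 32 constructed bytes."""
    name = b"ssh-ed25519"
    raw = len(name).to_bytes(4, "big") + name + (32).to_bytes(4, "big") + key_bytes
    return base64.b64encode(raw).decode()


# Constructed sample data: none of these is GitHub's real host key.
GOOD = constructed_blob(bytes(range(32)))
EVIL = constructed_blob(bytes(32))
PINNED = {fingerprint(GOOD)}  # assumption: replace with GitHub's published fingerprints
SCAN = "# github.com:22 SSH-2.0-constructed\n" + "\n".join(
    f"|1|c2FsdA==|aGFzaA== ssh-ed25519 {blob}" for blob in (GOOD, EVIL, "not*base64"))

if __name__ == "__main__":
    print(filter_keyscan(SCAN, PINNED)[0])  # only the pinned key's line survives
```

A deploy step built on this would write the returned content to `/root/.ssh/known_hosts` only when `verified_known_hosts` does not raise, and fail the deployment otherwise.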