Connect to GitHub from AWS CodeBuild

To build and deliver software in AWS using GitHub as the source repository, you have to set up a connection that authorizes AWS to act against GitHub on your behalf. The best way is a GitHub App connection, which gives AWS its own scoped identity instead of a personal access token. AWS has some great documentation on how to do this.

First, you need access to a GitHub account with at least one repository that you administer; installing a GitHub App and creating repository webhooks both require admin-level permission. If you want to leverage webhooks for automated builds on commit, be sure to use an organization and not a personal GitHub account. The docs are not awesome at explaining this, and the page I link to suggests webhooks would work in personal accounts, but my experience does not support this.

Connection Setup in AWS

The basic flow is to go to the connections page under Developer Tools here, “Connections”, then “Create connection”.

Next, name your connection and select an App, if you have one already, or “Install a new app”, which will create your connection and allow you to select repositories or grant permission to all repositories.

A GitHub App is a piece of software registered by a third party (AWS in this case) that you install into your GitHub account or organization. It gets its own identity and a scoped set of permissions on the repositories you select, rather than acting with your user's credentials. You can check which apps are already installed in your GitHub account at this link (Settings, “Applications”, “Installed GitHub Apps”).

Once finished with that, select “connect”.

You should now be able to use that connection. A CodeBuild project with a GitHub source uses the account-level source credential by default, or you can point an individual project at a specific connection.

Common Issues Using the Connection (through Terraform)

│ Error: creating CodeBuild Webhook ($codebuild_project): operation error CodeBuild: CreateWebhook, https response error StatusCode: 400, RequestID: b7f662d7-e963-4851-b773-491ca24aebce, InvalidInputException: Access denied to connection arn:aws:codestar-connections:us-west-2:$account:connection/$connection

Verify that the IAM role assumed by the CodeBuild project (its service role) is allowed to use the connection. The IAM policy attached to the role should include these permissions. Tighten the "Resource" entry to the connection's ARN rather than "*" so the role cannot fetch tokens for any other connection in the account:

    {
      "Effect": "Allow",
      "Action": [
        "codestar-connections:GetConnectionToken",
        "codestar-connections:GetConnection",
        "codestar-connections:UseConnection",
        "codeconnections:GetConnectionToken",
        "codeconnections:GetConnection",
        "codeconnections:UseConnection"
      ],
      "Resource": "*"
    }

Note that I have included the legacy codestar-connections actions in addition to the new codeconnections actions; the error above still reports a codestar-connections ARN, so existing connections may be evaluated under either service prefix.
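The connection setup and the IAM policy above, wired together as an added Terraform example (this is not code from the original post or from AWS). It assumes placeholder names (`github`, `build`, `this`), a placeholder repository URL under an organization, and a current AWS provider that supports the `CODECONNECTIONS` auth type; the point it adds is that the connection permissions are scoped to the one connection ARN instead of `"*"`, and that the webhook is the resource where the errors in this post surface:

```hcl
# Added example, not from the original post. Names and the repository URL are
# placeholders; the connection still needs the one-time GitHub App handshake
# in the console after the first apply (it stays PENDING until then).

resource "aws_codestarconnections_connection" "github" {
  name          = "github-app"
  provider_type = "GitHub"
}

# Account-level default credential: every CodeBuild GitHub source in this
# region uses the connection unless a project overrides it in its source block.
resource "aws_codebuild_source_credential" "github" {
  auth_type   = "CODECONNECTIONS"
  server_type = "GITHUB"
  token       = aws_codestarconnections_connection.github.arn
}

data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["codebuild.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "build" {
  name               = "codebuild-github-example"
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

# Least privilege: both the legacy codestar-connections and the current
# codeconnections action names, but restricted to this connection's ARN.
data "aws_iam_policy_document" "connection" {
  statement {
    actions = [
      "codestar-connections:GetConnectionToken",
      "codestar-connections:GetConnection",
      "codestar-connections:UseConnection",
      "codeconnections:GetConnectionToken",
      "codeconnections:GetConnection",
      "codeconnections:UseConnection",
    ]
    resources = [aws_codestarconnections_connection.github.arn]
  }

  # Build logs; scope these to the project's log group in a real deployment.
  statement {
    actions   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "connection" {
  role   = aws_iam_role.build.id
  policy = data.aws_iam_policy_document.connection.json
}

resource "aws_codebuild_project" "this" {
  name         = "github-example"
  service_role = aws_iam_role.build.arn

  artifacts {
    type = "NO_ARTIFACTS"
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/amazonlinux2-x86_64-standard:5.0"
    type         = "LINUX_CONTAINER"
  }

  source {
    type     = "GITHUB"
    # Placeholder; the owner must be an organization for the webhook to work.
    location = "https://github.com/example-org/example-repo.git"

    # Per-project override of the account-level source credential.
    auth {
      type     = "CODECONNECTIONS"
      resource = aws_codestarconnections_connection.github.arn
    }
  }
}

# Creating the webhook is the call that fails with "Access denied to
# connection" when the role above lacks the connection permissions.
resource "aws_codebuild_webhook" "this" {
  project_name = aws_codebuild_project.this.name
  build_type   = "BUILD"

  filter_group {
    filter {
      type    = "EVENT"
      pattern = "PUSH"
    }
    filter {
      type    = "HEAD_REF"
      pattern = "^refs/heads/main$"
    }
  }
}
```

If you have several connections in one account, give each build role its own policy naming only the connection it needs; a `"Resource": "*"` grant lets any compromised build fetch tokens for every connected provider.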

I’ve also run into a GitHub rate limiting error.

│ Error: creating CodeBuild Webhook ($codebuild_project): operation error CodeBuild: CreateWebhook, https response error StatusCode: 400, RequestID: 6fc17db0-880a-4b72-a852-50bb86b3e9d9, OAuthProviderException: Failed to create webhook. GitHub API limit reached. Please try again later.

Or the following, which suggests an API limit or permissions issue:

│ Error: creating CodeBuild Webhook ($codebuild_project): operation error CodeBuild: CreateWebhook, https response error StatusCode: 400, RequestID: 63786312-527b-43ac-8e7d-c83d745695b9, OAuthProviderException: Failed to create webhook. GitHub API limit reached or permission issue encountered when creating the webhook.

You can run a curl command to see what your current unauthenticated rate limits and usage are. Note that this reflects the quota for your own source IP (60 requests per hour unauthenticated), not the quota of the AWS GitHub App installation that CodeBuild actually uses, so a healthy number here does not rule the error out, and a low number here is not necessarily the cause:

> curl https://api.github.com/rate_limit
{
  "resources": {
    "core": {
      "limit": 60,
      "remaining": 58,
      "reset": 1728664414,
      "used": 2,
      "resource": "core"
    },
    "graphql": {
      "limit": 0,
      "remaining": 0,
      "reset": 1728667138,
      "used": 0,
      "resource": "graphql"
    },
    "integration_manifest": {
      "limit": 5000,
      "remaining": 5000,
      "reset": 1728667138,
      "used": 0,
      "resource": "integration_manifest"
    },
    "search": {
      "limit": 10,
      "remaining": 10,
      "reset": 1728663598,
      "used": 0,
      "resource": "search"
    }
  },
  "rate": {
    "limit": 60,
    "remaining": 58,
    "reset": 1728664414,
    "used": 2,
    "resource": "core"
  }
}

The issue for me was that you cannot create webhooks for personal accounts – you must use an organization. I missed that part in the GitHub docs. I tested this by transferring the repository to my organization, and the webhook worked. When I transferred it back to my personal account, it failed to execute. Transferring it back to my organization made it work again.
