Give SageMaker notebook instances temporary access to a CodeCommit repository in another AWS account - AWS Prescriptive Guidance

Created by Helge Aufderheide (AWS)

Environment: Production

Technologies: DevOps; Analytics; Machine learning & AI; Management & governance

AWS services: AWS CodeCommit; AWS Identity and Access Management; Amazon SageMaker

Summary

This pattern shows how to grant Amazon SageMaker notebook instances and users temporary access to an AWS CodeCommit repository that’s in another AWS account. This pattern also shows how you can grant granular permissions for specific actions each entity can perform on each repository.

Organizations often store CodeCommit repositories in a different AWS account than the account that hosts their development environment. This multi-account setup helps control access to the repositories and reduces the risk of their accidental deletion. To grant these cross-account permissions, it’s a best practice to use AWS Identity and Access Management (IAM) roles. Then, predefined IAM identities in each AWS account can temporarily assume the roles to create a controlled chain of trust across the accounts.

Note: You can apply a similar procedure to grant other IAM identities cross-account access to a CodeCommit repository. For more information, see Configure cross-account access to an AWS CodeCommit repository using roles in the AWS CodeCommit User Guide.

Prerequisites and limitations

Prerequisites

  • An active AWS account with a CodeCommit repository (account A)

  • A second active AWS account with a SageMaker notebook instance (account B)

  • An AWS user with sufficient permissions to create and modify IAM roles in account A

  • A second AWS user with sufficient permissions to create and modify IAM roles in account B

Architecture

The following diagram shows an example workflow for granting a SageMaker notebook instance and users in one AWS account cross-account access to a CodeCommit repository:

Workflow for cross-account access to CodeCommit

The diagram shows the following workflow:

  1. The AWS user role and SageMaker notebook instance role in account B assume a named profile.

  2. The named profile’s permissions policy specifies a CodeCommit access role in account A that the profile then assumes.

  3. The CodeCommit access role’s trust policy in account A allows the named profile in account B to assume the CodeCommit access role.

  4. The CodeCommit repository’s IAM permissions policy in account A allows the CodeCommit access role to access the CodeCommit repository.

Technology stack

  • CodeCommit

  • Git

  • IAM

  • pip

  • SageMaker

Tools

  • AWS CodeCommit is a version control service that helps you privately store and manage Git repositories, without needing to manage your own source control system.

  • AWS Identity and Access Management (IAM) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them.

  • Git is a distributed version-control system for tracking changes in source code during software development.

  • git-remote-codecommit is a utility that helps you push and pull code from CodeCommit repositories by extending Git.

  • pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes.

Best practices

When you set permissions with IAM policies, make sure that you grant only the permissions required to perform a task. For more information, see Apply least-privilege permissions in the IAM documentation.

When implementing this pattern, make sure that you do the following:

  • Confirm that IAM principals have only the permissions required to perform specific, needed actions within each repository. For example, it’s recommended to allow approved IAM principals to push and merge changes to specific repository branches, but only to request merges to protected branches.

  • Confirm that IAM principals are assigned different IAM roles based on their respective roles and responsibilities for each project. For example, a developer will have different access permissions than a release manager or AWS administrator.

Epics

Task: Configure the CodeCommit access role and permissions policy.

Note: To automate the manual setup process documented in this epic, you can use an AWS CloudFormation template.

In the account that contains the CodeCommit repository (account A), do the following:

  1. Create an IAM role that can be assumed by the SageMaker notebook instance role in account B.

  2. Create an IAM policy that grants access to the repository and attach the policy to the role. For testing purposes only, choose the AWSCodeCommitPowerUser AWS managed policy. This policy grants all CodeCommit permissions except the ability to delete resources.

  3. Modify the role’s trust policy so that account B is listed as a trusted entity.

Important: Before moving this setup into your production environment, it’s a best practice to write your own IAM policy that applies least-privilege permissions. For more information, see the Additional information section of this pattern.

Skills required: General AWS, AWS DevOps

Task: Grant the SageMaker notebook instance’s role in account B permissions to assume the CodeCommit access role in account A.

In the account that contains the SageMaker notebook instance’s IAM role (account B), do the following:

  1. Create an IAM policy that allows an IAM role or user to assume the CodeCommit access role in account A.

    Example IAM permissions policy that allows an IAM role or user to assume a cross-account role

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::accountA_ID:role/accountArole_ID"
        }
      ]
    }

  2. Attach the policy to your SageMaker notebook instance’s role in account B.

  3. Have the SageMaker notebook instance’s role in account B assume the CodeCommit access role in account A.

Note: To view your repository’s Amazon Resource Name (ARN), see View CodeCommit repository details in the AWS CodeCommit User Guide.
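The three policy documents that the two epics above describe (the access role’s trust policy and permissions policy in account A, and the assume-role policy attached to the notebook instance role in account B) can be generated and sanity-checked before they are pasted into the console. The following Python script is an added example and is not part of the AWS pattern; the account IDs, role names and repository name are constructed placeholders. It trusts the notebook instance role itself rather than all of account B, replaces AWSCodeCommitPowerUser with a short list of real CodeCommit actions for clone, pull, push and pull-request creation, and rejects malformed ARNs (for example an extra colon before the account ID) instead of emitting a policy that never matches.

```python
"""Build the IAM policy documents for the cross-account role chain.

Added example, not from the AWS pattern. Account IDs, role names and the
repository name are constructed placeholders.
"""
import json
import re

# IAM role ARNs have an empty region field, so exactly two colons precede the
# 12-digit account ID. A third colon is a common copy-and-paste mistake.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
REPO_ARN_RE = re.compile(r"^arn:aws:codecommit:[a-z0-9-]+:(\d{12}):[\w.-]+$")

# Constructed placeholder identities (not real accounts).
ACCOUNT_A = "111111111111"  # owns the CodeCommit repository
ACCOUNT_B = "222222222222"  # owns the SageMaker notebook instance
ACCESS_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/CodeCommitAccessRole"
NOTEBOOK_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/SageMakerNotebookRole"
REPO_ARN = f"arn:aws:codecommit:eu-west-1:{ACCOUNT_A}:myproject-subproject1-repo1"

# A least-privilege alternative to AWSCodeCommitPowerUser: clone, pull, push
# and open pull requests, but no repository-level changes or deletions.
READ_WRITE_ACTIONS = [
    "codecommit:GitPull",
    "codecommit:GitPush",
    "codecommit:GetRepository",
    "codecommit:ListBranches",
    "codecommit:GetBranch",
    "codecommit:CreateBranch",
    "codecommit:CreatePullRequest",
]


def validate_arn(arn, pattern, kind):
    """Raise ValueError rather than silently producing a policy that never matches."""
    if not pattern.match(arn):
        raise ValueError(f"malformed {kind} ARN: {arn!r}")
    return arn


def trust_policy(trusted_role_arn):
    """Account A: who may assume the CodeCommit access role.

    Trusting the notebook role itself is tighter than trusting account B's root,
    which would let any principal in account B with sts:AssumeRole use the role.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": validate_arn(trusted_role_arn, ROLE_ARN_RE, "role")},
            "Action": "sts:AssumeRole",
        }],
    }


def repo_access_policy(repo_arns, actions=READ_WRITE_ACTIONS):
    """Account A: what the access role may do, limited to the listed repositories."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ScopedCodeCommitAccess",
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": [validate_arn(a, REPO_ARN_RE, "repository") for a in repo_arns],
        }],
    }


def assume_role_policy(access_role_arn):
    """Account B: attached to the notebook role so it may call sts:AssumeRole on the access role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AssumeCodeCommitAccessRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": validate_arn(access_role_arn, ROLE_ARN_RE, "role"),
        }],
    }


if __name__ == "__main__":
    for name, doc in [
        ("account A trust policy", trust_policy(NOTEBOOK_ROLE_ARN)),
        ("account A permissions policy", repo_access_policy([REPO_ARN])),
        ("account B assume-role policy", assume_role_policy(ACCESS_ROLE_ARN)),
    ]:
        print(f"# {name}\n{json.dumps(doc, indent=2)}\n")
```

Run it once to print the three documents, then attach the first two to the access role in account A and the third to the notebook instance role in account B. Adding a repository later means appending its ARN to the `repo_access_policy` call; every ARN is validated before it reaches the policy.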

Skills required: General AWS, AWS DevOps

Task: Set up a user profile on the SageMaker notebook instance to assume the role in account A.

Important: Make sure that you have the latest version of the AWS Command Line Interface (AWS CLI) installed.

In the account that contains the SageMaker notebook instance (account B), do the following:

  1. Sign in to the AWS Management Console and open the SageMaker console.

  2. Access your SageMaker notebook instance. The Jupyter interface opens.

  3. Choose New, and then choose Terminal. A new terminal window opens in your Jupyter environment.

  4. Navigate to the SageMaker notebook instance’s ~/.aws/config file. Then, add a user profile to the file by entering the following statement:

------.aws/config--------------
[profile remoterepouser]
role_arn = arn:aws:iam::<ID of Account A>:role/<rolename>
role_session_name = remoteaccesssession
region = eu-west-1
credential_source = Ec2InstanceMetadata
----------------------------------

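The profile above only works if the AWS CLI can read it as an assume-role profile: the section must be named with the `profile ` prefix, `role_arn` must be a well-formed role ARN, and exactly one of `credential_source` or `source_profile` must say where the credentials for the `sts:AssumeRole` call come from (on a notebook instance, `Ec2InstanceMetadata` means the instance role). The following Python script, an added example that is not part of the AWS pattern, parses a constructed copy of the profile, reports these mistakes before Git ever fails with an opaque error, and builds the remote URL that git-remote-codecommit expects for a named profile. The account ID, role name and repository name in it are placeholders.

```python
"""Check a named profile in ~/.aws/config before relying on it for the role chain.

Added example, not from the AWS pattern. The sample config text is constructed;
the account ID, role name and repository name are placeholders.
"""
import configparser
import re

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
# Values the AWS CLI accepts for credential_source in an assume-role profile.
CREDENTIAL_SOURCES = {"Environment", "Ec2InstanceMetadata", "EcsContainer"}

# Constructed sample of the profile added to ~/.aws/config on the notebook instance.
SAMPLE_CONFIG = """
[profile remoterepouser]
role_arn = arn:aws:iam::111111111111:role/CodeCommitAccessRole
role_session_name = remoteaccesssession
region = eu-west-1
credential_source = Ec2InstanceMetadata
"""


def load_profile(config_text, profile_name):
    """Return the profile's settings as a dict; raise KeyError if the section is absent."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    # In ~/.aws/config only [default] omits the "profile " prefix.
    section = f"profile {profile_name}"
    if not parser.has_section(section):
        raise KeyError(f"no [{section}] section")
    return dict(parser[section])


def check_profile(settings):
    """Return a list of problems; an empty list means the profile can drive sts:AssumeRole."""
    problems = []
    arn = settings.get("role_arn", "")
    if not ROLE_ARN_RE.match(arn):
        problems.append(f"role_arn is missing or malformed: {arn!r}")
    has_source = "credential_source" in settings
    has_parent = "source_profile" in settings
    if has_source and has_parent:
        problems.append("credential_source and source_profile are mutually exclusive")
    elif not (has_source or has_parent):
        problems.append("neither credential_source nor source_profile: nothing can call sts:AssumeRole")
    elif has_source and settings["credential_source"] not in CREDENTIAL_SOURCES:
        problems.append(f"unknown credential_source {settings['credential_source']!r}")
    if "region" not in settings:
        problems.append("region is not set")
    return problems


def remote_url(profile_name, region, repository_name):
    """Remote URL understood by git-remote-codecommit: codecommit::<region>://<profile>@<repo>."""
    return f"codecommit::{region}://{profile_name}@{repository_name}"


if __name__ == "__main__":
    settings = load_profile(SAMPLE_CONFIG, "remoterepouser")
    print("problems:", check_profile(settings) or "none")
    print("clone with: git clone",
          remote_url("remoterepouser", settings["region"], "myproject-subproject1-repo1"))
```

Point `load_profile` at the contents of the real `~/.aws/config` to check the profile actually written on the instance; `remote_url` gives the argument to pass to `git clone` once git-remote-codecommit is installed in the next task.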
Skills required: General AWS, AWS DevOps

Task: Install the git-remote-codecommit utility.

Follow the instructions in Step 2: Install git-remote-codecommit in the AWS CodeCommit User Guide.

Skills required: Data scientist

Task: Access the CodeCommit repository by using Git commands or SageMaker.

To use Git

IAM principals that assume the SageMaker notebook instance’s role in account B can now run Git commands to access the CodeCommit repository in account A. For example, users can run commands such as git clone, git pull, and git push.

For instructions, see Connect to an AWS CodeCommit repository in the AWS CodeCommit User Guide.

For information about how to use Git with CodeCommit, see Getting started with AWS CodeCommit in the AWS CodeCommit User Guide.

To use SageMaker

To use Git from the SageMaker console, you must allow Git to retrieve credentials from your CodeCommit repository. For instructions, see Associate a CodeCommit repository in a different AWS account with a notebook instance in the SageMaker documentation.

Skills required: Git, bash console

Related resources

Additional information

Restricting CodeCommit permissions to specific actions

To restrict the actions that an IAM principal can take in the CodeCommit repository, modify the actions that are allowed in the CodeCommit access policy.

For more information about CodeCommit API operations, see CodeCommit permissions reference in the AWS CodeCommit User Guide.

Note: You can also edit the AWSCodeCommitPowerUser AWS managed policy to fit your use case.

Restricting CodeCommit permissions to specific repositories

To create a multitenant environment where more than one code repository is accessible to only specific users, do the following:

  1. Create multiple CodeCommit access roles in account A. Then, configure each access role’s trust policy to allow specific users in account B to assume the role.

  2. Restrict which code repositories each role can access by adding a “Resource” condition to each CodeCommit access role’s permissions policy.

Example “Resource” condition that restricts an IAM principal’s access to a specific CodeCommit repository

"Resource": ["<REPOSITORY_ARN>", "<REPOSITORY_ARN>"]

Note: To help identify and differentiate multiple code repositories in the same AWS account, you can assign different prefixes to the repositories’ names. For example, you can name code repositories with prefixes that align to different developer groups, such as myproject-subproject1-repo1 and myproject-subproject2-repo1. Then, you can create an IAM role for each developer group based on their assigned prefixes. For example, you could create a role named myproject-subproject1-repoaccess and grant it access to all of the code repositories that include the prefix myproject-subproject1.

Example “Resource” condition that refers to a code repository ARN that includes a specific prefix

"Resource": "arn:aws:codecommit:<region>:<account-id>:myproject-subproject1-*"
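Both “Resource” forms above (an explicit list of repository ARNs, and a prefix followed by a wildcard) can be checked against the repositories that actually exist in account A before the policy is deployed. The following Python script is an added example, not part of the AWS pattern: it implements IAM’s resource-matching rules (`*` matches any run of characters, `?` exactly one, no character classes) and lists which constructed repository names each element would grant access to. It also shows why the trailing hyphen in `myproject-subproject1-*` matters: without it, the pattern also matches a group whose prefix differs only by a trailing digit, such as `myproject-subproject10`. The account ID and repository names are constructed.

```python
"""Evaluate which repository ARNs a policy "Resource" element matches.

Added example, not from the AWS pattern. Implements IAM wildcard matching
(`*` any run of characters, `?` exactly one character, no character classes)
so a prefix-based "Resource" can be checked before deployment. The account
ID and repository names are constructed.
"""
import re

ACCOUNT_A = "111111111111"  # placeholder account that owns the repositories


def repo_arn(name, region="eu-west-1", account=ACCOUNT_A):
    """ARN of a CodeCommit repository; `name` may itself contain IAM wildcards."""
    return f"arn:aws:codecommit:{region}:{account}:{name}"


def iam_pattern_to_regex(pattern):
    """Translate an IAM resource pattern into an anchored regular expression."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def resource_allows(resource_element, arn):
    """`resource_element` is a string or a list, exactly as written in a statement."""
    patterns = [resource_element] if isinstance(resource_element, str) else resource_element
    return any(iam_pattern_to_regex(p).match(arn) for p in patterns)


def allowed_repositories(resource_element, candidate_names, **arn_kwargs):
    """Return the candidate repository names the element would grant access to."""
    return [n for n in candidate_names
            if resource_allows(resource_element, repo_arn(n, **arn_kwargs))]


# Constructed repositories in account A: two developer groups plus a
# look-alike group whose prefix differs only by a trailing digit.
CANDIDATES = [
    "myproject-subproject1-repo1",
    "myproject-subproject1-repo2",
    "myproject-subproject2-repo1",
    "myproject-subproject10-repo1",
]

# Prefix form: the group prefix, a hyphen, then the wildcard.
GROUP1_RESOURCE = repo_arn("myproject-subproject1-*")
# Dropping the hyphen also admits "myproject-subproject10-*", a different group.
GROUP1_TOO_LOOSE = repo_arn("myproject-subproject1*")
# Explicit list form: one ARN per repository.
EXPLICIT_LIST = [repo_arn("myproject-subproject1-repo1"), repo_arn("myproject-subproject2-repo1")]

if __name__ == "__main__":
    for label, element in [("prefix", GROUP1_RESOURCE),
                           ("loose prefix", GROUP1_TOO_LOOSE),
                           ("explicit list", EXPLICIT_LIST)]:
        print(f"{label:>13}: {allowed_repositories(element, CANDIDATES)}")
```

Replace `CANDIDATES` with the output of listing the repositories in account A to see exactly which ones a proposed “Resource” element covers; because the region and account ID are part of the pattern, a repository with the same name in another region is not matched unless the element says so.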