9

I need to clone a private git repo within aws lambda (lambda runtime is python). After doing some research, I know that I need to clone the repo in the /tmp directory because it is the only accessible directory in lambda. In addition, I need to use a private key to ssh to github.

Basically, my code looks like:

import git # lambda-git
import os

private_key = """-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
"""
with open("/tmp/id_rsa", "w") as id_rsa:
  id_rsa.write(private_key)
os.chmod("/tmp/id_rsa", 600)
os.environ["GIT_SSH_COMMAND"] = 'ssh -i /tmp/id_rsa -o StrictHostKeyChecking=no'
git.exec_command("clone", "git@domain:repo_name.git", "/tmp")

However, after uploading the zipped folder into lambda, I got the following error

Could not create directory \\'/home/sbx_user1051/.ssh\\'.
Failed to add the host to the list of known hosts (/home/sbx_user1051/.ssh/known_hosts).
Load key \"/tmp/id_rsa\": Permission denied
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

What am I missing? Or is it even possible to clone a private repo within aws lambda? Any help is appreciated.

PS. I know that I can use a git token and clone the repo over https. But I cannot modify the repo url and have to use git@domain:repo_name.git as it is.

2 Answers

4

I finally found the answer. Changing permission code from 600 to 0o600 solved this problem!


2 Comments

Can you share some more details on how you accomplished this? I'm looking at the exact same problem. One thing I did differently was store my private key in Amazon Secret Manager instead of inside the function, then called the get_secret() function inside of the lambda_handler function. The permission thing worked (I had to change my permission bit to 0o0600 but other than that it worked perfectly), but now I'm getting that it can't save the known_hosts file in my /home/user directory... which I don't want anyways... basically I'm wondering did you ever get this to work?
It did not work for me.
0

Thanks for posting your solution @coding-monkey

My problem was that I used os.system("export GIT_SSH_COMMAND... instead of os.environ["GIT_SSH_COMMAND"]

Just in case someone needs it, here is my solution:

import os

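def lambda_handler(event, context):
    # Clear leftovers from a previous invocation; /tmp is the only writable directory
    os.system('rm -rf /tmp/*')
    # Write the private key to /tmp/id_rsa through a shell heredoc
    os.system("""cat >/tmp/id_rsa <<EOL
-----BEGIN OPENSSH PRIVATE KEY-----
ATTENTION, DO NOT STORE PRIVATE KEYS IN CODE, THIS IS ONLY DEMONSTRATION
-----END OPENSSH PRIVATE KEY-----
EOL""")
    # Octal mode: owner read/write only, which ssh requires for key files
    os.chmod('/tmp/id_rsa', 0o600)
    # Save the host key to /tmp/known_hosts and print its fingerprint
    os.system('ssh-keyscan -t rsa github.com | tee /tmp/known_hosts | ssh-keygen -lf -')
    # Point git's ssh at the key and the known_hosts file under /tmp
    os.environ['GIT_SSH_COMMAND'] = 'ssh -o UserKnownHostsFile=/tmp/known_hosts -i /tmp/id_rsa'
    os.system('git clone git@github.com:<privaterepo>.git /tmp/aws2')
    return {"test": "123"}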

1 Comment

This is not working for me. I am still getting an error: Could not create directory '/home/sbx_user1051/.ssh'. Permission denied (publickey).
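An added example, not code from any of the posts above: it shows why decimal 600 leads to the "Load key ... Permission denied" error and prepares the key and known_hosts files so that ssh keeps all of its state under the writable directory and still verifies the host. The function names, the workdir parameter and the host key placeholder are assumptions made for this example; the private key is passed in by the caller, and the pinned host key line has to be obtained over a trusted channel.

```python
import os
import shlex
import stat
import tempfile

# Placeholder, constructed for this example: replace with the host key line
# obtained from the Git host over a trusted channel.
PINNED_KNOWN_HOSTS = "github.com ssh-ed25519 <HOST-PUBLIC-KEY-PLACEHOLDER>\n"


def mode_bits(path):
    """Return the permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_secret_file(path, content, mode=0o600):
    """Create path with `mode` from the start, so it is never group/world readable."""
    if os.path.exists(path):
        os.remove(path)  # warm Lambda containers keep /tmp between invocations
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w") as handle:
        handle.write(content)
    os.chmod(path, mode)  # enforce the exact bits regardless of umask
    return mode_bits(path)


def build_git_ssh_command(key_path, known_hosts_path):
    """ssh options that avoid the home directory and verify the pinned host key."""
    return shlex.join(["ssh", "-i", key_path, "-o", "IdentitiesOnly=yes",
                       "-o", "UserKnownHostsFile=" + known_hosts_path,
                       "-o", "StrictHostKeyChecking=yes"])


def prepare_ssh(workdir, private_key):
    """Write key and known_hosts under workdir; return the GIT_SSH_COMMAND value."""
    key_path = os.path.join(workdir, "id_rsa")
    known_hosts_path = os.path.join(workdir, "known_hosts")
    write_secret_file(key_path, private_key)
    write_secret_file(known_hosts_path, PINNED_KNOWN_HOSTS, mode=0o644)
    return build_git_ssh_command(key_path, known_hosts_path)


if __name__ == "__main__":
    # Decimal 600 is octal 0o1130: no owner read bit, so ssh cannot load the key.
    print(oct(600), stat.filemode(stat.S_IFREG | 600))
    with tempfile.TemporaryDirectory() as workdir:  # stands in for /tmp in Lambda
        print(prepare_ssh(workdir, "constructed-key-material\n"))
```

In a handler, the returned string would be assigned to os.environ["GIT_SSH_COMMAND"] before running the clone, with workdir set to /tmp.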
