Flux bootstrap for AWS CodeCommit
To install Flux on an EKS cluster using a CodeCommit repository as the source of truth, you can use the flux bootstrap git command.
Flux can authenticate to CodeCommit over HTTPS with AWS IAM credentials, or over SSH with an SSH key attached to an IAM user.
Required permissions
To bootstrap Flux, the person running the command must have cluster admin rights for the target Kubernetes cluster. It is also required that the AWS identity used by the Flux CLI has pull and push rights for the CodeCommit repository. The AWS identity used by source-controller in the cluster must have pull rights for the CodeCommit repository.
Private VPC
If your VPC is configured without internet access, or if you prefer that the access is over a private connection, you need to set up a VPC endpoint to access CodeCommit by following the guide Using AWS CodeCommit with interface VPC endpoints.
Bootstrap over HTTPS with IAM role
Flux version
AWS CodeCommit over HTTPS with IAM credentials is supported starting with Flux 2.9.x.
To bootstrap over HTTPS with an IAM role, make sure the Flux CLI can discover AWS credentials from the environment, such as an assumed role, AWS SSO session, instance profile, or other credentials supported by the AWS SDK. For more details on IAM roles and AWS authentication methods in Flux, see the AWS authentication documentation.
You can verify the identity used by the Flux CLI with:
aws sts get-caller-identity
- The IAM role used by the CLI must have codecommit:GitPull and codecommit:GitPush permissions for the CodeCommit repository.
- The source-controller running in the cluster also needs an IAM role with codecommit:GitPull for the same repository.
For additional details, see AWS CodeCommit Integration.
The bootstrap command configures the generated GitRepository with provider: aws to use the controller-level AWS identity.
Run bootstrap with the CodeCommit HTTPS URL:
flux bootstrap git \
--url=https://git-codecommit.<region>.amazonaws.com/v1/repos/<repository> \
--branch=main \
--path=clusters/my-cluster
When using CodeCommit over HTTPS with IAM credentials, do not specify
--token-auth, --username, or --password. The Flux CLI obtains temporary
Git credentials from AWS IAM for the bootstrap operation.
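The two IAM identities above need different, repository-scoped permissions: pull and push for the person running the bootstrap, pull only for source-controller. The following shell helpers, added here as an example and not part of the Flux project or its docs, generate those least-privilege policy documents from constructed sample values (region, account id and repository name are assumptions, as is the function naming) and show how to pre-check a role's access with the real aws iam simulate-principal-policy command before bootstrapping.

```shell
#!/usr/bin/env sh
# Added example (not Flux project code): least-privilege IAM policies for the
# CodeCommit identities described above. Repository ARNs follow the AWS form
# arn:aws:codecommit:<region>:<account-id>:<repository-name>.

# repo_arn REGION ACCOUNT_ID REPO -> CodeCommit repository ARN
repo_arn() {
  printf 'arn:aws:codecommit:%s:%s:%s\n' "$1" "$2" "$3"
}

# codecommit_policy ARN MODE
#   MODE=pull       -> GitPull only      (source-controller in the cluster)
#   MODE=pull-push  -> GitPull + GitPush (identity running flux bootstrap)
codecommit_policy() {
  arn="$1"
  case "$2" in
    pull)      actions='"codecommit:GitPull"' ;;
    pull-push) actions='"codecommit:GitPull", "codecommit:GitPush"' ;;
    *) echo "usage: codecommit_policy ARN pull|pull-push" >&2; return 1 ;;
  esac
  # Resource is the single repository ARN, never "*": the cluster identity
  # should not be able to read (or push to) other repositories in the account.
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": [ $actions ], "Resource": "$arn" }
  ]
}
EOF
}

# simulate_access ROLE_ARN REPO_ARN: ask IAM which of the two Git actions the
# role is allowed on the repository, without touching CodeCommit itself.
# Needs AWS credentials; pass the IAM role ARN (arn:aws:iam::...:role/...),
# not the assumed-role ARN printed by aws sts get-caller-identity.
simulate_access() {
  aws iam simulate-principal-policy \
    --policy-source-arn "$1" \
    --action-names codecommit:GitPull codecommit:GitPush \
    --resource-arns "$2" \
    --query 'EvaluationResults[].[EvalActionName,EvalDecision]' \
    --output text
}

# Constructed sample values; replace with your region, account id and repo.
ARN=$(repo_arn us-east-1 123456789012 fleet-infra)
codecommit_policy "$ARN" pull        # policy for source-controller's role
```

Run simulate_access against the source-controller role after attaching the policy; the expected result is GitPull allowed and GitPush implicitDeny.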
Bootstrap over SSH
Create a CodeCommit repository and generate a PEM-encoded RSA SSH private key with a passphrase:
ssh-keygen -t rsa -b 4096 -m PEM -f ./codecommit_rsa
Upload the SSH public key to the IAM user that Flux will use to access CodeCommit:
aws iam upload-ssh-public-key \
--user-name codecommit-user \
--ssh-public-key-body file://codecommit_rsa.pub
The output will contain a field called SSHPublicKeyId:
{
"SSHPublicKey": {
"SSHPublicKeyId": "<SSH-Key-ID>",
"Fingerprint": "<fingerprint>",
"SSHPublicKeyBody": "<public-key>",
"Status": "Active",
"UploadDate": "<timestamp>"
}
}
Run bootstrap using the SSHPublicKeyId as the SSH username:
flux bootstrap git \
--url=ssh://<SSHPublicKeyId>@git-codecommit.<region>.amazonaws.com/v1/repos/<repository> \
--branch=<my-branch> \
--private-key-file=./codecommit_rsa \
--password=<key-passphrase> \
--path=clusters/my-cluster
Do not use the IAM user name as the SSH username in the repository URL. CodeCommit expects the SSH key ID assigned to the uploaded public key.
You can also pipe the passphrase on stdin, for example: echo key-passphrase | flux bootstrap git.
The SSH private key and the known hosts keys are stored in the cluster as a Kubernetes
secret named flux-system inside the flux-system namespace.
For the full CodeCommit SSH setup, including where to find the SSH Key ID, see the AWS CodeCommit SSH documentation for Linux, macOS, or Unix and Windows.
SSH Key rotation
To rotate the SSH key, delete the flux-system secret from the cluster and re-run the bootstrap command using a new PEM-encoded RSA SSH private key.