Flux bootstrap for AWS CodeCommit

How to bootstrap Flux with AWS CodeCommit

To install Flux on an EKS cluster using a CodeCommit repository as the source of truth, you can use the flux bootstrap git command.

Bootstrap over SSH

Create a CodeCommit repository and generate a PEM-encoded RSA SSH private key with a passphrase:

ssh-keygen -t rsa -b 4096 -m PEM -f ./codecommit_rsa

Upload the SSH public key to the IAM user that Flux will use to access CodeCommit:

aws iam upload-ssh-public-key \
  --user-name codecommit-user \
  --ssh-public-key-body file://codecommit_rsa.pub

The output will contain a field called SSHPublicKeyId:

{
    "SSHPublicKey": {
        "SSHPublicKeyId": "<SSH-Key-ID>",
        "Fingerprint": "<fingerprint>",
        "SSHPublicKeyBody": "<public-key>",
        "Status": "Active",
        "UploadDate": "<timestamp>"
    }
}

Run bootstrap using the SSHPublicKeyId as the SSH username:

flux bootstrap git \
  --url=ssh://<SSHPublicKeyId>@git-codecommit.<region>.amazonaws.com/v1/repos/<repository> \
  --branch=<my-branch> \
  --private-key-file=./codecommit_rsa \
  --password=<key-passphrase> \
  --path=clusters/my-cluster

Do not use the IAM user name as the SSH username in the repository URL. CodeCommit expects the SSH key ID assigned to the uploaded public key.

You can also pipe the passphrase to the command instead of passing it with --password, e.g. echo key-passphrase | flux bootstrap git.
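As an added example (not part of the Flux documentation), the helpers below reject an IAM user name in the repository URL and feed the passphrase to flux on stdin rather than through --password. The function names, the sample JSON, and the APKA-prefix check used to recognise a key ID are assumptions of this example.

```shell
#!/bin/sh
# Added example: helper names and the sample JSON below are constructed.

# Constructed sample of `aws iam upload-ssh-public-key` output (not a real key ID).
SAMPLE_JSON='{
    "SSHPublicKey": {
        "SSHPublicKeyId": "APKAEXAMPLEEXAMPLE01",
        "Status": "Active"
    }
}'

# Read the upload output on stdin and print the SSHPublicKeyId field.
# With the real CLI you can instead add:
#   --query SSHPublicKey.SSHPublicKeyId --output text
extract_key_id() {
  sed -n 's/.*"SSHPublicKeyId"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Heuristic (assumption): IAM public key IDs start with APKA and are at
# least 20 characters; an IAM user name such as codecommit-user fails this.
is_ssh_key_id() {
  case "$1" in
    APKA*) [ "${#1}" -ge 20 ] ;;
    *) return 1 ;;
  esac
}

# Build the repository URL, refusing anything that is not a key ID.
codecommit_ssh_url() {  # args: key_id region repository
  is_ssh_key_id "$1" || {
    echo "error: '$1' does not look like an SSH key ID" >&2
    return 1
  }
  printf 'ssh://%s@git-codecommit.%s.amazonaws.com/v1/repos/%s\n' "$1" "$2" "$3"
}

# Prompt for the passphrase without echo and pipe it to flux, so it is
# never a command-line argument. Runs in a subshell; call it interactively.
bootstrap() (  # args: key_id region repository branch
  url=$(codecommit_ssh_url "$1" "$2" "$3") || exit 1
  printf 'Key passphrase: ' >&2
  stty -echo; IFS= read -r pass; stty echo; echo >&2
  printf '%s\n' "$pass" | flux bootstrap git --url="$url" --branch="$4" \
    --private-key-file=./codecommit_rsa --path=clusters/my-cluster
)
```

Source the file and call bootstrap with the key ID, region, repository and branch; nothing runs against AWS or the cluster until you do.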

The SSH private key and the known hosts keys are stored in the cluster as a Kubernetes secret named flux-system inside the flux-system namespace.

For the full CodeCommit SSH setup, including where to find the SSH Key ID, see the AWS CodeCommit SSH documentation for Linux, macOS, or Unix and for Windows.