TL;DR

If you see the error message "$HOME not set" when setting up git through EC2 user data, change the configuration commands to use git config --system instead of git config --global.

Introduction

While preparing the article for the Instance Metadata Service (IMDS), I wanted to automate the deployment of my demo environment via EC2 user data. I had the source code added to an AWS CodeCommit repository and added my script to the instance:

#!/bin/bash
sudo yum -y install git
git config --global credential.helper '!aws codecommit credential-helper $@'
git config --global credential.UseHttpPath true
git config --global user.email "[email protected]"
git config --global user.name "alexanderhose"
git clone https://git-codecommit.us-east-2.amazonaws.com/v1/repos/ssrf

I ensured that my IAM instance role had the correct permissions to read the code from CodeCommit and the trust relationship was added to the role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codecommit:GitPull",
                "codecommit:GitPush"
            ],
            "Resource": "arn:aws:codecommit:us-east-2:<accountID>:ssrf"
        }
    ]
}

In the system log of the instance, I found several error messages regarding the script I had supplied in the user data:

[   26.195286] cloud-init[3205]: fatal: $HOME not set
[   26.202130] cloud-init[3205]: fatal: $HOME not set
[   26.215579] cloud-init[3205]: fatal: $HOME not set
[   26.223277] cloud-init[3205]: fatal: $HOME not set
[   26.231651] cloud-init[3205]: Cloning into 'ssrf'...
[   26.256029] cloud-init[3205]: fatal: could not read Username for 'https://git-codecommit.us-east-2.amazonaws.com': No such device or address

Set git system-wide configuration

I did not realize that scripts entered as user data run as root and not as the ec2-user. This causes issues with the git setup, because the git config --global command is user-specific: it writes to a configuration file in the user's home directory. When cloud-init runs the script as root, $HOME is not set, so git has no file to write the setting to. To solve this problem, we can use the git config --system command.

The system-level configuration applies across the entire instance and covers all users on the operating system. The system-level configuration file is saved at /etc/gitconfig. If you have several configuration files, the order of priority is local, global, then system: Git checks the most specific level first and then the next higher level.

In the end, I could solve the issue by setting the system-level git configuration and successfully cloning the repository to the local instance:

git config --system credential.helper '!aws codecommit credential-helper $@'
git config --system credential.UseHttpPath true
git config --system user.email "[email protected]"
git config --system user.name "alexanderhose"
git clone https://git-codecommit.us-east-2.amazonaws.com/v1/repos/ssrf
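
As an added example (not code from the original post), the script below reproduces the error offline by unsetting HOME, then applies the two credential settings without relying on HOME and reads the helper back to confirm the literal $@ survived quoting. The function names and the optional file argument, which redirects the write away from /etc/gitconfig for a dry run, are assumptions of this example.

```bash
#!/bin/bash
# Added example, not from the original post. Function names are hypothetical.

HELPER='!aws codecommit credential-helper $@'   # value taken from the post

# Reproduce the failure: user data runs without HOME, so --global has no
# file to write to. Prints git's message and returns git's exit status.
global_without_home() (
    unset HOME XDG_CONFIG_HOME GIT_CONFIG_GLOBAL
    LC_ALL=C git config --global user.name "constructed-demo-user" 2>&1
)

# Apply the CodeCommit credential settings without relying on HOME.
# No argument: write to the system scope, as in the post (needs root).
# With a path argument (assumption of this example): write to that file.
configure_codecommit() {
    if [ -n "${1:-}" ]; then set -- --file "$1"; else set -- --system; fi
    git config "$@" credential.helper "$HELPER" || return 1
    git config "$@" credential.UseHttpPath true || return 1
    # Read the helper back. Had the value been double-quoted on the way,
    # the shell would have expanded $@ away and git would store a broken helper.
    [ "$(git config "$@" --get credential.helper)" = "$HELPER" ]
}

# Usage in user data: stop before the clone if configuration failed,
# instead of continuing into "could not read Username".
#   configure_codecommit || exit 1
#   git clone https://git-codecommit.us-east-2.amazonaws.com/v1/repos/ssrf
if [ "${1:-}" = "--demo" ]; then
    global_without_home; echo "exit status: $?"
    f=$(mktemp) && configure_codecommit "$f" && cat "$f" && rm -f "$f"
fi
```

Running the script with --demo on a workstation shows the failure and the resulting configuration file without touching /etc/gitconfig.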
