Configure cross-account access to an Amazon CodeCommit repository using roles - Amazon CodeCommit
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Configure cross-account access to an Amazon CodeCommit repository using roles

You can configure access to CodeCommit repositories for IAM users and groups in another Amazon account. This is often referred to as cross-account access. This section provides examples and step-by-step instructions for configuring cross-account access for a repository named MySharedDemoRepo in the US East (Ohio) Region in an Amazon account (referred to as AccountA) to IAM users who belong to an IAM group named DevelopersWithCrossAccountRepositoryAccess in another Amazon account (referred to as AccountB).

This section is divided into three parts:

  • Actions for the Administrator in AccountA.

  • Actions for the Administrator in AccountB.

  • Actions for the repository user in AccountB.

To configure cross-account access:

  • The administrator in AccountA signs in as an IAM user with the permissions required to create and manage repositories in CodeCommit and create roles in IAM. If you are using managed policies, apply IAMFullAccess and AWSCodeCommitFullAccess to this IAM user.

    The example account ID for AccountA is 111122223333.

  • The administrator in AccountB signs in as an IAM user with the permissions required to create and manage IAM users and groups, and to configure policies for users and groups. If you are using managed policies, apply IAMFullAccess to this IAM user.

    The example account ID for AccountB is 888888888888.

  • The repository user in AccountB, to emulate the activities of a developer, signs in as an IAM user who is a member of the IAM group created to allow access to the CodeCommit repository in AccountA. This account must be configured with:

    • Amazon Management Console access.

    • An access key and secret key to use when connecting to Amazon resources and the ARN of the role to assume when accessing repositories in AccountA.

    • The git-remote-codecommit utility on the local computer where the repository is cloned. This utility requires Python and its installer, pip. You can download the utility from git-remote-codecommit on the Python Package Index website.

    For more information, see Setup steps for HTTPS connections to Amazon CodeCommit with git-remote-codecommit and IAM users.