Amazon CodeCommit is no longer available to new customers. Existing customers of
Amazon CodeCommit can continue to use the service as normal.
Connecting to Amazon CodeCommit repositories with rotating credentials
You can give users access to your Amazon CodeCommit repositories without configuring IAM users for them or using an access key and secret key. To assign permissions to a federated identity, you create a role and define permissions for the role. When a federated identity authenticates, the identity is associated with the role and is granted the permissions that are defined by the role. For information about roles for federation, see Create a role for a third-party identity provider (federation) in the IAM User Guide. You can also configure role-based access for IAM users to access CodeCommit repositories in separate Amazon Web Services accounts (a technique known as cross-account access). For a walkthrough of configuring cross-account access to a repository, see Configure cross-account access to an Amazon CodeCommit repository using roles.
You can configure access for users who want or must authenticate through methods such as:
- Security Assertion Markup Language (SAML)
- Multi-factor authentication (MFA)
- Federation
- Login with Amazon
- Amazon Cognito
- Facebook
- Google
- OpenID Connect (OIDC)-compatible identity provider
Note
The following information applies only to the use of git-remote-codecommit or the Amazon CLI credential helper to connect to CodeCommit repositories. Because the recommended approach for temporary or federated access to CodeCommit is to set up git-remote-codecommit, this topic provides examples using that utility. For more information, see Setup steps for HTTPS connections to Amazon CodeCommit with git-remote-codecommit.
You cannot use SSH or Git credentials and HTTPS to connect to CodeCommit repositories with rotating or temporary access credentials.
You do not need to complete these steps if all of the following requirements are true:
- You are signed in to an Amazon EC2 instance.
- You are using Git and HTTPS with the Amazon CLI credential helper to connect from the Amazon EC2 instance to CodeCommit repositories.
- The Amazon EC2 instance has an attached IAM instance profile that contains the access permissions described in For HTTPS connections on Linux, OS X, or Unix with the Amazon CLI credential helper or For HTTPS connections on Windows with the Amazon CLI credential helper.
- You have installed and configured the Git credential helper on the Amazon EC2 instance, as described in For HTTPS connections on Linux, OS X, or Unix with the Amazon CLI credential helper or For HTTPS connections on Windows with the Amazon CLI credential helper.
Amazon EC2 instances that meet the preceding requirements are already set up to communicate temporary access credentials to CodeCommit on your behalf.
Note
You can configure and use git-remote-codecommit on Amazon EC2 instances.
To give users temporary access to your CodeCommit repositories, complete the following steps.
Step 1: Complete the prerequisites
Complete the setup steps to provide a user with access to your CodeCommit repositories using rotating credentials:
- For cross-account access, see Walkthrough: Delegating Access Across Amazon Web Services accounts Using IAM Roles and Configure cross-account access to an Amazon CodeCommit repository using roles.
- For SAML and federation, see Using Your Organization's Authentication System to Grant Access to Amazon Resources and About Amazon STS SAML 2.0-based Federation.
- For MFA, see Using Multi-Factor Authentication (MFA) Devices with Amazon and Creating Temporary Security Credentials to Enable Access for IAM Users.
- For Login with Amazon, Amazon Cognito, Facebook, Google, or any OIDC-compatible identity provider, see About Amazon STS Web Identity Federation.
Use the information in Authentication and access control for Amazon CodeCommit to specify the CodeCommit permissions you want to grant the user.
Step 2: Get role name or access credentials
If you want your users to access repositories by assuming a role, provide your users with the Amazon Resource Name (ARN) of that role. Otherwise, depending on the way you set up access, your user can get rotating credentials in one of the following ways:
- For cross-account access, call the Amazon CLI assume-role command or call the Amazon STS AssumeRole API.
- For SAML, call the Amazon CLI assume-role-with-saml command or the Amazon STS AssumeRoleWithSAML API.
- For federation, call the Amazon CLI assume-role or get-federation-token commands or the Amazon STS AssumeRole or GetFederationToken APIs.
- For MFA, call the Amazon CLI get-session-token command or the Amazon STS GetSessionToken API.
- For Login with Amazon, Amazon Cognito, Facebook, Google, or any OIDC-compatible identity provider, call the Amazon CLI assume-role-with-web-identity command or the Amazon STS AssumeRoleWithWebIdentity API.
Step 3: Install git-remote-codecommit and configure the Amazon CLI
You must configure your local computer to use the access credentials by installing git-remote-codecommit.
- Follow the instructions in Setting up to set up the Amazon CLI. Use the aws configure command to configure one or more profiles. Consider creating a named profile to use when you connect to CodeCommit repositories using rotating credentials.
- You can associate the credentials with the user's Amazon CLI named profile in one of the following ways.
  - If you are assuming a role to access CodeCommit, configure a named profile with the information required to assume that role. For example, if you want to assume a role named CodeCommitAccess in the Amazon Web Services account 111111111111, you can configure a default profile to use when working with other Amazon resources and a named profile to use when assuming that role. The following commands create a named profile named CodeAccess that assumes a role named CodeCommitAccess. The user name Maria_Garcia is associated with the session and the default profile is set as the source of its Amazon credentials:

        aws configure set role_arn arn:aws:iam::111111111111:role/CodeCommitAccess --profile CodeAccess
        aws configure set source_profile default --profile CodeAccess
        aws configure set role_session_name "Maria_Garcia" --profile CodeAccess

    If you want to verify the changes, manually view or edit the ~/.aws/config file (for Linux) or the %UserProfile%\.aws\config file (for Windows) and review the information under the named profile. For example, your file might look similar to the following:

        [default]
        region = us-east-1
        output = json

        [profile CodeAccess]
        source_profile = default
        role_session_name = Maria_Garcia
        role_arn = arn:aws:iam::111111111111:role/CodeCommitAccess

    After you have configured your named profile, you can then clone CodeCommit repositories with the git-remote-codecommit utility using the named profile. For example, to clone a repository named MyDemoRepo:

        git clone codecommit://CodeAccess@MyDemoRepo

  - If you are using web identity federation and OpenID Connect (OIDC), configure a named profile that makes the Amazon Security Token Service (Amazon STS) AssumeRoleWithWebIdentity API call on your behalf to refresh temporary credentials. Use the aws configure set command or manually edit the ~/.aws/credentials file (for Linux) or the %UserProfile%\.aws\credentials file (for Windows) to add an Amazon CLI named profile with the required setting values. For example, to create a profile that assumes the CodeCommitAccess role and uses a web identity token file ~/my-credentials/my-token-file:

        [CodeCommitWebIdentity]
        role_arn = arn:aws:iam::111111111111:role/CodeCommitAccess
        web_identity_token_file=~/my-credentials/my-token-file
        role_session_name = Maria_Garcia
For more information, see Configuring the Amazon Command Line Interface and Using an IAM Role in the Amazon CLI in the Amazon Command Line Interface User Guide.
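As an added example (not part of the Amazon documentation or the git-remote-codecommit project), the following Python checks a config file in the shape shown in this step for the properties a role-assuming profile needs before git-remote-codecommit can obtain rotating credentials through it, and flags a profile that mixes a long-lived access key in; the sample config, the BadMix profile and the AKIA... key value are constructed, and the checks also accept web_identity_token_file as the credential source.

```python
import configparser
import re
from typing import Dict, List

# Constructed sample of ~/.aws/config after the "aws configure set ...
# --profile CodeAccess" commands above, plus one deliberately bad profile.
SAMPLE_CONFIG = """
[default]
region = us-east-1
output = json

[profile CodeAccess]
source_profile = default
role_session_name = Maria_Garcia
role_arn = arn:aws:iam::111111111111:role/CodeCommitAccess

[profile BadMix]
role_arn = arn:aws:iam::111111111111:role/CodeCommitAccess
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
"""

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

def load_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Parse config text; drop the 'profile ' prefix used in ~/.aws/config."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    out = {}
    for section in cp.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        out[name] = dict(cp[section])
    return out

def audit_role_profile(profiles: Dict[str, Dict[str, str]], name: str) -> List[str]:
    """Return problems that stop the profile from yielding rotating credentials
    or that weaken the audit trail of the sessions it creates."""
    p = profiles.get(name)
    if p is None:
        return [f"profile {name!r} not found"]
    issues = []
    if not ROLE_ARN_RE.match(p.get("role_arn", "")):
        issues.append("role_arn missing or malformed")
    if not ({"source_profile", "credential_source", "web_identity_token_file"} & p.keys()):
        issues.append("no credential source for assuming the role")
    if "role_session_name" not in p:
        issues.append("role_session_name unset: CloudTrail cannot tie the session to a person")
    if "aws_access_key_id" in p or "aws_secret_access_key" in p:
        issues.append("static access key stored in a role profile")
    return issues

def clone_url(profile: str, repo: str) -> str:
    """Build the git-remote-codecommit URL form shown on this page."""
    return f"codecommit://{profile}@{repo}"
```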
Step 4: Access the CodeCommit repositories
Assuming your user has followed the instructions in Connect to a repository to connect to the CodeCommit repositories, the user then uses the extended functionality provided by git-remote-codecommit and Git to call git clone, git push, and git pull to clone, push to, and pull from, the CodeCommit repositories to which he or she has access. For example, to clone a repository:
    git clone codecommit://CodeAccess@MyDemoRepo
Git commit, push, and pull commands use regular Git syntax.
When the user uses the Amazon CLI and specifies the Amazon CLI named profile associated with the rotating access credentials, results scoped to that profile are returned.