Connecting to Amazon CodeCommit repositories with rotating credentials - Amazon CodeCommit
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Connecting to Amazon CodeCommit repositories with rotating credentials

You can give users access to your Amazon CodeCommit repositories without configuring IAM users for them or using an access key and secret key. To assign permissions to a federated identity, you create a role and define permissions for the role. When a federated identity authenticates, the identity is associated with the role and is granted the permissions that are defined by the role. For information about roles for federation, see Creating a role for a third-party Identity Provider in the IAM User Guide. You can also configure role-based access for IAM users to access CodeCommit repositories in separate Amazon Web Services accounts (a technique known as cross-account access). For a walkthrough of configuring cross-account access to a repository, see Configure cross-account access to an Amazon CodeCommit repository using roles.

You can configure access for users who want or must authenticate through methods such as:

  • Security Assertion Markup Language (SAML)

  • Multi-factor authentication (MFA)

  • Federation

  • Login with Amazon

  • Amazon Cognito

  • Facebook

  • Google

  • OpenID Connect (OIDC)-compatible identity provider


The following information applies only to the use of git-remote-codecommit or the Amazon CLI credential helper to connect to CodeCommit repositories. Because the recommended approach for temporary or federated access to CodeCommit is to set up git-remote-codecommit, this topic provides examples using that utility. For more information, see Setup steps for HTTPS connections to Amazon CodeCommit with git-remote-codecommit.

You cannot use SSH or Git credentials and HTTPS to connect to CodeCommit repositories with rotating or temporary access credentials.

You do not need to complete these steps if all of the following requirements are true:

Amazon EC2 instances that meet the preceding requirements are already set up to communicate temporary access credentials to CodeCommit on your behalf.


You can configure and use git-remote-codecommit on Amazon EC2 instances.

To give users temporary access to your CodeCommit repositories, complete the following steps.

Step 1: Complete the prerequisites

Complete the setup steps to provide a user with access to your CodeCommit repositories using rotating credentials:

Use the information in Authentication and access control for Amazon CodeCommit to specify the CodeCommit permissions you want to grant the user.

Step 2: Get role name or access credentials

If you want your users to access repositories by assuming a role, provide your users with the Amazon Resource Name (ARN) of that role. Otherwise, depending on the way you set up access, your user can get rotating credentials in one of the following ways:

Step 3: Install git-remote-codecommit and configure the Amazon CLI

You must configure your local computer to use the access credentials by installing git-remote-codecommit and configuring a profile in the Amazon CLI.

  1. Follow the instructions in Setting up to set up the Amazon CLI. Use the aws configure command to configure one or more profiles. Consider creating a named profile to use when you connect to CodeCommit repositories using rotating credentials.

  2. You can associate the credentials with the user's Amazon CLI named profile in one of the following ways.

    • If you are assuming a role to access CodeCommit, configure a named profile with the information required to assume that role. For example, if you want to assume a role named CodeCommitAccess in the Amazon Web Services account 111111111111, you can configure a default profile to use when working with other Amazon resources and a named profile to use when assuming that role. The following commands create a named profile named CodeAccess that assumes a role named CodeCommitAccess. The user name Maria_Garcia is associated with the session and the default profile is set as the source of its Amazon credentials:

      aws configure set role_arn arn:aws:iam::111111111111:role/CodeCommitAccess --profile CodeAccess aws configure set source_profile default --profile CodeAccess aws configure set role_session_name "Maria_Garcia" --profile CodeAccess

      If you want to verify the changes, manually view or edit the ~/.aws/config file (for Linux) or the\config file (for Windows) and review the information under the named profile. For example, your file might look similar to the following:

      [default] region = us-east-1 output = json [profile CodeAccess] source_profile = default role_session_name = Maria_Garcia role_arn = arn:aws:iam::111111111111:role/CodeCommitAccess

      After you have configured your named profile, you can then clone CodeCommit repositories with the git-remote-codecommit utility using the named profile. For example, to clone a repository named MyDemoRepo:

      git clone codecommit://CodeAccess@MyDemoRepo
    • If you are using web identity federation and OpenID Connect (OIDC), configure a named profile that makes the Amazon Security Token Service (Amazon STS) AssumeRoleWithWebIdentity API call on your behalf to refresh temporary credentials. Use the aws configure set command or manually edit the ~/.aws/credentials file (for Linux) or the\credentials file (for Windows) to add an Amazon CLI named profile with the required setting values. For example, to create a profile that assumes the CodeCommitAccess role and uses a web identity token file ~/my-credentials/my-token-file:

      [CodeCommitWebIdentity] role_arn = arn:aws:iam::111111111111:role/CodeCommitAccess web_identity_token_file=~/my-credentials/my-token-file role_session_name = Maria_Garcia

    For more information, see Configuring the Amazon Command Line Interface and Using an IAM Role in the Amazon CLI in the Amazon Command Line Interface User Guide.

Step 4: Access the CodeCommit repositories

Assuming your user has followed the instructions in Connect to a repository to connect to the CodeCommit repositories, the user then uses the extended functionality provided by git-remote-codecommit and Git to call git clone, git push, and git pull to clone, push to, and pull from, the CodeCommit repositories to which he or she has access. For example, to clone a repository:

git clone codecommit://CodeAccess@MyDemoRepo

Git commit, push, and pull commands use regular Git syntax.

When the user uses the Amazon CLI and specifies the Amazon CLI named profile associated with the rotating access credentials, results scoped to that profile are returned.