CodeCommit access via federated credentials is the way to go. You're not using long-lived Access Keys, are you? Bad engineer! Stop that! For better or worse, federated IAM access requires you to use the HTTPS endpoint with a git credential helper.
Adding the following to your ~/.gitconfig file (obviously set the region value as appropriate) is enough to get you up and running with CodeCommit:
```ini
[credential "https://git-codecommit.ap-southeast-2.amazonaws.com"]
	helper = "!aws codecommit credential-helper $@"
	UseHttpPath = true
```
This helper means you can now use your IAM credentials (like those granted to you via a tool like saml2aws) to interact with your repo.
Mac Keychain
Unfortunately the default configuration on a Mac doesn't work very well, because the Keychain tool is a bit over-eager to save your credentials. When your session expires, Keychain doesn't recognise the fact and keeps trying to re-use the old credentials. This results in the following error message:
```
fatal: unable to access 'https://git-codecommit.ap-southeast-2.amazonaws.com/v1/repos/my-repository/': The requested URL returned error: 403
```
While the AWS documentation tries to help you with this, their solution only stops Keychain from doing its thing automatically. This doesn't work for very long, because the effective username changes with each STS token issued (which lasts for a maximum of 36 hours), so you end up with multiple entries in Keychain, none of which behave the way you want them to.
Make it Stop
The fix is to prevent Keychain from getting involved at all. The following output will show you that Keychain is being used by git at a system level:

```
$ git config --system credential.helper
osxkeychain
```
To unset the value, use the following command:

```
git config --system --unset credential.helper
```
This means that now Keychain will not try and cache your credentials, and git will simply use the credential helper you've configured to talk to CodeCommit. Profit!
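As an added example (not from the original post), here is a small Python checker that parses gitconfig text and flags the two problems covered above: an `osxkeychain` helper still set as the default, and a CodeCommit section that is missing the aws helper or `UseHttpPath`. The sample config is constructed to show both sections side by side; point it at the text of your own config files (the `--system` one and `~/.gitconfig`) to check a real setup.

```python
import re
# Constructed sample: the post's CodeCommit helper plus the stray
# osxkeychain entry a default Mac git install leaves at system level.
SAMPLE_GITCONFIG = """\
[credential]
\thelper = osxkeychain
[credential "https://git-codecommit.ap-southeast-2.amazonaws.com"]
\thelper = "!aws codecommit credential-helper $@"
\tUseHttpPath = true
"""
SECTION_RE = re.compile(r'^\[([\w.-]+)(?:\s+"([^"]*)")?\]$')
KEY_RE = re.compile(r'^([A-Za-z][\w-]*)\s*=\s*(.*)$')

def parse_gitconfig(text):
    """Parse gitconfig text into {(section, subsection): {key: value}}."""
    # Section and key names are case-insensitive in git, so they are
    # lower-cased here; the subsection (the URL) keeps its case.
    config, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2))
            config.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            value = m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # git strips the quotes around a value
            config[current][m.group(1).lower()] = value
    return config

def codecommit_findings(config):
    """Report the problems the post describes, as a list of strings."""
    findings = []
    if config.get(('credential', None), {}).get('helper') == 'osxkeychain':
        findings.append('credential.helper=osxkeychain will cache expired STS credentials; unset it')
    hosts = [(sub, kv) for (sec, sub), kv in config.items()
             if sec == 'credential' and sub and 'git-codecommit' in sub]
    if not hosts:
        findings.append('no [credential "https://git-codecommit..."] section found')
    for sub, kv in hosts:
        if not kv.get('helper', '').startswith('!aws codecommit credential-helper'):
            findings.append(f'{sub}: helper is not the aws codecommit credential-helper')
        if kv.get('usehttppath', '').lower() != 'true':
            findings.append(f'{sub}: UseHttpPath should be true')
    return findings
```

Running `codecommit_findings(parse_gitconfig(SAMPLE_GITCONFIG))` on the sample reports only the stray `osxkeychain` helper; remove that line and the list comes back empty.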