1 min read

Federated CodeCommit Access

CodeCommit access via federated credentials is the way to go. You're not using long-lived Access Keys are you? Bad engineer! Stop that! For better or worse, federated IAM access requires you to use the HTTPS endpoint with a git credential helper.

Adding the following to your ~/.gitconfig file (obviously set the region value as appropriate) is enough to get your up and running with CodeCommit:

[credential "https://git-codecommit.ap-southeast-2.amazonaws.com"]
        helper = "!aws codecommit credential-helper $@"
        UseHttpPath = true

This helper means you can now use your IAM credentials (like those granted to you via a tool like saml2aws) to interact with your repo.

Mac Keychain

Unfortunately the default configuration on a Mac is doesn't work very well, because the Keychain tool is a bit over-eager to save your credentials. When your session expires, Keychain doesn't recognise the fact and keeps trying to re-use the old credentials. This results in the following error message:

fatal: unable to access 'https://git-codecommit.ap-southeast-2.amazonaws.com/v1/repos/my-repository/': The requested URL returned error: 403

While the AWS documentation tries to help when you with this, their solution only stops Keychain from doing its thing automatically. This doesn't work for very long because the effective username changes with each STS token issued (which lasts for a maximum of 36 hours) so you end up with multiple entries in Keychain, none of which behave the way you want them to.

Make it Stop

The fix is to prevent Keychain from getting involved at all. The following output will show you that Keychain is being used by git at a system level:

git config --system credential.helper

To unset the value, use the following command:

git config --system --unset credential.helper

This means that now Keychain will not try and cache your credentials, and git will simply use the credential helper you've configured to talk to CodeCommit. Profit!