AWS CodeCommit
User Guide (API Version 2015-04-13)

Temporary Access to AWS CodeCommit Repositories

You can allow users temporary access to your AWS CodeCommit repositories. Typically, you do this to allow IAM users to access AWS CodeCommit repositories in separate AWS accounts (a technique known as cross-account access). You can also do this for users who want to (or must) authenticate through methods such as:

  • Security Assertion Markup Language (SAML)

  • Multi-factor authentication (MFA)

  • Federation

  • Login with Amazon

  • Amazon Cognito

  • Facebook

  • Google

  • OpenID Connect (OIDC)-compatible identity provider


The following information applies only to the use of the AWS CLI Credential Helper to connect to AWS CodeCommit repositories. You cannot use either SSH or Git credentials and HTTPS to connect to AWS CodeCommit repositories with temporary access credentials.

You don't need to complete the following instructions if all of the following requirements are true:

Amazon EC2 instances that meet the preceding requirements are already set up to communicate temporary access credentials to AWS CodeCommit on your behalf.

To give users temporary access to your AWS CodeCommit repositories, complete the following steps.

Step 1: Complete the Prerequisites

Complete the appropriate setup steps to provide a user with temporary access to your AWS CodeCommit repositories:

Regardless of the setup steps you follow, use the information in Authentication and Access Control for AWS CodeCommit to specify the AWS CodeCommit permissions you want to temporarily grant the user.

Step 2: Get Temporary Access Credentials

Depending on the way you set up temporary access, instruct the user to get temporary access credentials through one of the following approaches:

Regardless of the AWS CLI command or API the user calls, the user should receive back a set of temporary access credentials, which include an AWS access key ID, a secret access key, and a session token. The user must note these three values because they will be used in the next step.

Step 3: Configure the AWS CLI with Your Temporary Access Credentials

The user must configure his or her development machine to use those credentials to access the AWS CodeCommit repositories:

  1. Follow the instructions in Setting Up to set up the AWS CLI. Use the aws configure command to configure a profile.


    Before you continue, make sure the git config file is configured to use the AWS profile you configured in the AWS CLI.

  2. Use one of the following approaches to associate the temporary access credentials with the user's AWS CLI named profile. Do not use the aws configure command.

    • In the ~/.aws/credentials file (for Linux) or the\credentials file (for Windows), add to the user's AWS CLI named profile the aws_access_key_id, aws_secret_access_key, and aws_session_token setting values, for example:

      [CodeCommitProfileName]
      aws_access_key_id=TheAccessKeyID
      aws_secret_access_key=TheSecretAccessKey
      aws_session_token=TheSessionToken


    • Set the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN environment variables, for example:

      For Linux, macOS, or Unix:

      export AWS_ACCESS_KEY_ID=TheAccessKey
      export AWS_SECRET_ACCESS_KEY=TheSecretAccessKey
      export AWS_SESSION_TOKEN=TheSessionToken

      For Windows:

      set AWS_ACCESS_KEY_ID=TheAccessKey
      set AWS_SECRET_ACCESS_KEY=TheSecretAccessKey
      set AWS_SESSION_TOKEN=TheSessionToken

    For more information about either approach, see Configuring the AWS Command Line Interface in the AWS Command Line Interface User Guide.

  3. Set up the Git credential helper for Linux, macOS, or Unix or for Windows with the user's AWS CLI named profile that is associated with the temporary access credentials. As you follow these directions, do not call the aws configure command. You already specified temporary access credentials through the credentials file or the environment variables. Also, if you use environment variables instead of the credentials file to store temporary access credentials, in the Git credential helper, specify default as the profile name.

Step 4: Access the AWS CodeCommit Repositories

Assuming the user has followed the instructions in Connect to a Repository to connect to the AWS CodeCommit repositories, the user then uses Git to call git clone, git push, and git pull to clone, push to, and pull from, the AWS CodeCommit repositories to which he or she has temporary access.

When the user runs the AWS CLI and specifies the AWS CLI named profile associated with the temporary access credentials, results scoped to that AWS CLI named profile are returned.

If the user receives the 403: Forbidden error in response to calling a Git command or a command in AWS CLI, it's likely the temporary access credentials have expired. The user must go back to Step 2 and get a new set of temporary access credentials.
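Steps 2 and 3 as an added example (not code from the AWS documentation): the sketch below takes the JSON that AWS CLI STS commands such as aws sts assume-role print, checks its Expiration value, and writes the three values into a named profile in the credentials file without touching other profiles. The sample JSON and the function names are constructed for illustration.

```python
import configparser
import json
import os
from datetime import datetime, timezone

# Constructed sample in the shape the AWS CLI prints for STS calls such as
# `aws sts assume-role`; the values are placeholders, not real credentials.
SAMPLE_STS_OUTPUT = """
{
  "Credentials": {
    "AccessKeyId": "TheAccessKeyID",
    "SecretAccessKey": "TheSecretAccessKey",
    "SessionToken": "TheSessionToken",
    "Expiration": "2099-01-01T12:00:00+00:00"
  }
}
"""

def parse_credentials(sts_output):
    """Return the Credentials object, failing if any required value is missing."""
    creds = json.loads(sts_output)["Credentials"]
    for key in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"):
        if not creds.get(key):
            raise ValueError("missing " + key)
    return creds

def is_expired(creds, now=None):
    """True once Expiration has passed (the likely cause of a 403 in Step 4)."""
    now = now or datetime.now(timezone.utc)
    expiration = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    return now >= expiration

def write_profile(creds, profile, path):
    """Set the three values in one named profile, leaving other profiles intact."""
    if is_expired(creds):
        raise ValueError("credentials already expired; repeat Step 2")
    config = configparser.RawConfigParser()
    config.read(path)
    if not config.has_section(profile):
        config.add_section(profile)
    config.set(profile, "aws_access_key_id", creds["AccessKeyId"])
    config.set(profile, "aws_secret_access_key", creds["SecretAccessKey"])
    config.set(profile, "aws_session_token", creds["SessionToken"])
    # Create the file readable by the owner only; it holds live secrets.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        config.write(handle)
    os.chmod(path, 0o600)  # tighten a pre-existing file too
```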