Menu
AWS CodeCommit
User Guide (API Version 2015-04-13)

Troubleshooting AWS CodeCommit

The following information might help you troubleshoot common issues in AWS CodeCommit.

Topics

Access Error: Prompted for AWS User Name When Connecting to an AWS CodeCommit Repository

Problem: When you try to use Git to communicate with an AWS CodeCommit repository, a message appears prompting you for your AWS user name.

Possible fixes: Configure your AWS profile or make sure the profile you are using is the one you configured for working with AWS CodeCommit. For more information about setting up, see Setting Up . For more information about IAM, access keys, and secret keys, see Managing Access Keys for IAM Users and How Do I Get Credentials?.

Access Error: Prompted for User Name and Password When Connecting to an AWS CodeCommit Repository from Windows

Problem: When you try to use Git to communicate with an AWS CodeCommit repository, you see a pop-up dialog box asking for your user name and password.

Possible fixes: This might be the built-in credential management system for Windows. It is not compatible with the credential helper for AWS CodeCommit. Choose Cancel.

This might also be an indication that you installed the Git Credential Manager as part of installing Git for Windows. The Git Credential Manager is not compatible with AWS CodeCommit. Consider uninstalling it.

For more information, see For HTTPS Connections on Windows with the AWS CLI Credential Helper and Git for Windows: I Installed Git for Windows, but I Am Denied Access to My Repository (403).

Access Error: Public Key Denied When Connecting to an AWS CodeCommit Repository

Problem: When you try to use an SSH endpoint to communicate with an AWS CodeCommit repository, an error message appears containing the phrase Error: public key denied.

Possible fixes: Configure a public and private SSH key pair, and then associate the public key with your IAM user. For more information about configuring SSH, see For SSH Connections on Linux, macOS, or Unix and For SSH Connections on Windows.

Access Error: Public Key Is Uploaded Successfully to IAM but Connection Fails on Linux, macOS, or Unix Systems

Problem: When you try to connect to an SSH endpoint to communicate with an AWS CodeCommit repository, either when testing the connection or cloning a repository, the connection fails or is refused.

Possible fixes: The SSH Key ID assigned to your public key in IAM might not be associated with your connection attempt. You might not have configured a config file, you might not have access to the configuration file, another setting might be preventing a successful read of the config file, or you might have provided the ID of the IAM user instead of the key ID.

The SSH Key ID can be found in the IAM console in the profile for your IAM user:


        The SSH Key ID in the IAM console

Try testing the connection with the following command:

Copy
ssh Your-SSH-Key-ID@git-codecommit.us-east-2.amazonaws.com

If you see a success message after confirming the connection, your SSH Key ID is valid. Edit your config file to associate your connection attempts with your public key in IAM. If you do not want to edit your config file for some reason, you can preface all connection attempts to your repository with your SSH Key ID. For example, if you wanted to clone a repository named MyDemoRepo without modifying your config file to associate your connection attempts, you would type the following command:

Copy
git clone ssh://Your-SSH-Key-ID@git-codecommit.us-east-2.amazonaws.com/v1/repos/MyDemoRepo my-demo-repo

For more information, see For SSH Connections on Linux, macOS, or Unix.

Access Error: Public Key Is Uploaded Successfully to IAM and SSH Tested Successfully but Connection Fails on Windows Systems

Problem: When you try to use an SSH endpoint to clone or communicate with an AWS CodeCommit repository, an error message appears containing the phrase No supported authentication methods available.

Possible fixes: The most common reason for this error is that you have a Windows system environment variable set that directs Windows to use another program when you attempt to use SSH. For example, you might have set a GIT_SSH variable to point to one of the PuTTY set of tools (plink.exe). This might be a legacy configuration, or it might be necessary for one or more other programs installed on your computer. If you are sure that this environment variable is not needed, you can remove it by opening your system properties and deleting the environment variable.

To work around this issue, open a Bash emulator and then try your SSH connection again, but include GIT_SSH_COMMAND="SSH" as a prefix. For example, to clone a repository using SSH:

Copy
GIT_SSH_COMMAND="ssh" git clone ssh://git-codecommit.us-east-2.amazonaws.com/v1/repos/MyDemoRepo my-demo-repo

A similar problem might occur if your version of Windows requires that you include the SSH Key ID as part of the connection string when connecting using SSH at the Windows command line. Try your connection again, this time including the SSH Key ID copied from IAM as part of the command. For example:

Copy
git clone ssh://Your-SSH-Key-ID@git-codecommit.us-east-2.amazonaws.com/v1/repos/MyDemoRepo my-demo-repo

Access Error: Encryption Key Access Denied for an AWS CodeCommit Repository from the Console or the AWS CLI

Problem: When you try to access AWS CodeCommit from the console or the AWS CLI, an error message appears containing the phrase EncryptionKeyAccessDeniedException or User is not authorized for the KMS default master key for CodeCommit 'aws/codecommit' in your account.

Possible fixes: The most common cause for this error is that your AWS account is not subscribed to AWS Key Management Service, which is required for AWS CodeCommit. Open the IAM console, choose Encryption Keys, and then choose Get Started Now. If you see a message that you are not currently subscribed to the AWS Key Management Service service, follow the instructions on that page to subscribe. For more information about AWS CodeCommit and AWS Key Management Service, see AWS KMS and Encryption.

Authentication Challenge: Authenticity of Host Can't Be Established When Connecting to an AWS CodeCommit Repository

Problem: When you try to use an SSH endpoint to communicate with an AWS CodeCommit repository, a warning message appears containing the phrase The authenticity of host 'host-name' can't be established.

Possible fixes: Your credentials might not be set up correctly. Follow the instructions in For SSH Connections on Linux, macOS, or Unix or For SSH Connections on Windows.

If you have followed those steps and the problem persists, someone might be attempting a man-in-the-middle attack. When you see the following message, type no, and press Enter.

Copy
Are you sure you want to continue connecting (yes/no)?

Make sure the fingerprint and public key for AWS CodeCommit connections match those documented in the SSH setup topics before you continue with the connection.

Configuration Error: Cannot Configure AWS CLI Credentials on macOS

Problem: When you run aws configure to configure the AWS CLI, you see a ConfigParseError message.

Possible fixes: The most common cause for this error is that a credentials file already exists. Browse to ~/.aws and look for a file named credentials. Rename or delete that file, and then run aws configure again.

Console Error: Cannot Browse the Code in an AWS CodeCommit Repository from the Console

Problem: When you try to browse the contents of a repository from the console, an error message appears denying access.

Possible fixes: The most common cause for this error is that an IAM policy applied to your AWS account denies one or more of the permissions required for browsing code from the AWS CodeCommit console. For more information about AWS CodeCommit access permissions and browsing, see Access Permissions Reference.

Git Credentials for AWS CodeCommit: I Keep Seeing a Prompt for Credentials When Connecting to My AWS CodeCommit Repository at the Terminal or Command Line

Problem: When you try to push, pull, or otherwise interact with an AWS CodeCommit repository from the terminal or command line, you are prompted to provide a user name and password, and you must supply the Git credentials for your IAM user.

Possible fixes: The most common causes for this error are that your local computer is running an operating system that does not support credential management, or it does not have a credential management utility installed, or the Git credentials for your IAM user have not been saved to one of these credential management systems. Depending on your operating system and local environment, you might need to install a credential manager, configure the credential manager that is included in your operating system, or customize your local environment to use credential storage. For example, if your computer is running macOS, you can use the Keychain Access utility to store your credentials. If your computer is running Windows, you can use the Git Credential Manager that is installed with Git for Windows. For more information, see For HTTPS Users Using Git Credentials and Credential Storage in the Git documentation.

Git Error: error: RPC failed; result=56, HTTP code = 200 fatal: The remote end hung up unexpectedly

Problem: When pushing a large change, a large number of changes, or a large repository, long-running HTTPS connections are often terminated prematurely due to networking issues or firewall settings.

Possible fixes: Push with SSH instead, or when migrating a large repository, follow the steps in Migrate a Repository in Increments.

Git Error: Too many reference update commands

Problem: The maximum number of reference updates per push is 4,000. This error appears when the push contains more than 4,000 reference updates.

Possible fixes: Try pushing branches and tags individually with git push --all and git push --tags. If you have too many tags, split the tags into multiple pushes. For more information, see Limits.

Git Error: push via HTTPS is broken in some versions of Git

Problem: An issue with the curl update to 7.41.0 causes SSPI-based digest authentication to fail. Known affected versions of Git include 1.9.5.msysgit.1.

Possible fixes: Check your version of Git for known issues or use an earlier or later version. For more information about mysysgit, see Push to HTTPS Is Broken in the GitHub forums.

Git Error: 'gnutls_handshake() failed'

Problem: In Linux, when you try to use Git to communicate with an AWS CodeCommit repository, an error message appears containing the phrase error: gnutls_handshake() failed.

Possible fixes: Compile Git against OpenSSL. For one approach, see "Error: gnutls_handshake() failed" When Connecting to HTTPS Servers in the Ask Ubuntu forums.

Alternatively, use SSH instead of HTTPS to communicate with AWS CodeCommit repositories.

Git Error: Git cannot find the AWS CodeCommit repository or does not have permission to access the repository

Problem: A trailing slash in the connection string can cause connection attempts to fail.

Possible fixes: Make sure that you have provided the correct name and connection string for the repository, and that there are no trailing slashes. For more information, see Connect to a Repository.

Git on Windows: No Supported Authentication Methods Available (publickey)

Problem: After you configure SSH access for Windows, you see an access denied error when you attempt to use commands such as git pull, git push, or git clone.

Possible fixes: The most common cause for this error is that a GIT_SSH environment variable exists on your computer and is configured to support another connection utility, such as PuTTY. To fix this problem, try one of the following:

  • Open a Bash emulator and add the GIT_SSH_COMMAND="ssh" parameter before the Git command. For example, if you are attempting to clone a repository, instead of typing git clone ssh://git-codecommit.us-east-2.amazonaws.com/v1/repos/MyDemoRepo my-demo-repo, type:

    Copy
    GIT_SSH_COMMAND="ssh" git clone ssh://git-codecommit.us-east-2.amazonaws.com/v1/repos/MyDemoRepo my-demo-repo

  • Rename or delete the GIT_SSH environment variable if you are no longer using it. Then open a new command prompt or Bash emulator session, and try your command again.

Git on Windows: Bash Emulator or Command Line Freezes When Attempting to Connect Using SSH

Problem: After you configure SSH access for Windows and confirm connectivity at the command line or terminal, you see a message that the server's host key is not cached in the registry, and the prompt to store the key in the cache is frozen (does not accept y/n/return input) when you attempt to use commands such as git pull, git push, or git clone at the command prompt or Bash emulator.

Possible fixes: The most common cause for this error is that your Git environment is configured to use something other than OpenSSH for authentication (probably PuTTY). This is known to cause problems with the caching of keys in some configurations. To fix this problem, try one of the following:

  • Open a Bash emulator and add the GIT_SSH_COMMAND="ssh" parameter before the Git command. For example, if you are attempting to push to a repository, instead of typing git push, type:

    Copy
    GIT_SSH_COMMAND="ssh" git push

  • If you have PuTTY installed, open PuTTY, and in Host Name (or IP address), type the AWS CodeCommit endpoint you want to reach (for example, git-codecommit.us-east-2.amazonaws.com). Choose Open. When prompted by the PuTTY Security Alert, choose Yes to permanently cache the key.

  • Rename or delete the GIT_SSH environment variable if you are no longer using it. Then open a new command prompt or Bash emulator session, and try your command again.

For other solutions, see Git clone/pull continually freezing at Store key in cache on Stack Overflow.

IAM Error: 'Invalid format' when attempting to add a public key to IAM

Problem: In IAM, when attempting to set up to use SSH with AWS CodeCommit, an error message appears containing the phrase Invalid format when you attempt to add your public key.

Possible fixes: IAM accepts public keys in the OpenSSH format only. If you provide your public key in another format, or if the key does not contain the required number of bits, you will see this error. This problem most commonly occurs when the public/private key pairs are generated on Windows computers. To generate a key pair and copy the OpenSSH format required by IAM, see SSH and Windows: Set Up the Public and Private Keys for Git and AWS CodeCommit.

Git for macOS: I Configured the Credential Helper Successfully, but Now I Am Denied Access to My Repository (403)

Problem: On macOS, the credential helper does not seem to access or use your credentials as expected. This can be caused by two different problems:

  • The AWS CLI is configured for a different AWS region than the one where the repository exists.

  • The Keychain Access utility has saved credentials which have since expired.

Possible fixes: To verify whether the AWS CLI is configured for the correct region, run the aws configure command, and review the displayed information. If the AWS CodeCommit repository is in a different region than the one shown for the AWS CLI, you must run the aws configure command and change the values to the appropriate ones for that region. For more information, see Step 1: Initial Configuration for AWS CodeCommit.

The default version of Git released on OS X and macOS uses the Keychain Access utility to save generated credentials. For security reasons, the password generated for access to your AWS CodeCommit repository is temporary, so the credentials stored in the keychain will stop working after about 15 minutes. If you are only accessing Git with AWS CodeCommit, try the following:

  1. Using Terminal, determine where Git is installed on the local machine:

    Copy
    $ which git /usr/local/git/bin/git
  2. Find your Git configuration file. You can use the Finder utility or you can use the find command with superuser permissions (for example, $ sudo find ~ -name ".gitconfig"). Edit the Git config file:

    Copy
    $ nano /usr/local/git/etc/gitconfig
  3. Comment out the following line of text:

    Copy
    # helper = osxkeychain

If, however, you are accessing other repositories with Git, you can configure the Keychain Access utility so that it does not supply credentials for your AWS CodeCommit repositories. To configure the Keychain Access utility:

  1. Open the Keychain Access utility. (You can use Finder to locate it.)

  2. Search for git-codecommit.us-east-2.amazonaws.com. Highlight the row, open the context (right-click) menu, and then choose Get Info.

  3. Choose the Access Control tab.

  4. In Confirm before allowing access, choose git-credential-osxkeychain, and then choose the minus sign to remove it from the list.

    Note

    After removing git-credential-osxkeychain from the list, you will see a pop-up dialog box whenever you run a Git command. Choose Deny to continue. If you find the pop-ups too disruptive, here are some alternatives:

    • Connect to AWS CodeCommit using SSH instead of HTTPS. For more information, see For SSH Connections on Linux, macOS, or Unix.

    • In the Keychain Access utility, on the Access Control tab for git-codecommit.us-east-2.amazonaws.com, choose the Allow all applications to access this item (access to this item is not restricted) option. This will prevent the pop-ups, but the credentials will eventually expire (on average, this takes about 15 minutes) and you will see a 403 error message. When this happens, you must delete the keychain item in order to restore functionality.

    • Install a version of Git that does not use the keychain by default.

    • Consider a scripting solution for deleting the keychain item. To view a community-generated sample of a scripted solution, see Mac OS X Script to Periodically Delete Cached Credentials in the OS X Certificate Store in Product and Service Integrations.

Git for Windows: I Installed Git for Windows, but I Am Denied Access to My Repository (403)

Problem: On Windows, the credential helper does not seem to access or use your credentials as expected. This can be caused by different problems:

  • The AWS CLI is configured for a different AWS region than the one where the repository exists.

  • By default, Git for Windows installs a Git Credential Manager utility that is not compatible with AWS CodeCommit connections that use the AWS credential helper. When installed, it will cause connections to repository to fail even thought the credential helper has been installed with the AWS CLI and configured for connections to AWS CodeCommit.

  • Some versions of Git for Windows might not be in full compliance with RFC 2617 and RFC 4559, which could potentially cause issues with both Git credentials and the credential helper included with the AWS CLI. For more information, see Version 2.11.0(3) does not ask for username/password.

Possible fixes:

  • If you are attempting to use the credential helper included with the AWS CLI, consider connecting with Git credentials over HTTPS instead of using the credential helper. Git credentials configured for your IAM user are compatible with the Git Credential Manager for Windows, unlike the credential helper for AWS CodeCommit. For more information, see For HTTPS Users Using Git Credentials.

    If you want to use the credential helper, to verify whether the AWS CLI is configured for the correct region, run the aws configure command, and review the displayed information. If the AWS CodeCommit repository is in a different region than the one shown for the AWS CLI, you must run the aws configure command and change the values to the appropriate ones for that region. For more information, see Step 1: Initial Configuration for AWS CodeCommit.

  • If possible, uninstall and reinstall Git for Windows. When installing Git for Windows, clear the check box for the option for installing the Git Credential Manager utility. This credential manager is not compatible with the credential helper for AWS CodeCommit. If you installed the Git Credential Manager or another credential management utility and you do not want to uninstall it, you can modify your .gitconfig file and add specific credential management for AWS CodeCommit:

    1. Open Control Panel, choose Credential Manager, and remove any stored credentials for AWS CodeCommit.

    2. Open your .gitconfig file in any plain-text editor, such as Notepad.

      Note

      If you work with multiple Git profiles, you might have both local and global .gitconfig files. Be sure to edit the appropriate file.

    3. Add the following section to your .gitconfig file:

      Copy
      [credential "https://git-codecommit.*.amazonaws.com"] helper = !aws codecommit credential-helper $@ UseHttpPath = true
    4. Save the file, and then open a new command line session before you attempt to connect again.

    You can also use this approach if you want to use the credential helper for AWS CodeCommit when connecting to AWS CodeCommit repositories and another credential management system when connecting to other hosted repositories, such as GitHub repositories.

    To reset which credential helper is used as the default, you can use the --system option instead of --global or --local when running the git config command.

  • If you are using Git credentials on a Windows computer, you can try to work around any RFC noncompliance issues by including your Git credential user name as part of the connection string. For example, to work around the issue and clone a repository named MyDemoRepo in the US East (Ohio) region:

    Copy
    git clone https://Your-Git-Credential-Username@git-codecommit.us-east-2.amazonaws.com/v1/repos/MyDemoRepo my-demo-repo

    Note

    This approach will not work if you have an @ character in your Git credentials username. You must URL encode (also known as URL escaping or percent-encoding) the character before it will work.

Trigger Error: A Repository Trigger Does Not Run When Expected

Problem: One or more triggers configured for a repository does not appear to run or does not run as expected.

Possible fixes: If the target of the trigger is a AWS Lambda function, make sure you have configured the function's resource policy for access by AWS CodeCommit. For more information, see Create a Policy for AWS Lambda Integration.

Alternatively, edit the trigger and make sure the events for which you want to trigger actions have been selected and that the branches for the trigger include the branch where you want to see responses to actions. Try changing the settings for the trigger to All repository events and All branches and then testing the trigger. For more information, see Edit Triggers for a Repository.

Turn on Debugging

Problem: I want to turn on debugging to get more information about my repository and how Git is executing commands.

Possible fixes: Try the following:

  1. At the terminal or command prompt, run the following commands on your local machine before running Git commands:

    On Linux, macOS, or Unix:

    Copy
    export GIT_TRACE_PACKET=1 export GIT_TRACE=1 export GIT_CURL_VERBOSE=1

    On Windows:

    Copy
    set GIT_TRACE_PACKET=1 set GIT_TRACE=1 set GIT_CURL_VERBOSE=1

    Note

    Setting GIT_CURL_VERBOSE is useful for HTTPS connections only. SSH does not use the libcurl library.

  2. To get more information about your Git repository, create a shell script similar to the following, and then run the script:

    Copy
    #!/bin/sh gc_output=`script -q -c 'git gc' | grep Total` object_count=$(echo $gc_output | awk -F ' |\(|\)' '{print $2}') delta_count=$(echo $gc_output | awk -F ' |\(|\)' '{print $5}') verify_pack_output=`git verify-pack -v objects/pack/pack-*.pack .git/objects/pack/pack-*.pack 2>/dev/null` largest_object=$(echo "$verify_pack_output" | grep blob | sort -k3nr | head -n 1 | awk '{print $3/1024" KiB"}') largest_commit=$(echo "$verify_pack_output" | grep 'tree\|commit\|tag' | sort -k3nr | head -n 1 | awk '{print $3/1024" KiB"}') longest_delta_chain=$(echo "$verify_pack_output" | grep chain | tail -n 1 | awk -F ' |:' '{print $4}') branch_count=`git branch -a | grep remotes/origin | grep -v HEAD | wc -l` if [ $branch_count -eq 0 ]; then branch_count=`git branch -l | wc -l` fi echo "Size: `git count-objects -v | grep size-pack | awk '{print $2}'` KiB" echo "Branches: $branch_count" echo "Tags: `git show-ref --tags | wc -l`" echo "Commits: `git rev-list --all | wc -l`" echo "Objects: $object_count" echo "Delta objects: $delta_count" echo "Largest blob: $largest_object" echo "Largest commit/tag/tree: $largest_commit" echo "Longest delta chain: $longest_delta_chain"
  3. If these steps do not provide enough information for you to resolve the issue on your own, ask for help on the AWS CodeCommit forum. Be sure to include relevant output from these steps in your post.

On this page: