AWS CodeCommit
User Guide (API Version 2015-04-13)

Authentication and Access Control for AWS CodeCommit

Access to AWS CodeCommit requires credentials. Those credentials must have permissions to access AWS resources, such as CodeCommit repositories, and your IAM user, which you use to manage your Git credentials or the SSH public key that you use for making Git connections. The following sections provide details on how you can use AWS Identity and Access Management (IAM) and CodeCommit to help secure access to your resources:


Because CodeCommit repositories are Git-based and support the basic functionality of Git, including Git credentials, we recommend that you use an IAM user when working with CodeCommit. You can access CodeCommit with other identity types, but the other identity types are subject to limitations, as described below.

Identity types:

  • IAM user – An IAM user is simply an identity within your AWS account that has specific custom permissions. For example, an IAM user can have permissions to create and manage Git credentials for accessing CodeCommit repositories. This is the recommended user type for working with CodeCommit. You can use an IAM user name and password to sign in to secure AWS webpages like the AWS Management Console, AWS Discussion Forums, or the AWS Support Center.

    You can generate Git credentials or associate SSH public keys with your IAM user. These are the easiest ways to set up Git to work with your CodeCommit repositories. With Git credentials, you generate a static user name and password in IAM. You then use these credentials for HTTPS connections with Git and any third-party tool that supports Git user name and password authentication. With SSH connections, you create public and private key files on your local machine that Git and CodeCommit use for SSH authentication. You associate the public key with your IAM user, and you store the private key on your local machine.

    In addition, you can generate access keys for each user. Use access keys when you access AWS services programmatically, either through one of the AWS SDKs or by using the AWS Command Line Interface (AWS CLI). The SDK and CLI tools use the access keys to cryptographically sign your requests. If you don’t use the AWS tools, you must sign the requests yourself. CodeCommit supports Signature Version 4, a protocol for authenticating inbound API requests. For more information about authenticating requests, see Signature Version 4 Signing Process in the AWS General Reference.

  • AWS account root user – When you sign up for AWS, you provide an email address and password that is associated with your AWS account. These are your root credentials, and they provide complete access to all of your AWS resources. Certain CodeCommit features are not available for root account users. In addition, the only way to use Git with your root account is to configure the AWS credential helper, which is included with the AWS CLI. You cannot use Git credentials or SSH public-private key pairs with your root account user. For these reasons, we do not recommend using your root account user when interacting with CodeCommit.


    For security reasons, we recommend that you use the root credentials only to create an administrator user, which is an IAM user with full permissions to your AWS account. Then, you can use this administrator user to create other IAM users and roles with limited permissions. For more information, see IAM Best Practices and Creating an Admin User and Group in the IAM User Guide.

  • IAM role – Like an IAM user, an IAM role is an IAM identity that you can create in your account to grant specific permissions. It is similar to an IAM user, but it is not associated with a specific person. Unlike an IAM user identity, you cannot use Git credentials or SSH keys with this identity type. However, an IAM role enables you to obtain temporary access keys that you can use to access AWS services and resources. IAM roles with temporary credentials are useful in the following situations:

    • Federated user access – Instead of creating an IAM user, you can use preexisting user identities from AWS Directory Service, your enterprise user directory, or a web identity provider. These are known as federated users. AWS assigns a role to a federated user when access is requested through an identity provider. For more information about federated users, see Federated Users and Roles in the IAM User Guide.


      You cannot use Git credentials or SSH public-private key pairs with federated users. In addition, user preferences are not available for federated users.

    • Cross-account access – You can use an IAM role in your account to grant another AWS account permissions to access your account’s resources. For an example, see Tutorial: Delegate Access Across AWS Accounts Using IAM Roles in the IAM User Guide.

    • AWS service access – You can use an IAM role in your account to grant an AWS service permissions to access your account’s resources. For example, you can create a role that allows AWS Lambda to access a CodeCommit repository on your behalf. For more information, see Creating a Role to Delegate Permissions to an AWS Service in the IAM User Guide.

    • Applications running on Amazon EC2 – Instead of storing access keys within an EC2 instance for use by applications running on the instance and for making AWS API requests, you can use an IAM role to manage temporary credentials for these applications. To assign an AWS role to an EC2 instance and make it available to all of its applications, you can create an instance profile that is attached to the instance. An instance profile contains the role and enables programs running on the EC2 instance to get temporary credentials. For more information, see Using Roles for Applications on Amazon EC2 in the IAM User Guide.

Access Control

You can have valid credentials to authenticate your requests, but unless you have permissions you cannot create or access CodeCommit resources. For example, you must have permissions to view repositories, push code, create and manage Git credentials, and so on.

The following sections describe how to manage permissions for CodeCommit. We recommend that you read the overview first.