AWS CodeCommit is no longer available to new customers. Existing customers of
AWS CodeCommit can continue to use the service as normal.
Learn more"
Using AWS CodeCommit with interface VPC endpoints
If you use Amazon Virtual Private Cloud (Amazon VPC) to host your AWS resources, you can establish a private connection between your VPC and CodeCommit. You can use this connection to enable CodeCommit to communicate with your resources on your VPC without going through the public internet.
Amazon VPC is an AWS service that you can use to launch AWS resources in a virtual network that you define. With a VPC, you have control over your network settings, such as the IP address range, subnets, route tables, and network gateways. With VPC endpoints, the routing between the VPC and AWS services is handled by the AWS network, and you can use IAM policies to control access to service resources.
To connect your VPC to CodeCommit, you define an interface VPC endpoint for CodeCommit. An interface endpoint is an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported AWS service. The endpoint provides reliable, scalable connectivity to CodeCommit without requiring an internet gateway, network address translation (NAT) instance, or VPN connection. For more information, see What Is Amazon VPC in the Amazon VPC User Guide.
Note
Other AWS services that provide VPC support and integrate with CodeCommit, such as AWS CodePipeline, might not support using Amazon VPC endpoints for that integration. For example, traffic between CodePipeline and CodeCommit cannot be restricted to the VPC subnet range. Services that do support integration, such as AWS Cloud9, might require additional services such as AWS Systems Manager.
Interface VPC endpoints are powered by AWS PrivateLink, an AWS technology that
enables private communication between AWS services using an elastic network interface with
private IP addresses. For more information, see AWS PrivateLink
The following steps are for users of Amazon VPC. For more information, see Getting Started in the Amazon VPC User Guide.
Availability
CodeCommit currently supports VPC endpoints in the following AWS Regions:
-
US East (Ohio)
-
US East (N. Virginia)
-
US West (N. California)
-
US West (Oregon)
-
Europe (Ireland)
-
Europe (London)
-
Europe (Paris)
-
Europe (Frankfurt)
Europe (Stockholm)
Europe (Milan)
Africa (Cape Town)
Israel (Tel Aviv)
-
Asia Pacific (Tokyo)
-
Asia Pacific (Singapore)
-
Asia Pacific (Sydney)
-
Asia Pacific (Jakarta)
-
Middle East (UAE)
-
Asia Pacific (Seoul)
Asia Pacific (Osaka)
-
Asia Pacific (Mumbai)
-
Asia Pacific (Hyderabad)
Asia Pacific (Hong Kong)
-
South America (São Paulo)
Middle East (Bahrain)
-
Canada (Central)
-
China (Beijing)
-
China (Ningxia)
-
AWS GovCloud (US-West)
-
AWS GovCloud (US-East)
Create VPC endpoints for CodeCommit
To start using CodeCommit with your VPC, create an interface VPC endpoint for CodeCommit. CodeCommit requires separate endpoints for Git operations and for CodeCommit API operations. Depending on your business needs, you might need to create more than one VPC endpoint. When you create a VPC endpoint for CodeCommit, choose AWS Services, and in Service Name, choose from the following options:
com.amazonaws.
region
.git-codecommit: Choose this option if you want to create a VPC endpoint for Git operations with CodeCommit repositories. For example, choose this option if your users use a Git client and commands such asgit pull
,git commit
, andgit push
when they interact with CodeCommit repositories.com.amazonaws.
region
.git-codecommit-fips: Choose this option if you want to create a VPC endpoint for Git operations with CodeCommit repositories that complies with the Federal Information Processing Standard (FIPS) Publication 140-2 US government standard.Note
FIPS endpoints for Git are not available in all AWS Regions. For more information, see Git connection endpoints.
com.amazonaws.
region
.codecommit: Choose this option if you want to create a VPC endpoint for CodeCommit API operations. For example, choose this option if your users use the AWS CLI, the CodeCommit API, or the AWS SDKs to interact with CodeCommit for operations such asCreateRepository
,ListRepositories
, andPutFile
.com.amazonaws.
region
.codecommit-fips: Choose this option if you want to create a VPC endpoint for CodeCommit API operations that complies with the Federal Information Processing Standard (FIPS) Publication 140-2 US government standard.Note
FIPS endpoints are not available in all AWS Regions. For more information, see the entry for AWS CodeCommit in Federal Information Processing Standard (FIPS) 140-2 Overview
.
Create a VPC endpoint policy for CodeCommit
You can create a policy for Amazon VPC endpoints for CodeCommit in which you can specify:
The principal that can perform actions.
The actions that can be performed.
The resources that can have actions performed on them.
For example, a company might want to restrict access to repositories to the network
address range for a VPC. You can view an example of this kind of policy here: Example 3: Allow a user
connecting from a specified IP address range access to a repository . The company configured two Git VPC
endpoints for the US East (Ohio) region:
com.amazonaws.us-east-2.codecommit
and
com-amazonaws.us-east-2.git-codecommit-fips
. They want to allow code
pushes to a CodeCommit repository named MyDemoRepo
only on the
FIPS-compliant endpoint only. To enforce this, they would configure a policy similar to
the following on the com.amazonaws.us-east-2.codecommit
endpoint that
specifically denies Git push actions:
{ "Statement": [ { "Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*" }, { "Action": "codecommit:GitPush", "Effect": "Deny", "Resource": "arn:aws:codecommit:us-east-2:
123456789012
:MyDemoRepo
", "Principal": "*" } ] }
Important
The global condition key aws:VpcSourceIp
is not supported CodeCommit
repositories in IAM policies for git push
commands.
For more information, see Creating an Interface Endpoint in the Amazon VPC User Guide.