Connecting to AWS CodeCommit repositories with rotating credentials - AWS CodeCommit

Connecting to AWS CodeCommit repositories with rotating credentials

You can give users access to your AWS CodeCommit repositories without configuring IAM users for them or using an access key and secret key. Instead of creating an IAM user, you can use existing identities from AWS Directory Service, your enterprise user directory, or a web identity provider. These are known as federated users. AWS assigns a role to a federated user when access is requested through an identity provider. For more information about federated users, see Federated users and roles in the IAM User Guide. You can also configure role-based access for IAM users to access CodeCommit repositories in separate AWS accounts (a technique known as cross-account access). For a walkthrough of configuring cross-account access to a repository, see Configure cross-account access to an AWS CodeCommit repository using roles.

You can configure access for users who want or must authenticate through methods such as:

  • Security Assertion Markup Language (SAML)

  • Multi-factor authentication (MFA)

  • Federation

  • Login with Amazon

  • Amazon Cognito

  • Facebook

  • Google

  • OpenID Connect (OIDC)-compatible identity provider


The following information applies only to the use of git-remote-codecommit or the AWS CLI credential helper to connect to CodeCommit repositories. Because the recommended approach for temporary or federated access to CodeCommit is to set up git-remote-codecommit, this topic provides examples using that utility. For more information, see Setup steps for HTTPS connections to AWS CodeCommit with git-remote-codecommit.

You cannot use SSH or Git credentials and HTTPS to connect to CodeCommit repositories with rotating or temporary access credentials.

You do not need to complete these steps if all of the following requirements are true:

Amazon EC2 instances that meet the preceding requirements are already set up to communicate temporary access credentials to CodeCommit on your behalf.


You can configure and use git-remote-codecommit on Amazon EC2 instances.

To give users temporary access to your CodeCommit repositories, complete the following steps.

Step 1: Complete the prerequisites

Complete the setup steps to provide a user with access to your CodeCommit repositories using rotating credentials:

Use the information in Authentication and access control for AWS CodeCommit to specify the CodeCommit permissions you want to grant the user.

Step 2: Get role name or access credentials

If you want your users to access repositories by assuming a role, provide your users with the Amazon Resource Name (ARN) of that role. Otherwise, depending on the way you set up access, your user can get rotating credentials in one of the following ways:

Step 3: Install git-remote-codecommit and configure the AWS CLI

You must configure your local computer to use the access credentials by installing git-remote-codecommit and configuring a profile in the AWS CLI.

  1. Follow the instructions in Setting up to set up the AWS CLI. Use the aws configure command to configure one or more profiles. Consider creating a named profile to use when you connect to CodeCommit repositories using rotating credentials.

  2. You can associate the credentials with the user's AWS CLI named profile in one of the following ways.

    • If you are assuming a role to access CodeCommit, configure a named profile with the information required to assume that role. For example, if you want to assume a role named CodeCommitAccess in the AWS account 111111111111, you can configure a default profile to use when working with other AWS resources and a named profile to use when assuming that role. The following commands create a named profile named CodeAccess that assumes a role named CodeCommitAccess. The user name Maria Garcia is associated with the session and the default profile is set as the source of its AWS credentials:

      aws configure set role_arn arn:aws:iam:::111111111111:role/CodeCommitAccess --profile CodeAccess aws configure set source_profile default --profile CodeAccess aws configure set role_session_name "Maria Garcia" --profile CodeAccess

      If you want to verify the changes, manually view or edit the ~/.aws/config file (for Linux) or the\config file (for Windows) and review the information under the named profile. For example, your file might look similar to the following:

      [default] region = us-east-1 output = json [profile CodeAccess] source_profile = default role_session_name = Maria Garcia role_arn = arn:aws:iam:::111111111111:role/CodeCommitAccess

      After you have configured your named profile, you can then clone CodeCommit repositories with the git-remote-codecommit utility using the named profile. For example, to clone a repository named MyDemoRepo:

      git clone codecommit://CodeAccess@MyDemoRepo
    • If you are using web identity federation and OpenID Connect (OIDC), configure a named profile that makes the AWS Security Token Service (AWS STS) AssumeRoleWithWebIdentity API call on your behalf to refresh temporary credentials. Use the aws configure set command or manually edit the ~/.aws/credentials file (for Linux) or the\credentials file (for Windows) to add an AWS CLI named profile with the required setting values. For example, to create a profile that assumes the CodeCommitAccess role and uses a web idenity token file ~/my-credentials/my-token-file:

      [CodeCommitWebIdentity] role_arn = arn:aws:iam:::111111111111:role/CodeCommitAccess web_identity_token_file=~/my-credentials/my-token-file role_session_name = Maria Garcia

    For more information, see Configuring the AWS Command Line Interface and Using an IAM Role in the AWS CLI in the AWS Command Line Interface User Guide.

Step 4: Access the CodeCommit repositories

Assuming your user has followed the instructions in Connect to a repository to connect to the CodeCommit repositories, the user then uses the extended functionality provided by git-remote-codecommit and Git to call git clone, git push, and git pull to clone, push to, and pull from, the CodeCommit repositories to which he or she has access. For example, to clone a repository:

git clone codecommit://CodeAccess@MyDemoRepo

Git commit, push, and pull commands use regular Git syntax.

When the user uses the AWS CLI and specifies the AWS CLI named profile associated with the rotating access credentials, results scoped to that profile are returned.