AWS CodeCommit
User Guide (API Version 2015-04-13)

Temporary Access to AWS CodeCommit Repositories

You can allow users temporary access to your AWS CodeCommit repositories. For example, you might do this to allow IAM users to access AWS CodeCommit repositories in separate AWS accounts (a technique known as cross-account access). For a walkthrough of configuring cross-account access to a repository, see Configure Cross-Account Access to an AWS CodeCommit Repository.

You can also configure access for users who want or must authenticate through methods such as:

  • Security Assertion Markup Language (SAML)

  • Multi-factor authentication (MFA)

  • Federation

  • Login with Amazon

  • Amazon Cognito

  • Facebook

  • Google

  • OpenID Connect (OIDC)-compatible identity provider


The following information applies only to the use of the AWS CLI credential helper to connect to AWS CodeCommit repositories. You cannot use SSH or Git credentials and HTTPS to connect to AWS CodeCommit repositories with temporary access credentials.

To give users temporary access to your AWS CodeCommit repositories, complete the following steps.

Do not complete these steps if all of the following requirements are true:

Amazon EC2 instances that meet the preceding requirements are already set up to communicate temporary access credentials to AWS CodeCommit on your behalf.

Step 1: Complete the Prerequisites

Complete the setup steps to provide a user with temporary access to your AWS CodeCommit repositories:

Use the information in Authentication and Access Control for AWS CodeCommit to specify the AWS CodeCommit permissions you want to temporarily grant the user.

Step 2: Get Temporary Access Credentials

Depending on the way you set up temporary access, your user can get temporary access credentials in one of the following ways:

Your user should receive a set of temporary access credentials, which include an AWS access key ID, a secret access key, and a session token. Your user should make a note of these three values because they are used in the next step.

Step 3: Configure the AWS CLI with Your Temporary Access Credentials

Your user must configure the development machine to use those temporary access credentials.

  1. Follow the instructions in Setting Up to set up the AWS CLI. Use the aws configure command to configure a profile.


    Before you continue, make sure the git config file is configured to use the AWS profile you configured in the AWS CLI.

  2. You can associate the temporary access credentials with the user's AWS CLI named profile in one of the following ways. Do not use the aws configure command.

    • In the ~/.aws/credentials file (for Linux) or the\credentials file (for Windows), add to the user's AWS CLI named profile the aws_access_key_id, aws_secret_access_key, and aws_session_token setting values:

      [CodeCommitProfileName] aws_access_key_id=TheAccessKeyID aws_secret_access_key=TheSecretAccessKey aws_session_token=TheSessionToken


    • Set the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN environment variables:

      For Linux, macOS, or Unix:

      export AWS_ACCESS_KEY_ID=TheAccessKey export AWS_SECRET_ACCESS_KEY=TheSecretAccessKey export AWS_SESSION_TOKEN=TheSessionToken

      For Windows:

      set AWS_ACCESS_KEY_ID=TheAccessKey set AWS_SECRET_ACCESS_KEY=TheSecretAccessKey set AWS_SESSION_TOKEN=TheSessionToken

    For more information, see Configuring the AWS Command Line Interface in the AWS Command Line Interface User Guide.

  3. Set up the Git credential helper with the AWS CLI named profile associated with the temporary access credentials.

    As you follow these steps, do not call the aws configure command. You already specified temporary access credentials through the credentials file or the environment variables. If you use environment variables instead of the credentials file, in the Git credential helper, specify default as the profile name.

Step 4: Access the AWS CodeCommit Repositories

Assuming your user has followed the instructions in Connect to a Repository to connect to the AWS CodeCommit repositories, the user then uses Git to call git clone, git push, and git pull to clone, push to, and pull from, the AWS CodeCommit repositories to which he or she has temporary access.

When the user uses the AWS CLI and specifies the AWS CLI named profile associated with the temporary access credentials, results scoped to that profile are returned.

If the user receives the 403: Forbidden error in response to calling a Git command or a command in the AWS CLI, it's likely the temporary access credentials have expired. The user must go back to step 2 and get a new set of temporary access credentials.