Access to AWS CodeCommit by federated users
AWS CodeCommit over HTTPS can use any credentials from the AWS CLI, including assumed role credentials. For example, you could have the following in your AWS CLI config (example taken from here):
[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadmin
source_profile = default
You would configure git to use that profile for CodeCommit repositories, and the role will be assumed for you when you push or pull a CodeCommit repo.
git config --global credential.helper '!aws --profile marketingadmin codecommit credential-helper $@'
For SAML, there's more setup to get the AWS CLI to be able to assume a role with SAML. See the AWS blog posts here and here for instructions. After following those instructions and running ./samlapi.py or ./samlapi_formauth.py, you would configure git to use the "saml" profile for CodeCommit repositories:
git config --global credential.helper '!aws --profile saml codecommit credential-helper $@'
For OSX
- Install git and AWS cli
Configure AWS cli credentials:
aws configureSetup the my-profile profile that contains a role to be assumed by modifying your ~/.aws/credentials file. Note that an admin should create this role in the AWS account that owns the CodeCommit repos and the role should put your account as a trustee and have enough CodeCommit permissions
[my-profile] role_arn = ARN_OF_THE_ROLE_TO_BE_ASSUMED source_profile = defaultDouble check your region config in ~/.aws/config :
[default] region = us-east-1
Configure git to use AWS CLI profile during clone/push/pull/etc... operations. Note the use of my-profile as the profile name to use which in turn is assuming a role as we already discuss
git config --global credential.helper '!aws --profile "my-profile" codecommit credential-helper $@'
git config --global credential.UseHttpPath true
You should be able to perform git operations against CodeCommit repos belonging to the AWS parent account using http endpoints