Set up each local CodeCommit repository clone to use a specific cross-account IAM role with git clone --config and aws codecommit credential-helper
2020-03-06 UPDATE! Amazon has released a git helper that replaces much of this article. Check this out:
https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-git-remote-codecommit.html
When I started testing AWS CodeCommit, I used the Git ssh protocol with uploaded ssh keys to provide access, because this is the Git access mode I’m most familiar with. However, using ssh keys requires each person to have an IAM user in the same AWS account as the CodeCommit Git repository.
In my personal and work AWS usage, each individual has a single IAM user in a master AWS account, and those users are granted permission to assume cross-account IAM roles to perform operations in other AWS accounts. We cannot use the ssh method to access Git repositories in other AWS accounts, as there are no IAM users in those accounts.
AWS CodeCommit comes to our rescue with an alternative https access method that supports Git Smart HTTP, and the aws-cli offers a credential-helper feature that integrates with the git client to authenticate Git requests to the CodeCommit service.
In my tests, this works perfectly with cross-account IAM roles. After the initial git clone command, there is no difference in how git is used compared to the ssh access method.
Most of the aws codecommit credential-helper examples I’ve seen suggest you set up a git config --global setting before cloning a CodeCommit repository. A couple even show how to restrict the config to AWS CodeCommit repositories only so as to not interfere with GitHub and other repositories. (See “Resources” below)
I prefer to have the configuration associated with the specific Git repositories that need it, not in the global setting file. This is possible by passing in a couple --config parameters to the git clone command.
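The following shell functions are an added example (not code from the original article) of that per-repository approach: they build the CodeCommit HTTPS URL and the credential.helper value for a given aws-cli profile, then run git clone with both --config parameters so the role binding lives in that clone's .git/config rather than in ~/.gitconfig. The region, profile name, repository name and the ~/.aws/config profile shown in the comments are assumptions; the profile must already be defined with a role_arn and source_profile for the helper to assume the cross-account role.

```shell
#!/bin/sh
# Added example, not from the original article. Assumed aws-cli profile in
# ~/.aws/config (constructed values, replace with your own):
#   [profile other-account-dev]
#   role_arn = arn:aws:iam::111111111111:role/CodeCommitDev   # placeholder
#   source_profile = default
#   region = us-east-1

# HTTPS (Git Smart HTTP) endpoint for a CodeCommit repository.
# Arguments: region, repository name.
codecommit_url() {
  printf 'https://git-codecommit.%s.amazonaws.com/v1/repos/%s\n' "$1" "$2"
}

# Value for credential.helper. The leading '!' makes git run the rest as a
# shell command and append the action (get/store/erase) to it; the trailing
# $@ is the form the AWS documentation uses. --profile selects the profile
# whose role the helper assumes, so each clone can be tied to its own role.
# Argument: aws-cli profile name.
codecommit_helper() {
  printf '!aws codecommit credential-helper --profile %s $@\n' "$1"
}

# Clone with repository-local configuration only (no git config --global).
# credential.UseHttpPath=true passes the repository path to the helper,
# which it needs to sign the request for that repository.
# Arguments: region, aws-cli profile, repository name, optional directory.
codecommit_clone() {
  region=$1 profile=$2 repo=$3 dest=${4:-$3}
  git clone \
    --config "credential.helper=$(codecommit_helper "$profile")" \
    --config credential.UseHttpPath=true \
    "$(codecommit_url "$region" "$repo")" "$dest" || return 1
  # Confirm the settings landed in .git/config, not in ~/.gitconfig.
  git -C "$dest" config --local --get credential.helper
  git -C "$dest" config --local --get credential.UseHttpPath
}
```

Usage: codecommit_clone us-east-1 other-account-dev myrepo; cloning a second repository with a different profile binds that clone to a different role without touching global git settings.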