
I have implemented identity federation for an AWS account to enable devs to use AWS services via corporate single sign-on/SAML.

All the initial reading I've done regarding AWS CodeCommit seems to require either an SSH key attached to a specific IAM user to enable that user to gain access to CodeCommit via SSH, or an Access Key ID & Secret Key combo for HTTPS access.

I can't see a way to enable a federated user (i.e. a user who can log in to AWS via an assumed role rather than as a specific IAM user) to access a CodeCommit repo. Can anybody help me? Am I missing something obvious?

The CodeCommit pricing talks about a federated user counting as an active user for pricing purposes which implies that it's possible.

Conor Boyd

2 Answers


AWS CodeCommit over HTTPS can use any credentials from the AWS CLI, including assumed role credentials. For example, you could have the following in your AWS CLI config (example taken from here):

[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadmin
source_profile = default

You would configure git to use that profile for CodeCommit repositories, and the role will be assumed for you when you push or pull a CodeCommit repo.

git config --global credential.helper '!aws --profile marketingadmin codecommit credential-helper $@'

For SAML, there's more setup to get the AWS CLI to be able to assume a role with SAML. See the AWS blog posts here and here for instructions. After following those instructions and running ./samlapi.py or ./samlapi_formauth.py, you would configure git to use the "saml" profile for CodeCommit repositories:

git config --global credential.helper '!aws --profile saml codecommit credential-helper $@'
Clare Liguori
  • +1 Great help thanks, your advice got me most of the way there. Actually needed to install the AWS Tools and run the git-credential-AWSS4.exe tool instead of your git config call to install the credential helper correctly. – Conor Boyd Nov 18 '15 at 01:16
  • when I follow the above procedure and try to execute a git clone, I am prompted for a username and password. I am unsure of which one to use. Any tips? – hynespm Nov 08 '17 at 15:56
  • Once I did ADFS SSO, I was getting prompted for a username and password too. Then I did sudo pip install git-remote-codecommit and git clone codecommit://CodeCommitProfile@MyDemoRepo my-demo-repo, which works fine. – codelogn Aug 04 '21 at 18:48

For OSX

  1. Install git and AWS cli
  2. Configure AWS cli credentials:

    aws configure
    
  3. Set up the my-profile profile that contains a role to be assumed by modifying your ~/.aws/credentials file. Note that an admin should create this role in the AWS account that owns the CodeCommit repos; the role should list your account as a trustee and have enough CodeCommit permissions.

    [my-profile]
    role_arn = ARN_OF_THE_ROLE_TO_BE_ASSUMED
    source_profile = default
    
  4. Double check your region config in ~/.aws/config :

    [default]
    region = us-east-1
    

Configure git to use the AWS CLI profile during clone/push/pull/etc. operations. Note the use of my-profile as the profile name, which in turn assumes a role as we already discussed:

 git config --global credential.helper '!aws --profile "my-profile" codecommit credential-helper $@'
 git config --global credential.UseHttpPath true

You should be able to perform git operations against CodeCommit repos belonging to the AWS parent account using the HTTP endpoints.

Bruno Bronosky
  • How do you set up the role and give the account as a trustee ? – lft93ryt Apr 21 '18 at 07:53
  • In IAM --> Roles choose "Create Role". Select "Another Account", put that trustee account id in the box. Also, don't forget to add proper permissions to this role via a Policy. For a quick test, just select the AWS managed policy "AWSCodeCommitReadOnly" (in PRD, you should limit this to the specific repos you want). –  May 20 '18 at 14:37
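Both answers above hinge on the same thing: the AWS CLI's codecommit credential-helper turns whatever credentials the chosen profile resolves to, including the temporary, session-token-bearing credentials of an assumed role, into the username/password pair git asks for. The following is an added example, not code from either answer or from the AWS CLI itself: a stdlib-only Python re-creation of what that helper does on a get request, so you can see why no IAM user key is needed. The hostname, access key, secret, session token, repository path and timestamp are constructed sample values; the real helper extracts the region from the hostname with a regex, which is simplified here to taking the second DNS label of a git-codecommit.<region>.amazonaws.com host.

```python
"""Stdlib-only re-creation of what `aws codecommit credential-helper get`
does. Added example; not the AWS CLI's own code. All credential values,
hosts and timestamps below are constructed samples."""
import hashlib
import hmac
from datetime import datetime, timezone


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def parse_git_credential_input(text: str) -> dict:
    """Parse the key=value lines git writes to a credential helper's stdin."""
    params = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            params[key] = value
    return params


def codecommit_credentials(access_key: str, secret_key: str, session_token,
                           git_params: dict, now: datetime):
    """Return (username, password) for a CodeCommit HTTPS remote, or None if
    the host is not an AWS endpoint (the helper answers nothing for other
    hosts, so git falls through to the next helper or prompts).

    username: the access key id; for temporary credentials (assumed role,
              STS/SAML session) the session token is appended after a '%',
              which is how the role session reaches the server.
    password: <timestamp>Z<SigV4 signature> over a pseudo-request with
              method GIT, the repo path, and only the host header signed.
    """
    host = git_params.get("host", "").split(":")[0]   # port is never signed
    if not (host.endswith(".amazonaws.com") or host.endswith(".amazonaws.com.cn")):
        return None
    # Assumption: host looks like git-codecommit.<region>.amazonaws.com
    region = host.split(".")[1]
    service = "codecommit"
    # git sends path=v1/repos/<name> only when credential.useHttpPath is true
    path = "/" + git_params.get("path", "")
    amz_date = now.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%S")
    date_stamp = amz_date[:8]

    canonical_request = f"GIT\n{path}\n\nhost:{host}\n\nhost\n"
    credential_scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        credential_scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])

    # Standard SigV4 key derivation: secret -> date -> region -> service -> signing key
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()

    username = access_key + ("%" + session_token if session_token else "")
    return username, f"{amz_date}Z{signature}"


def credential_helper_get(stdin_text, access_key, secret_key, session_token, now):
    """What the helper prints back to git for `get`: key=value lines, or an
    empty string (print nothing) for a non-AWS host."""
    creds = codecommit_credentials(access_key, secret_key, session_token,
                                   parse_git_credential_input(stdin_text), now)
    if creds is None:
        return ""
    username, password = creds
    return f"username={username}\npassword={password}\n"


# Constructed sample values: what git sends (with credential.useHttpPath true) for
#   git clone https://git-codecommit.us-east-1.amazonaws.com/v1/repos/MyDemoRepo
SAMPLE_GIT_INPUT = ("protocol=https\n"
                    "host=git-codecommit.us-east-1.amazonaws.com\n"
                    "path=v1/repos/MyDemoRepo\n")
SAMPLE_ACCESS_KEY = "ASIAEXAMPLEASSUMEDROLE"      # temporary key ids start with ASIA
SAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SAMPLE_SESSION_TOKEN = "FwoGZXIvYXdzEXAMPLESESSIONTOKEN"
SAMPLE_NOW = datetime(2015, 11, 18, 1, 16, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(credential_helper_get(SAMPLE_GIT_INPUT, SAMPLE_ACCESS_KEY, SAMPLE_SECRET_KEY,
                                SAMPLE_SESSION_TOKEN, SAMPLE_NOW), end="")
```

Two things worth noticing in the output. First, the "password" is a short-lived SigV4 signature, not the secret key, so nothing long-lived is ever handed to git or stored by a caching helper; with an assumed role the session token rides inside the username, which is why a federated user needs no IAM user and no SSH key. Second, the repository path is part of what gets signed, which is the reason the second answer sets credential.UseHttpPath true: without it git omits the path and the helper signs for "/" instead of the repo you are cloning.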