Why Use IAM?
AWS CodeCommit supports the traditional HTTP or SSH authentication mechanisms used with most Git deployments. Being an AWS service CodeCommit is also integrated with IAM and there are several advantages to using IAM for authentication over HTTP or SSH.
- Using HTTP or SSH authentication with CodeCommit requires those credentials configured on an IAM user in the same AWS account as the Git repo. This prevents you from following the best practice of having an account just dedicated to managing your users.
- IAM authentication provides all the robust features you are used to when managing access to AWS services, such as cross account access, federated access, require MFA or use of IAM conditionals.
- Using HTTP or SSH authentication requires yet another credential your users will have to manage. Most organizations that adopt AWS have provided their developers IAM credentials. Using those same credentials simplifies things for everyone involved.
The AWS documentation mostly focuses on using HTTP or SSH authentication and only discusses using IAM authentication when needing to support cross account or federated access. Given that, the best practice is for IAM users be in a dedicated account so that all access should be cross account access. But IAM authentication can, and should, still be used even if the IAM user is in the same account as the Git repo.
Configuring Git to use IAM Credentials
Git supports credential helpers that can be used to provide username and password information to Git when performing commands against remote repos. AWS CLI can act as a Git credential helper. This means when a Git command is performed against a remote repo the AWS CLI is called and generates a username and password to be used for that command.
Configuring Git to use the AWS CLI as a credential helper is done as follows:
git config –global credential.helper \
‘!aws codecommit credential-helper $@’
git config –global credential.UseHttpPath true
The command above assumes your default AWS Credentials profile has access to the Git repo. If that is not the case, then you can specify the “—profile <AWS CREDS PROFILE>” argument to use another profile that has access.
Access in Action
In this example I have a Git repo named demo-repo in which we will clone, commit a new file and then push the commit. I have an IAM user in a dedicated account and will be using a cross account role to access the Git repo located in another AWS account. My shared credentials file looks something like this:
aws_access_key_id = <SNIP>
aws_secret_access_key = <SNIP>
region = us-west-2
role_arn = arn:aws:iam::123456789012:role/DemoRepoAccess
source_profile = default
region = us-west-2
I can use the AWS CLI to confirm the git-access profile has access to the repo:
$ aws codecommit list-repositories –profile git-access
I’ll now configure Git to use the AWS CLI as a credential’s helper utilizing the git-access profile.
$ git config –global credential.helper \
‘!aws codecommit credential-helper \
–profile git-access $@’
$ git config –global credential.UseHttpPath true
Once this is done I can clone the repo, add a file and push the commit
$ git clone https://git-codecommit.us-west-2.amazonaws.com/v1/
Cloning into ‘demo-repo’…
remote: Counting objects: 24, done.
Unpacking objects: 100% (24/24), done.
$ cd demo-repo/
$ echo “update” > new_file.txt
$ git add new_file.txt
$ git commit -m “adding new file”
[master fff4e77] adding new file
1 file changed, 1 insertion(+)
create mode 100644 new_file.txt
$ git push
Counting objects: 3, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 289 bytes | 289.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0)
3c2c43d..fff4e77 master -> master
Contact our Cloud Services team if you are looking to implement a CI/CD pipeline on AWS. We can give you an overview of AWS DevOps services, setup a Proof of Concept and get you up and running in production quickly and efficiently.