Menu
I have implemented identity federation for an AWS account to enable devs to use AWS services via corporate single-sign on/SAML.
All the initial reading I've done regarding AWS CodeCommit seems to require either an SSH key attached to a specific IAM user to enable that user to gain access to CodeCommit via SSH, or an Access Key ID & Secret Key combo for HTTPS access.
I can't see a way to enable a federated user (i.e. a user who can log in to AWS via an assumed role rather than as a specific IAM user) to access a CodeCommit repo. Can anybody help me? Am I missing something obvious?
The CodeCommit pricing talks about a federated user counting as an active user for pricing purposes which implies that it's possible.
975
On the group summary page, choose the Users tab, and then choose Add Users to Group. On the list that shows all users associated with your Amazon Web Services account, select the boxes next to the users to whom you want to allow access to the CodeCommit repository, and then choose Add Users.
Access to AWS CodeCommit requires credentials. Those credentials must have permissions to access AWS resources, such as CodeCommit repositories, and your IAM user, which you use to manage your Git credentials or the SSH public key that you use for making Git connections.
No, unfortunately it is not currently possible to configure AWS CodeCommit repositories to be public. They can only be accessed by users setup in IAM policies and groups. Github and Bitbucket allow you to host public repositories.
To connect to a CodeCommit repositoryOpen the CodeCommit console at https://console.aws.amazon.com/codesuite/codecommit/home . In the region selector, choose the AWS Region where the repository was created. Repositories are specific to an AWS Region. For more information, see Regions and Git connection endpoints.
AWS CodeCommit over HTTPS can use any credentials from the AWS CLI, including assumed role credentials. For example, you could have the following in your AWS CLI config (example taken from here):
[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadmin
source_profile = default
You would configure git to use that profile for CodeCommit repositories, and the role will be assumed for you when you push or pull a CodeCommit repo.
git config --global credential.helper '!aws --profile marketingadmin codecommit credential-helper $@'
For SAML, there's more setup to get the AWS CLI to be able to assume a role with SAML. See the AWS blog posts here and here for instructions. After following those instructions and running ./samlapi.py or ./samlapi_formauth.py, you would configure git to use the "saml" profile for CodeCommit repositories:
git config --global credential.helper '!aws --profile saml codecommit credential-helper $@'
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
