 

Access to AWS CodeCommit by federated users

I have implemented identity federation for an AWS account to enable devs to use AWS services via corporate single sign-on/SAML.

All the initial reading I've done regarding AWS CodeCommit seems to require either an SSH key attached to a specific IAM user to enable that user to gain access to CodeCommit via SSH, or an Access Key ID & Secret Key combo for HTTPS access.

I can't see a way to enable a federated user (i.e. a user who can log in to AWS via an assumed role rather than as a specific IAM user) to access a CodeCommit repo. Can anybody help me? Am I missing something obvious?

The CodeCommit pricing talks about a federated user counting as an active user for pricing purposes which implies that it's possible.

asked Nov 16 '15 03:11



1 Answer

AWS CodeCommit over HTTPS can use any credentials from the AWS CLI, including assumed role credentials. For example, you could have the following in your AWS CLI config (example taken from here):

[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadmin
source_profile = default

You would configure git to use that profile for CodeCommit repositories, and the role will be assumed for you when you push to or pull from a CodeCommit repo.

git config --global credential.helper '!aws --profile marketingadmin codecommit credential-helper $@'

For SAML, there's more setup to get the AWS CLI to be able to assume a role with SAML. See the AWS blog posts here and here for instructions. After following those instructions and running ./samlapi.py or ./samlapi_formauth.py, you would configure git to use the "saml" profile for CodeCommit repositories:

git config --global credential.helper '!aws --profile saml codecommit credential-helper $@'
answered Sep 28 '22 06:09 by Clare Liguori
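To make concrete why the credential helper in the answer above works with assumed-role (STS) credentials and not only with an IAM user's access key, here is an added, stand-alone reimplementation of the exchange git has with `aws codecommit credential-helper`. It is example code written for this page, not the AWS CLI's own source, and in practice you should keep using the real helper; the wire format (key=value lines on stdin, `username`/`password` on stdout, a SigV4 signature over a pseudo `GIT` request, session token appended to the username after `%`) mirrors the public awscli implementation as I understand it. The access key, secret, session token, hostname and timestamp are constructed values. Note that git only sends the `path` field to a helper when `credential.UseHttpPath` is set to `true`, which is why AWS's HTTPS setup docs require that setting alongside the `credential.helper` line shown in the answer.

```python
"""Illustrative reimplementation of the Git credential-helper exchange for
AWS CodeCommit over HTTPS. Added example, not AWS CLI code; it shows how
temporary (assumed-role) credentials become Git credentials. All
credentials, hosts and timestamps here are constructed values."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Endpoint pattern used to recognise CodeCommit hosts and pull out the region
# (assumption: mirrors the pattern in the public awscli helper).
_HOST_RE = re.compile(
    r"(vpce-.+\.)?git-codecommit(-fips)?\.([^.]+)\.(vpce\.)?amazonaws\.com")


@dataclass(frozen=True)
class Credentials:
    access_key: str
    secret_key: str
    token: Optional[str] = None  # set for STS / assumed-role / federated sessions


def parse_git_credential_input(text: str) -> Dict[str, str]:
    """Parse the key=value lines git writes to a credential helper's stdin."""
    parsed: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue  # git ends the request with a blank line
        key, value = line.split("=", 1)
        parsed[key] = value
    return parsed


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_codecommit_request(creds: Credentials, region: str, host: str,
                            path: str, timestamp: str) -> str:
    """SigV4-sign a pseudo 'GIT' request; timestamp is '%Y%m%dT%H%M%S'.
    Returns the password git will send: '<timestamp>Z<hex signature>'."""
    hostname = host.split(":")[0]  # the port is not part of the signature
    canonical_request = f"GIT\n{path}\n\nhost:{hostname}\n\nhost\n"
    date = timestamp[:8]
    scope = f"{date}/{region}/codecommit/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", timestamp, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    # Standard SigV4 key derivation chain, scoped to date/region/service.
    k_date = _hmac(("AWS4" + creds.secret_key).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, "codecommit")
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()
    return f"{timestamp}Z{signature}"


def credential_helper_get(creds: Credentials, git_input: str,
                          timestamp: str) -> Optional[Dict[str, str]]:
    """Handle git's 'get' action. Returns the username/password pair git
    expects, or None for non-CodeCommit hosts (git then asks the next helper)."""
    params = parse_git_credential_input(git_input)
    match = _HOST_RE.match(params.get("host", ""))
    if match is None:
        return None
    region = match.group(3)
    # 'path' only arrives when credential.UseHttpPath is true; the repository
    # path is part of what gets signed, so the helper cannot work without it.
    path = "/" + params["path"]
    username = creds.access_key
    if creds.token is not None:
        # Temporary credentials carry the session token inside the username,
        # so an assumed role needs no long-lived Git credentials or SSH key.
        username += "%" + creds.token
    password = sign_codecommit_request(creds, region, params["host"], path,
                                       timestamp)
    return {"username": username, "password": password}


# Constructed sample of what git sends when cloning a repo in us-east-1.
SAMPLE_GIT_INPUT = ("protocol=https\n"
                    "host=git-codecommit.us-east-1.amazonaws.com\n"
                    "path=v1/repos/MyDemoRepo\n")

# Constructed, non-functional credentials shaped like an STS session.
ASSUMED_ROLE_CREDS = Credentials(
    access_key="ASIAEXAMPLEEXAMPLE01",
    secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    token="FQoGZXIvYXdzEXAMPLESESSIONTOKEN")

if __name__ == "__main__":
    result = credential_helper_get(ASSUMED_ROLE_CREDS, SAMPLE_GIT_INPUT,
                                   "20151116T031100")
    for key, value in result.items():
        print(f"{key}={value}")
```

The design point worth taking from this is that nothing long-lived is ever stored by git: the "password" is a short-lived signature bound to the date, region, repository path and the session credentials the AWS CLI fetched by assuming the role, so revoking or expiring the role session is enough to cut off repository access.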