NPM Install Failing on CodeBuild while trying to pull from private Codecommit repo

Question

One of my repo's in codecommit is trying to pull from another of my codecommit repos.

Inside the first repo's package.json there is the dependency:

"dependencies": {
      "repo-2": "git+https://git-codecommit.eu-west-1.amazonaws.com/v1/repos/repo-2.git#TAG"
}

My codebuild is throwing the error when attempting to npm install (codebuild is using nodejs12):

npm ERR! Command failed: git clone --mirror -q https://git-codecommit.eu-west-1.amazonaws.com/v1/repos/repo-2.git 
   /root/.npm/_cacache/tmp/git-clone-3d2bf4b6/.git
npm ERR! warning: templates not found in /tmp/pacote-git-template-tmp/git-clone-7cae5b66
npm ERR! 
npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2021-01-26T11_58_45_260Z-debug.log

I've made sure to give the correct permissions in my policy:

      - Sid: CodeCommitRepoAccess
        Effect: Allow
        Action:
          - codecommit:GetRepository
          - codecommit:GitPull
          - codecommit:GetFolder
        Resource: 
          - arn:aws:codecommit:eu-west-1:*
      - Sid: CodeCommitListRepos
        Effect: Allow
        Action:
          - codecommit:ListRepositories
        Resource: "*" 

And I've added in the git-credential helper in the buildspec.yaml:

env:
   git-credential-helper: yes

I'm really at a loss about why this is failing, and the error message isn't giving me any ideas of what needs fixing. Perhaps I have the missed some permissions in the policy? - but as its not a 403 error I'm not sure. I can npm install locally on my machine without any issues.

EDIT: To actually be clearer, I am trying to build from repo-1, which has a dependencies on repo-2 and repo-3. Additionally, repo-2 has a dependency on repo-3 as well. I tried running npm install without the nested private repository (removed it from the package.json as a test) but the build still failed the same way.

UPDATE: I added the line git ls-remote -h -t https://git-codecommit.eu-west-1.amazonaws.com/v1/repos/repo-2.gitto my buildspec and this correctly returns the branches/tags in repo-2, so permissions look fine.

Answer 1

Answer in case anyone has the same issue:

Adding in the following to my buildspec under the install phase solved the issue:

      - git config --global credential.helper '!aws codecommit credential-helper $@'
      - git config --global credential.UseHttpPath true

I also needed to remove the git-credential helper from my build spec:

env:
    git-credential-helper: yes

I think what what was causing the issue was that the npm install was not picking up the git-credential helper when it was set with env, but did get picked when it was set explicitly.