AWS CodeCommit using SSO
Using this method, you can quickly and easily switch between GIT repositories owned by different groups or even managed in separate AWS accounts.
- User access is controlled with federated login via AWS SSO
- You can grant access using AWS native authentication, which eliminates the need for a Git credential helper, SSH, and GPG keys.
- Allows the administrator to control access by adding or removing the user’s IAM role access
(!) This guide assumes you already have SSO access and permissions setup
There are prerequisites to be installed on the local machine.
- Python 3.6 or higher installed on the developer’s local machine.
- Git installed on your local machine.
- To download Git, see Git Downloads.
- PIP version 9.0.3 or higher installed on your local machine.
- For instructions, see Installation on the PIP website.
- AWS CLI - AWS Command Line Interface - AWS CLI v2 can easily be installed on most standard platforms:
- MacOS pkg installer
- Linux executable installer
- Windows MSI installer
- You can find more detailed installation instructions here
Enabling AWS SSO login
Enable is AWS SSO login from the AWS Command Line Interface (AWS CLI) on our local machine.
- Run the following command from the AWS CLI.
aws configure sso SSO start URL [None]: <https://mydomain-aws.awsapps.com/start> SSO region [None]: ap-southeast-2
- You’re redirected to your default browser.
- Sign in and you should see the following
- When you return to the CLI, you must choose your account. See the following code example:
There are 2 AWS accounts available to you. > DeveloperResearch, firstname.lastname@example.org (123456789123) DeveloperTrading, email@example.com (123456789444)
- Choose the account with your CodeCommit repository; e.g. Pick DeveloperResearch
DeveloperResearch, firstname.lastname@example.org (123456789123)
- Next, you see the permissions sets available to you in the account you just picked
Using the account ID 123456789123 There are 2 roles available to you. > ReadOnly CodeCommitDeveloperAccess
- Enter the following
CLI default client Region [None]: ap-southeast-2<ENTER> CLI default output format [None]: json<ENTER> CLI profile name [123456789011_ReadOnly]: DevResearch-profile<ENTER>
Repeat these steps for each AWS account you want to access.
~/user/.aws/configfile will look something like the following:-
[profile DevResearch] sso_start_url = https://domain-aws.awsapps.com/start sso_region = ap-southeast-2 sso_account_id = 123456789123 sso_role_name = DeveloperResearch region = ap-southeast-2 output = json
(i) Now that we have CLI and SSO installed and set up, we just need to install the recently released git-remote-codecommit and start working with our Git repositories!
Install git-remote-codecommit with the following code:
pip install git-remote-codecommit
Clone the code from one of your repositories. For this use case, my CodeCommit repository is named
git clone codecommit://DevResearch@aws-foo-repo aws-foo-repo Cloning into 'aws-foo-repo'... remote: Counting objects: 4597, done. Receiving objects: 100% (4597/4597), 19.84 MiB | 2.61 MiB/s, done. Resolving deltas: 100% (2910/2910), done.
You can also now perform CLI using --profile DevResearch; e.g.
aws s3 ls --profile DevResearch
You can also integrate into VisualStudio Code