Connecting to AWS CodeCommit using SSO

AWS CodeCommit using SSO

Using this method, you can quickly and easily switch between Git repositories owned by different groups or even managed in separate AWS accounts.

  • User access is controlled with federated login via AWS SSO
  • You can grant access using AWS native authentication, which eliminates the need for a Git credential helper, SSH, and GPG keys.
  • Allows the administrator to control access by adding or removing the user’s access to the IAM role

Overview

[Architecture diagram] Source: https://aws.amazon.com/blogs/devops/federated-multi-account-access-for-aws-codecommit/

(!) This guide assumes you already have SSO access and permissions set up.

Instructions

The following prerequisites must be installed on the local machine.

Prerequisites

Enabling AWS SSO login

Enable AWS SSO login from the AWS Command Line Interface (AWS CLI) on your local machine.

  1. Run the following command from the AWS CLI.
aws configure sso
SSO start URL [None]: <https://mydomain-aws.awsapps.com/start>
SSO region [None]: ap-southeast-2
  1. You’re redirected to your default browser.
    1. Sign in and you should see the following:

[Screenshot: AWS SSO sign-in confirmation page]

  1. When you return to the CLI, you must choose your account. See the following example output:
There are 2 AWS accounts available to you.
> DeveloperResearch, developer-account-admin@example.com (123456789123)
DeveloperTrading, trading-account-admin@example.com (123456789444)
  1. Choose the account that contains your CodeCommit repository, e.g. DeveloperResearch:

DeveloperResearch, (123456789123)

  1. Next, you see the permission sets available to you in the account you just picked:
Using the account ID 123456789123
There are 2 roles available to you.
> ReadOnly
CodeCommitDeveloperAccess
  1. Enter the following:
CLI default client Region [None]: ap-southeast-2<ENTER>
CLI default output format [None]: json<ENTER>
CLI profile name [123456789011_ReadOnly]: DevResearch-profile<ENTER>
  1. Repeat these steps for each AWS account you want to access.

  2. Your ~/user/.aws/config file will look something like the following:

[profile DevResearch]
sso_start_url = https://domain-aws.awsapps.com/start
sso_region = ap-southeast-2
sso_account_id = 123456789123
sso_role_name = DeveloperResearch
region = ap-southeast-2
output = json

(i) Now that we have the CLI and SSO installed and set up, we just need to install the recently released git-remote-codecommit and start working with our Git repositories!

Installing git-remote-codecommit

Install git-remote-codecommit with the following command:

pip install git-remote-codecommit

Clone the code from one of your repositories. For this use case, my CodeCommit repository is named aws-foo-repo.

git clone codecommit://DevResearch@aws-foo-repo aws-foo-repo
Cloning into 'aws-foo-repo'...
remote: Counting objects: 4597, done.
Receiving objects: 100% (4597/4597), 19.84 MiB | 2.61 MiB/s, done.
Resolving deltas: 100% (2910/2910), done.
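As an added check (example code written for this page, not part of the guide or of git-remote-codecommit): parse an AWS CLI config, confirm each profile carries the SSO keys that `aws configure sso` writes and no long-lived access keys, and build the codecommit:// clone URL used above. The config text is a constructed sample; the "legacy" profile and placeholder key values are assumptions made up to show what the audit flags.

```python
import configparser

# Keys `aws configure sso` writes, and the long-lived keys SSO should replace.
REQUIRED_SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")
STATIC_KEY_FIELDS = ("aws_access_key_id", "aws_secret_access_key")

# Constructed sample: DevResearch mirrors the guide; "legacy" is made up to show findings.
SAMPLE_CONFIG = """[profile DevResearch]
sso_start_url = https://domain-aws.awsapps.com/start
sso_region = ap-southeast-2
sso_account_id = 123456789123
sso_role_name = DeveloperResearch
region = ap-southeast-2
output = json

[profile legacy]
aws_access_key_id = PLACEHOLDER_NOT_A_REAL_KEY_ID
aws_secret_access_key = PLACEHOLDER_NOT_A_REAL_SECRET
"""

def load_profiles(text):
    """Parse AWS CLI config text into {name: {key: value}}, dropping the "profile " prefix."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    profiles = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles

def audit_profile(profile):
    """Return findings for one profile; an empty list means it is SSO-only."""
    findings = []
    missing = [k for k in REQUIRED_SSO_KEYS if k not in profile]
    if missing:
        findings.append("missing SSO keys: " + ", ".join(missing))
    static = [k for k in STATIC_KEY_FIELDS if k in profile]
    if static:
        findings.append("long-lived credentials present: " + ", ".join(static))
    return findings

def clone_url(profile_name, repo):
    """Build the URL git-remote-codecommit expects: codecommit://PROFILE@REPO."""
    return f"codecommit://{profile_name}@{repo}"

if __name__ == "__main__":
    for name, profile in load_profiles(SAMPLE_CONFIG).items():
        print(name, audit_profile(profile) or "ok", clone_url(name, "aws-foo-repo"))
```

To audit your real config, read the file contents into load_profiles() instead of SAMPLE_CONFIG.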

You can also now run AWS CLI commands using --profile DevResearch; e.g.

aws s3 ls --profile DevResearch

You can also integrate this setup with Visual Studio Code.