AWS CodeCommit using SSO

Using this method, you can quickly and easily switch between GIT repositories owned by different groups or even managed in separate AWS accounts.

• User access is controlled with federated login via AWS SSO
• You can grant access using AWS native authentication, which eliminates the need for a Git credential helper, SSH, and GPG keys.
• Allows the administrator to control access by adding or removing the user’s IAM role access

Overview

SRC: https://aws.amazon.com/blogs/devops/federated-multi-account-access-for-aws-codecommit/

(!) This guide assumes you already have SSO access and permissions setup

Instructions

There are prerequisites to be installed on the local machine.

Prerequisites

• Python 3.6 or higher installed on the developer’s local machine.
  • See the Python website.
  • For Mac OSX see the following GitHub repo.
• Git installed on your local machine.
  • To download Git, see Git Downloads.
• PIP version 9.0.3 or higher installed on your local machine.
  • For instructions, see Installation on the PIP website.
• AWS CLI - AWS Command Line Interface - AWS CLI v2 can easily be installed on most standard platforms:
• MacOS pkg installer
• Linux executable installer
• Windows MSI installer
• You can find more detailed installation instructions here
• Alternatively,
  • you can use PIP - awscli · PyPI - pip install awscli
  • or use homebrew (OSX only) - brew install awscli

Enabling AWS SSO login

Enable is AWS SSO login from the AWS Command Line Interface (AWS CLI) on our local machine.

1. Run the following command from the AWS CLI.

aws configure sso
SSO start URL [None]: <https://mydomain-aws.awsapps.com/start>
SSO region [None]: ap-southeast-2

1. You’re redirected to your default browser.
   1. Sign in and you should see the following

1. When you return to the CLI, you must choose your account. See the following code example:

There are 2 AWS accounts available to you.
> DeveloperResearch, developer-account-admin@example.com (123456789123)
DeveloperTrading, trading-account-admin@example.com (123456789444)

1. Choose the account with your CodeCommit repository; e.g. Pick DeveloperResearch

DeveloperResearch, developer-account-admin@example.com (123456789123)

1. Next, you see the permissions sets available to you in the account you just picked

Using the account ID 123456789123
There are 2 roles available to you.
> ReadOnly
CodeCommitDeveloperAccess

1. Enter the following

CLI default client Region [None]: ap-southeast-2<ENTER>
CLI default output format [None]: json<ENTER>
CLI profile name [123456789011_ReadOnly]: DevResearch-profile<ENTER>

1. Repeat these steps for each AWS account you want to access.

2. Your ~/user/.aws/config file will look something like the following:-

[profile DevResearch] sso_start_url = https://domain-aws.awsapps.com/start sso_region = ap-southeast-2 sso_account_id = 123456789123 sso_role_name = DeveloperResearch region = ap-southeast-2 output = json

(i) Now that we have CLI and SSO installed and set up, we just need to install the recently released git-remote-codecommit and start working with our Git repositories!

Installing git-remote-codecommit

Install git-remote-codecommit with the following code:

pip install git-remote-codecommit

Clone the code from one of your repositories. For this use case, my CodeCommit repository is named aws-foo-repo.

git clone codecommit://DevResearch@aws-foo-repo aws-foo-repo
Cloning into 'aws-foo-repo'...
remote: Counting objects: 4597, done.
Receiving objects: 100% (4597/4597), 19.84 MiB | 2.61 MiB/s, done.
Resolving deltas: 100% (2910/2910), done.

You can also now perform CLI using --profile DevResearch; e.g.

aws s3 ls --profile DevResearch

You can also integrate into VisualStudio Code