
Introduction
AWS CodeCommit is a fully managed source control service that makes it easy for teams to collaborate on code in private Git repositories. While it offers a robust solution for code management, it’s essential to prioritize security. Traditional methods of accessing CodeCommit often involve access keys, which can pose security risks if compromised.
A more secure and efficient approach is to leverage federated multi-account access. This method allows you to grant access to various CodeCommit repositories without sharing access keys. Using IAM roles, you can tightly control permissions and ensure that only authorized users can access specific resources.
What is Federated Multi-Account Access?
Federated access is a security mechanism that enables users to access resources in one account by assuming a role in another account. In the context of AWS CodeCommit, this means that users can assume an IAM role to access specific repositories without requiring direct access to the account where the repositories are stored.
Approach

In this solution, user access is controlled through federated login via AWS SSO. You can grant this access using AWS native authentication, which eliminates the need for Git credential helpers, SSH, and GPG keys. Additionally, it allows the administrator to control access by adding or removing the user’s IAM role.
The following diagram illustrates how you can access CodeCommit across multiple accounts using AWS SSO and git-remote-codecommit.
Step 1: Create an AWS Named Profile
Start by configuring the AWS CLI to use AWS Single Sign-On. Follow the steps in the AWS documentation on configuring AWS CLI with SSO.
After completing the setup, your named profile in ~/.aws/config will look like this:
[profile dev-team-profile]
sso_start_url = https://example-sso.awsapps.com/start
sso_region = us-west-2
sso_account_id = 123456789012
sso_role_name = Developer
region = us-east-1
output = json
In this example:
sso_start_url: Your AWS SSO portal URL.
sso_region: The region of your SSO instance.
sso_account_id: Your AWS account ID.
sso_role_name: The role you assume when logging in.
region: Default AWS region for the profile.
output: Format for command output.
Step 2: Sign in to AWS
Once the named profile is set up, log in using the AWS CLI:
aws sso login --profile dev-team-profile
This will:
- Open your default web browser.
- Direct you to the AWS SSO login page.
- Prompt you to complete the login process.
Example output:
SSO authorization page has automatically been opened in your default browser.
Follow the instructions in the browser to complete this authorization request.
Successfully logged into Start URL: https://example-sso.awsapps.com/start
Step 3: Install git-remote-codecommit
To interact with AWS CodeCommit repositories, install the git-remote-codecommit package. Run:
pip install git-remote-codecommit
If you encounter permission issues, use sudo:
sudo pip install git-remote-codecommit
This package enables seamless interaction with CodeCommit repositories via Git.
Step 4: Clone a Repository
You can now clone repositories from CodeCommit using your AWS named profile.
Example 1: Clone a Repository
Assume you have a repository named ProjectAlpha. Run the following:
git clone codecommit://dev-team-profile@ProjectAlpha local-project-alpha
Replace dev-team-profile with your AWS named profile.
Replace ProjectAlpha with your repository’s name.
Replace local-project-alpha with the desired folder name for the cloned repository.
Example 2: Clone Another Repository
Suppose another profile, test-team-profile, has access to a repository named ProjectBeta.
Switch profiles and clone:
git clone codecommit://test-team-profile@ProjectBeta local-project-beta
This flexibility allows you to manage multiple repositories across accounts efficiently.
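As an added example (not code from the original post), the Python helper below reads a ~/.aws/config, builds the git-remote-codecommit clone URL for a given profile and repository, and refuses any profile that carries static access keys instead of SSO settings, which is the security point of this approach. The sample config text is constructed for the example, and the codecommit::<region>://<profile>@<repo> region-override form is assumed from git-remote-codecommit's own documentation rather than taken from this post.

```python
import configparser
from typing import Dict, List, Optional

Profiles = Dict[str, Dict[str, str]]

# Constructed sample of a ~/.aws/config for this example; it is not a real file.
# "legacy-keys" shows the pattern the post advises against: static access keys.
SAMPLE_CONFIG = """
[profile dev-team-profile]
sso_start_url = https://example-sso.awsapps.com/start
sso_region = us-west-2
sso_account_id = 123456789012
sso_role_name = Developer
region = us-east-1
output = json

[profile legacy-keys]
aws_access_key_id = PLACEHOLDER-NOT-A-REAL-KEY
region = us-east-1
"""

def load_profiles(config_text: str) -> Profiles:
    """Parse AWS CLI config text into {profile_name: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    profiles: Profiles = {}
    for section in parser.sections():
        # Named profiles are written as "[profile NAME]"; "[default]" has no prefix.
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles

def is_sso_profile(profile: Dict[str, str]) -> bool:
    """True only if the profile authenticates via SSO and carries no static keys."""
    has_sso = "sso_start_url" in profile and "sso_role_name" in profile
    has_keys = "aws_access_key_id" in profile or "aws_secret_access_key" in profile
    return has_sso and not has_keys

def clone_url(profiles: Profiles, name: str, repo: str, region: Optional[str] = None) -> str:
    """Build the git-remote-codecommit URL, rejecting profiles that rely on access keys."""
    profile = profiles.get(name)
    if profile is None:
        raise KeyError(f"profile {name!r} not found in config")
    if not is_sso_profile(profile):
        raise ValueError(f"profile {name!r} is not SSO-based; refusing to use static keys")
    # Optional region override uses the codecommit::<region>://<profile>@<repo> form.
    scheme = f"codecommit::{region}://" if region else "codecommit://"
    return f"{scheme}{name}@{repo}"

def clone_command(profiles: Profiles, name: str, repo: str, dest: str) -> List[str]:
    """argv for subprocess.run(); a list, so no shell quoting of the URL is involved."""
    return ["git", "clone", clone_url(profiles, name, repo), dest]
```

Point load_profiles at the contents of your real ~/.aws/config and pass the resulting argv to subprocess.run to perform the clone.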
Step 5: Work with Your Repositories
After cloning, navigate to the repository folder and start working with your code:
cd local-project-alpha
git status
Make changes, commit updates, and push code back to the repository.
Implementing federated multi-account access significantly enhances the security of your AWS CodeCommit repositories: by following best practices and leveraging IAM roles, you can grant controlled access to your code without sharing long-lived access keys.