Table of Contents
- Introduction
- What is Federated Multi-Account Access?
- Approach
- Step-by-Step Implementation
- Troubleshooting Common Issues
- Conclusion
Introduction
AWS CodeCommit is a fully managed source control service that makes it easy for teams to collaborate on code in private Git repositories. While it offers a robust solution for code management, it’s essential to prioritize security. Traditional methods of accessing CodeCommit often involve access keys, which can pose security risks if compromised.
A more secure and efficient approach is to leverage federated multi-account access. This method allows you to grant access to various CodeCommit repositories without sharing access keys. Using IAM roles, you can tightly control permissions and ensure that only authorized users can access specific resources.
What is Federated Multi-Account Access?
Federated access is a security mechanism that enables users to access resources in one account by assuming a role in another account. In the context of AWS CodeCommit, this means that users can assume an IAM role to access specific repositories without requiring direct access to the account where the repositories are stored.
Approach
AWS SSO
In this solution, user access is controlled through federated login via AWS SSO. You can grant this access using AWS native authentication, which eliminates the need for Git credential helpers, SSH, and GPG keys. Additionally, it allows the administrator to control access by adding or removing the user’s IAM role.
The following diagram illustrates how you can access CodeCommit across multiple accounts using AWS SSO and git-remote-codecommit.
Step-by-Step Implementation
Step 1: Create an AWS Named Profile
Start by configuring the AWS CLI to use AWS Single Sign-On. Follow the steps in the AWS documentation on configuring AWS CLI with SSO.
After completing the setup, your named profile in ~/.aws/config will look like this:
[profile dev-team-profile]
sso_start_url = https://example-sso.awsapps.com/start
sso_region = us-west-2
sso_account_id = 123456789012
sso_role_name = Developer
region = us-east-1
output = json
In this example:
- sso_start_url: Your AWS SSO portal URL
- sso_region: The region of your SSO instance
- sso_account_id: Your AWS account ID
- sso_role_name: The role you assume when logging in
- region: Default AWS region for the profile
- output: Format for command output
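Before running the login in Step 2 it is worth confirming that the profile actually carries every key the SSO flow needs; a profile that is missing one of them fails later with a confusing error. The following shell script is an added example, not part of the original post: it parses an ~/.aws/config-style file, checks the keys listed above for a named profile, and verifies that sso_account_id is a 12-digit account ID. The config it reads is constructed inline (it mirrors the dev-team-profile above and adds a deliberately broken test-team-profile); the function names and the path of the temporary file are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): validate an AWS named profile
# for SSO login before calling `aws sso login --profile NAME`.

# Keys an SSO profile must define for the login and for later CLI calls.
REQUIRED_SSO_KEYS="sso_start_url sso_region sso_account_id sso_role_name region"

# profile_value CONFIG PROFILE KEY
# Prints the value of KEY inside the [profile PROFILE] section; the section
# ends at the next line that begins with "[". Prints nothing if absent.
profile_value() {
  awk -v section="[profile $2]" -v key="$3" '
    $0 == section { inside = 1; next }
    /^\[/        { inside = 0 }
    inside && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
        print v; exit
      }
    }' "$1"
}

# check_sso_profile CONFIG PROFILE
# Returns 0 when the profile exists, every required key is set and the
# account ID is 12 digits; otherwise prints each problem and returns 1.
check_sso_profile() {
  cfg="$1"; profile="$2"; rc=0
  if ! grep -qxF "[profile $profile]" "$cfg"; then
    echo "profile '$profile' not found in $cfg"
    return 1
  fi
  for key in $REQUIRED_SSO_KEYS; do
    val="$(profile_value "$cfg" "$profile" "$key")"
    if [ -z "$val" ]; then
      echo "profile '$profile': missing $key"
      rc=1
    fi
  done
  acct="$(profile_value "$cfg" "$profile" sso_account_id)"
  if [ -n "$acct" ] && ! echo "$acct" | grep -Eq '^[0-9]{12}$'; then
    echo "profile '$profile': sso_account_id '$acct' is not a 12-digit account ID"
    rc=1
  fi
  return $rc
}

# Constructed config for the demo (stands in for ~/.aws/config).
tmpdir="$(mktemp -d)"
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/config" <<'EOF'
[profile dev-team-profile]
sso_start_url = https://example-sso.awsapps.com/start
sso_region = us-west-2
sso_account_id = 123456789012
sso_role_name = Developer
region = us-east-1
output = json

[profile test-team-profile]
sso_start_url = https://example-sso.awsapps.com/start
sso_region = us-west-2
sso_account_id = 12345
region = us-east-1
EOF

if check_sso_profile "$tmpdir/config" dev-team-profile; then
  echo "dev-team-profile: ready for 'aws sso login --profile dev-team-profile'"
fi
# The constructed test-team-profile lacks sso_role_name and has a short account ID.
check_sso_profile "$tmpdir/config" test-team-profile || echo "test-team-profile: fix config first"
```

Point the script at your real file with `check_sso_profile "$HOME/.aws/config" dev-team-profile`; the same check is a quick first step for the "Check Your AWS Profile" item in the troubleshooting section, since it catches a misconfigured profile without making any AWS API call.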
Step 2: Sign in to AWS
Once the named profile is set up, log in using the AWS CLI:
aws sso login --profile dev-team-profile
This will:
- Open your default web browser
- Direct you to the AWS SSO login page
- Prompt you to complete the login process
Example output:
SSO authorization page has automatically been opened in your default browser.
Follow the instructions in the browser to complete this authorization request.
Successfully logged into Start URL: https://example-sso.awsapps.com/start
Step 3: Install git-remote-codecommit
To interact with AWS CodeCommit repositories, install the git-remote-codecommit package. Run:
python -m pip install git-remote-codecommit
If you encounter permission issues, use sudo:
sudo pip install git-remote-codecommit
This package enables seamless interaction with CodeCommit repositories via Git.
Step 4: Clone a Repository
You can now clone repositories from CodeCommit using your AWS named profile.
Example 1: Clone a Repository
Assume you have a repository named ProjectAlpha. Run the following:
git clone codecommit://dev-team-profile@ProjectAlpha local-project-alpha
- Replace dev-team-profile with your AWS named profile
- Replace ProjectAlpha with your repository’s name
- Replace local-project-alpha with the desired folder name for the cloned repository
Example 2: Clone Another Repository
Suppose another profile, test-team-profile, has access to a repository named ProjectBeta.
Switch profiles and clone:
git clone codecommit://test-team-profile@ProjectBeta local-project-beta
This flexibility allows you to manage multiple repositories across accounts efficiently.
Step 5: Work with Your Repositories
After cloning, navigate to the repository folder and start working with your code:
cd local-project-alpha
git status
Make changes, commit updates, and push code back to the repository.
Troubleshooting Common Issues
Issue 1: 403 Forbidden Error When Cloning
If you encounter a 403 Forbidden error when trying to clone from AWS CodeCommit, this is typically an authentication or authorization issue.
Common Causes:
- Missing or incorrect Git credentials for CodeCommit
- No IAM permissions to access the repository
- Using the wrong credential helper (HTTPS vs SSH)
- Incorrect AWS profile configuration
Solution Steps:
1. Verify IAM Permissions
Ensure your IAM user/role has the necessary CodeCommit permissions:
- AWSCodeCommitPowerUser (or at minimum AWSCodeCommitReadOnly)
- Or specific permissions: codecommit:GitPull, codecommit:GitPush
2. Check Your AWS Profile
# Verify you're using the correct profile
aws sts get-caller-identity --profile your-profile-name
# Check if the profile has correct credentials
aws configure list --profile your-profile-name
3. Verify Repository Access
# Check if you can list repositories
aws codecommit list-repositories --profile your-profile-name
# Check specific repository access
aws codecommit get-repository --repository-name your-repo-name --profile your-profile-name
If the get-repository command succeeds, your IAM permissions are correct.
4. Configure Git Credential Helper
# Set up the AWS credential helper for CodeCommit
git config --global credential.helper '!aws codecommit credential-helper $@'
git config --global credential.UseHttpPath true
# Or for specific profile
git config --global credential.helper '!aws --profile your-profile-name codecommit credential-helper $@'
5. Alternative: Use HTTPS URL Directly
If the codecommit:// protocol doesn’t work, try using the HTTPS URL:
git clone https://git-codecommit.us-east-1.amazonaws.com/v1/repos/your-repo-name
6. Windows-Specific Fix
For Windows users, check Windows Credential Manager for cached credentials:
- Open Credential Manager → Windows Credentials
- Remove any old git:https://git-codecommit entries
- Try cloning again
7. Generate HTTPS Git Credentials (Alternative Method)
If the above methods don’t work:
- Go to IAM Console → Your user → Security credentials
- Scroll to HTTPS Git credentials for AWS CodeCommit
- Click Generate credentials
- Save the username and password
- Clone – Git will prompt for these credentials
Issue 2: “Destination path already exists” Error
If you see this error:
fatal: destination path 'your-repo-name' already exists and is not an empty directory.
Solution:
Either delete the existing directory or clone to a different location:
# Delete existing directory
rm -rf your-repo-name
# Or clone to a different location
git clone codecommit://your-profile@your-repo-name new-folder-name
Issue 3: git-remote-codecommit Not Recognized
If Git doesn’t recognize the codecommit:// protocol:
Solution:
Ensure git-remote-codecommit is installed and accessible:
# Verify installation
pip show git-remote-codecommit
# Reinstall if necessary
pip install --upgrade git-remote-codecommit
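Git resolves a URL scheme such as codecommit:// by looking for an executable named git-remote-<scheme> (here git-remote-codecommit) on PATH, so "protocol not recognized" usually means pip installed the helper into a bin directory your shell does not search. The following pre-flight script is an added example, not part of the original post, that ties Step 3, Step 4 and this issue together: it reports the helper Git would run, builds the codecommit://PROFILE@REPO clone URL used in Step 4, and refuses to proceed when the helper is missing. The fake git-remote-fakescheme helper it creates in a temporary directory is constructed solely to demonstrate the lookup; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): check that Git can find the
# codecommit:// remote helper before attempting a clone.

# remote_helper_path SCHEME
# Prints the path of the git-remote-SCHEME executable Git would run for
# SCHEME:// URLs, or nothing when no such program is on PATH.
remote_helper_path() {
  command -v "git-remote-$1" 2>/dev/null || true
}

# codecommit_url PROFILE REPO
# Prints the git-remote-codecommit clone URL for a named profile and repo.
codecommit_url() {
  [ -n "$1" ] && [ -n "$2" ] || return 1
  printf 'codecommit://%s@%s\n' "$1" "$2"
}

# preflight PROFILE REPO
# Returns 0 and prints the clone command when the helper is available;
# otherwise prints what to check and returns 1.
preflight() {
  helper="$(remote_helper_path codecommit)"
  if [ -z "$helper" ]; then
    echo "git-remote-codecommit is not on PATH."
    echo "Check where pip put it: python -m pip show -f git-remote-codecommit"
    echo "and add that bin directory to PATH, or reinstall the package."
    return 1
  fi
  echo "helper: $helper"
  echo "ready: git clone $(codecommit_url "$1" "$2")"
}

# Demo with a constructed stand-in helper so the lookup can be shown on any host.
tmpdir="$(mktemp -d)"
trap 'rm -rf "$tmpdir"' EXIT
printf '#!/bin/sh\nexit 0\n' > "$tmpdir/git-remote-fakescheme"
chmod +x "$tmpdir/git-remote-fakescheme"
PATH="$tmpdir:$PATH"

echo "fakescheme helper:  $(remote_helper_path fakescheme)"   # found (constructed)
echo "nosuchscheme helper: $(remote_helper_path nosuchscheme)" # empty: Git has nothing to run
preflight dev-team-profile ProjectAlpha || echo "install: python -m pip install git-remote-codecommit"
```

Run `preflight dev-team-profile ProjectAlpha` on your own machine; if it reports the helper missing even though `pip show git-remote-codecommit` succeeds, the package is installed for a Python whose scripts directory is not on the PATH of the shell you run Git from.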
Conclusion
By implementing federated multi-account access, you can significantly enhance the security of your AWS CodeCommit repositories. By following best practices and leveraging IAM roles, you can grant controlled access to your code without compromising security.
The troubleshooting section ensures that you can quickly resolve common issues and maintain smooth access to your repositories across multiple AWS accounts.
Last updated on January 5, 2026
About the Author
This blog post was written by Afzal Malik, an AI/ML Engineer with over 6 years of experience in IT, specializing in integrating AI systems and building intelligent chat agents. He is passionate about using data and AI to solve complex business problems. His expertise includes PySpark, Pandas, AWS Glue, AWS Data Wrangler, and AI/ML technologies. He holds certifications as an AWS Solutions Architect, AWS Data Engineer, and AWS AI/ML Foundation certified professional. He is currently working on cutting-edge AI system integrations and developing conversational AI agents for enterprise applications.
