I have implemented identity federation for an AWS account to enable devs to use AWS services via corporate single sign-on/SAML.

All the initial reading I've done regarding AWS CodeCommit seems to require either an SSH key attached to a specific IAM user to enable that user to gain access to CodeCommit via SSH, or an Access Key ID & Secret Key combo for HTTPS access.

I can't see a way to enable a federated user (i.e. a user who can log in to AWS via an assumed role rather than as a specific IAM user) to access a CodeCommit repo. Can anybody help me? Am I missing something obvious?

The CodeCommit pricing talks about a federated user counting as an active user for pricing purposes which implies that it's possible.

2 Answers

AWS CodeCommit over HTTPS can use any credentials from the AWS CLI, including assumed role credentials. For example, you could have the following in your AWS CLI config (example taken from here):

[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadmin
source_profile = default

You would configure git to use that profile for CodeCommit repositories, and the role will be assumed for you when you push or pull a CodeCommit repo.

git config --global credential.helper '!aws --profile marketingadmin codecommit credential-helper $@'

For SAML, there's more setup to get the AWS CLI to be able to assume a role with SAML. See the AWS blog posts here and here for instructions. After following those instructions and running ./samlapi.py or ./samlapi_formauth.py, you would configure git to use the "saml" profile for CodeCommit repositories:

git config --global credential.helper '!aws --profile saml codecommit credential-helper $@'

For OSX

  1. Install git and the AWS CLI
  2. Configure AWS CLI credentials:

    aws configure
    
  3. Set up the my-profile profile, which contains the role to be assumed, by editing your ~/.aws/credentials file. Note that an admin should create this role in the AWS account that owns the CodeCommit repos; the role should trust your account and have enough CodeCommit permissions.

    [my-profile]
    role_arn = ARN_OF_THE_ROLE_TO_BE_ASSUMED
    source_profile = default
    
  4. Double check your region config in ~/.aws/config :

    [default]
    region = us-east-1
    

Configure git to use the AWS CLI profile during clone/push/pull/etc. operations. Note the use of my-profile as the profile name, which in turn assumes the role as already discussed:

 git config --global credential.helper '!aws --profile "my-profile" codecommit credential-helper $@'
 git config --global credential.UseHttpPath true

You should be able to perform git operations against CodeCommit repos belonging to the AWS parent account using the HTTPS endpoints.
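Both answers rely on `aws codecommit credential-helper` without saying what it hands back to git, which is the part that makes assumed-role and SAML credentials work at all. The following is an added example, not code from either answer and not the AWS CLI's own code: a standard-library re-implementation of the helper's `get` operation. The layout it signs (a pseudo-request with method `GIT`, only the `host` header signed, an empty-body payload hash, and a password of the form `<timestamp>Z<SigV4 signature>`) reflects my reading of the CLI's codecommit customization and should be treated as an assumption; the credentials, the git request and the fixed clock are constructed placeholders. Use the real helper in practice; this block exists to show why a federated session needs no IAM user or SSH key.

```python
"""Added example: what `aws codecommit credential-helper get` hands back to git.

git invokes the helper with key=value lines on stdin and expects
"username=...\npassword=...\n" back. The signing layout below mirrors my reading
of the AWS CLI's codecommit customization and is an assumption; all credentials
and inputs are constructed placeholders. Standard library only, runs offline.
"""
import hashlib
import hmac
import re
from datetime import datetime, timezone
from typing import NamedTuple, Optional

EMPTY_BODY_SHA256 = hashlib.sha256(b"").hexdigest()
ENDPOINT_RE = re.compile(r"git-codecommit(-fips)?\.([a-z0-9-]+)\.amazonaws\.com(\.cn)?")


class Credentials(NamedTuple):
    access_key: str
    secret_key: str
    token: Optional[str] = None  # set for assumed-role / federated (SAML) sessions


def parse_git_request(text: str) -> dict:
    """Parse git's credential protocol: key=value lines, a blank line ends it."""
    params = {}
    for line in text.splitlines():
        if not line:
            break
        key, _, value = line.partition("=")
        params[key] = value
    return params


def codecommit_region(host: str) -> Optional[str]:
    """Region for a CodeCommit git endpoint, None for any other host (the helper
    must then stay silent so git falls through to its next credential helper)."""
    m = ENDPOINT_RE.fullmatch(host)
    return m.group(2) if m else None


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_git_password(creds: Credentials, host: str, path: str, region: str, timestamp: str) -> str:
    """SigV4 over a 'GIT' pseudo-request for https://host/path (assumed layout)."""
    canonical_request = "\n".join([
        "GIT",
        "/" + path.lstrip("/"),  # git only sends path= when credential.UseHttpPath is true
        "",                      # no query string
        f"host:{host}\n",        # canonical headers, trailing newline included
        "host",                  # signed headers
        EMPTY_BODY_SHA256,       # payload hash of an empty body
    ])
    date = timestamp[:8]
    scope = f"{date}/{region}/codecommit/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", timestamp, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    k_date = _hmac(("AWS4" + creds.secret_key).encode(), date)
    k_signing = _hmac(_hmac(_hmac(k_date, region), "codecommit"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    # The secret key itself is never given to git; only this time-stamped signature is.
    return f"{timestamp}Z{signature}"


def credential_helper_get(git_input: str, creds: Credentials, now: Optional[datetime] = None) -> str:
    """Answer a `get` request. Returns "" (say nothing) for non-CodeCommit hosts."""
    params = parse_git_request(git_input)
    region = codecommit_region(params.get("host", ""))
    if params.get("protocol") != "https" or region is None:
        return ""
    username = creds.access_key
    if creds.token:  # temporary credentials: the session token rides along in the username
        username += "%" + creds.token
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%S")
    password = sign_git_password(creds, params["host"], params.get("path", ""), region, stamp)
    return f"username={username}\npassword={password}\n"


# Constructed placeholders: AWS's documented example key pair plus a made-up session token.
DEMO_CREDS = Credentials("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "FQoGZXIvYXdzEXAMPLEtoken")
DEMO_REQUEST = "protocol=https\nhost=git-codecommit.us-east-1.amazonaws.com\npath=v1/repos/MyRepo\n"
DEMO_NOW = datetime(2020, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for a reproducible run

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "get":  # invoked the way git would invoke a helper
        sys.stdout.write(credential_helper_get(sys.stdin.read(), DEMO_CREDS))
    else:
        print(credential_helper_get(DEMO_REQUEST, DEMO_CREDS, DEMO_NOW), end="")
```

Two things worth noticing in the output. The password carries no secret at all: it is a SigV4 signature bound to the timestamp, the host and (when `credential.UseHttpPath` is true, as in the second answer) the repository path, so a password cached by git or leaked in a log is useful only for a short window and only against that endpoint. And the `%`-joined session token in the username is how a role assumed via `role_arn`/`source_profile` or via the SAML scripts is conveyed, which is why no IAM user, SSH key or long-lived access key is needed for a federated developer.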