« Back to overview

How to give an IAM user permission to push to a CodeCommit repository locally with ssh

You can use CodeCommit repositories to trigger code pipelines. So you need a user to be able to push to a branch in a CodeCommit repository.

Here is how to setup permissions.


- an existing code commit repository
- an existing IAM user
- an SSH key in posession of the IAM user (we need the public key). We need the public key, and it must be an RSA key (ed25519 is not yet supported by AWS at the time of writing).

If the user doesn't have an ssh key, it can be generated by ssh-keygen -t rsa -b 4096 (make sure it's password protected, and its best specific for this purpose).

Set up the IAM user's keys and get a CodeCommit KEY ID

Go the the IAM user, and at 'security credentials' upload the public key of the user in the section 'SSH keys for AWS CodeCommit'.

You'll get an SSH KEY ID, copy and store it somewhere, you'll need it later.

Set up an IAM user group that can push to CodeCommit

If your user doesn't already have rights at AWS to push to CodeCommit -

We're going to set up an IAM group 'LeadDevelopers' or 'Deployers' that can push to codecommit (and trigger a deployment in code pipeline).
IAM Groups are groups for 'real' human users (as opposed to machines).

Go to IAM, create the group, and add the policy

Then, add the IAM user to this group.

Modify the ssh config at the user's machine

No, we're gonna add a host to the ssh config (so you can access codecommit with different keys without conflict if you have multiple accounts).
Below, substitute the placeholders {PLACEHOLDER} with the correct information.

# iam user `{IAMUSERNAME}` at `{ACCOUNTNAME}`
Host codecommit-{ACCOUNTNAME}
 Hostname git-codecommit.{REGION}.amazonaws.com
 IdentityFile ~/.ssh/{KEYNAME}


# iam user `itsme` at `myaws`
Host codecommit-myaws
 Hostname git-codecommit.eu-west-1.amazonaws.com
 IdentityFile ~/.ssh/id_myaws_rsa

Add the snippet to ~/.ssh/config, you can then access AWS CodeCommit with:



git clone ssh://codecommit-myaws/v1/repos/myrepository

Add your repository as a remote to an existing repository

No we're adding a new remote to an existing repository, so you can push to the codecommit repository.

git remote add aws-codecommit ssh://codecommit-{ACCOUNTNAME}/v1/repos/{REPOSITORY_NAME}


git remote add aws-codecommit ssh://codecommit-myaws/v1/repos/myrepository

You can now push a local branch to aws codecommit with:

git push aws-codecommit master

(I usually set up a release branch named production and staging, or aws-production - aws-staging)