
How to give an IAM user permission to push to a CodeCommit repository locally with ssh

You can use CodeCommit repositories to trigger CodePipeline pipelines, so you need an IAM user that is able to push to a branch in a CodeCommit repository.

Here is how to set up the permissions.

Prerequisites:

- an existing code commit repository
- an existing IAM user
- an SSH key pair in the possession of the IAM user (we only need the public key). It must be an RSA key; ed25519 keys are not yet supported by AWS CodeCommit at the time of writing.

If the user doesn't have an SSH key, one can be generated with ssh-keygen -t rsa -b 4096 (make sure it is passphrase protected, and it is best to create a key specifically for this purpose rather than reuse an existing one).


Set up the IAM user's keys and get a CodeCommit KEY ID

Go to the IAM user, and under 'Security credentials' upload the user's public key in the section 'SSH keys for AWS CodeCommit'.

You'll get an SSH key ID; copy it and store it somewhere, you'll need it later.


Set up an IAM user group that can push to CodeCommit

If your user doesn't already have rights in AWS to push to CodeCommit, we're going to set up an IAM group (named 'LeadDevelopers' or 'Deployers', for example) that can push to CodeCommit (and thereby trigger a deployment in CodePipeline).
IAM groups are groups for 'real' human users (as opposed to machines).

Go to IAM, create the group, and attach the AWS managed policy
AWSCodeCommitPowerUser

Then, add the IAM user to this group.


Modify the ssh config at the user's machine

Now we're going to add a host to the ssh config (so you can access CodeCommit with different keys without conflict if you have multiple AWS accounts).
Below, substitute the placeholders {PLACEHOLDER} with the correct information.


# iam user `{IAMUSERNAME}` at `{ACCOUNTNAME}`
Host codecommit-{ACCOUNTNAME}
 Hostname git-codecommit.{REGION}.amazonaws.com
 User {CODECOMMIT_KEY_ID}
 IdentityFile ~/.ssh/{KEYNAME}

For example:

# iam user `itsme` at `myaws`
Host codecommit-myaws
 Hostname git-codecommit.eu-west-1.amazonaws.com
 User AAA333CCCDDDEEE
 IdentityFile ~/.ssh/id_myaws_rsa

Add the snippet to ~/.ssh/config; you can then access AWS CodeCommit at:

ssh://codecommit-{ACCOUNTNAME}/v1/repos/{REPOSITORY_NAME}

for example:

git clone ssh://codecommit-myaws/v1/repos/myrepository


Add your repository as a remote to an existing repository

Now we're adding a new remote to an existing local repository, so you can push to the CodeCommit repository.


git remote add aws-codecommit ssh://codecommit-{ACCOUNTNAME}/v1/repos/{REPOSITORY_NAME}

for example:

git remote add aws-codecommit ssh://codecommit-myaws/v1/repos/myrepository

You can now push a local branch to AWS CodeCommit with:


git push aws-codecommit master

(I usually set up release branches named production and staging, or aws-production and aws-staging.)
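The per-account ssh config stanza, the matching remote URL and the RSA-only key requirement from the steps above, as an added shell example that is not part of the original post. The function and argument names (codecommit_ssh_stanza, add_stanza_once, the ACCOUNTNAME/REGION/KEY_ID/KEYNAME arguments) are my own assumptions; the helper also refuses to append a duplicate Host entry so it can be re-run safely.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the ~/.ssh/config stanza
# and remote URL described above, and checks the public key is RSA
# (CodeCommit does not accept ed25519 keys at the time of writing).

# Print the ssh config stanza for one AWS account.
# Args: ACCOUNTNAME REGION KEY_ID KEYNAME IAMUSERNAME  (all caller-supplied)
codecommit_ssh_stanza() {
    account="$1"; region="$2"; key_id="$3"; keyname="$4"; iamuser="$5"
    printf '# iam user `%s` at `%s`\nHost codecommit-%s\n HostName git-codecommit.%s.amazonaws.com\n User %s\n IdentityFile ~/.ssh/%s\n' \
        "$iamuser" "$account" "$account" "$region" "$key_id" "$keyname"
}

# Build the clone/remote URL that goes with that stanza.
# Args: ACCOUNTNAME REPOSITORY_NAME
codecommit_remote_url() {
    printf 'ssh://codecommit-%s/v1/repos/%s\n' "$1" "$2"
}

# Return 0 if the public key file holds an RSA key (first field "ssh-rsa"),
# 1 otherwise, so an unsupported key type is caught before uploading it.
is_rsa_pubkey() {
    read -r keytype _ < "$1" || return 1
    [ "$keytype" = "ssh-rsa" ]
}

# Append the stanza to ~/.ssh/config unless that Host is already present,
# and keep the directory/file permissions ssh expects (700 / 600).
# Args: same as codecommit_ssh_stanza
add_stanza_once() {
    cfg="${HOME}/.ssh/config"
    account="$1"
    mkdir -p "${HOME}/.ssh" && chmod 700 "${HOME}/.ssh"
    if grep -q "^Host codecommit-${account}\$" "$cfg" 2>/dev/null; then
        echo "Host codecommit-${account} already in ${cfg}, skipping" >&2
        return 0
    fi
    codecommit_ssh_stanza "$@" >> "$cfg" && chmod 600 "$cfg"
}
```

Run it as `. ./codecommit-ssh.sh` and then `is_rsa_pubkey ~/.ssh/id_myaws_rsa.pub && add_stanza_once myaws eu-west-1 AAA333CCCDDDEEE id_myaws_rsa itsme` to reproduce the example stanza from the post.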