running git clone against AWS CodeCommits gets me a 403 error

Question

My local laptop is a Mac.

1. The ssh key is configured properly. This is the content of ~/.ssh/config

Host barthea
Hostname git-codecommit.us-east-1.amazonaws.com
User AVVVVVVVVVVVVVVVVVQ
IdentityFile ~/.ssh/aws-aws.pem

Running ssh barthea gets me

You have successfully authenticated over SSH. You can use Git to interact with AWS CodeCommit. Interactive shells are not supported.Connection to git-codecommit.us-east-1.amazonaws.com closed by remote host.

2. I created an IAM user bruce666 complete with password and access keys, made this user part of the "team" group.Then I created a policy that includes "AWSCodeCommitPowerUsers" and assigned this policy to "team". And finally assigned bruce666 to "team". At this point, bruce666 can access any repo in CodeCommit through the management console.

3. I ran aws config --profile bruce666, fed in his access and secret key, his region and specified the format at json. At this point, I was able to create the rekha repo in CodeCommmit by running aws codecommit get-repository --repository-name rekha --profile bruce666

4. I can create a couple of dummy files, run git init, git add . , git commit -m "1", git add origin https://git-gitcode.amzonaws.com/repos/v1/rekha , git push -u origin master And that operation will be successful.

5. However, when I run git clone ssh://git-gitcode.amazonaws.com/repos/v1/rekha , I get "fatal: unable to access 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/barthia/': The requested URL returned error: 403" What gives?

Answer 1

I got the same error in Ubuntu for an Android project from code-commit.

This doc helped me - https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-https-unixes.html

Before Proceeding please make sure your IAM user has codecommitfullaccess policy attached. also, make sure your default region in the local aws cli configuration and the region in which the repository was created are the same. You can reset the region in aws cli with the aws configure command.

Other software to be there in your system are

1. GIT-CLI - git --version
2. AWS-CLI - aws --version or sudo apt install awscli

In AWS configure the auth using this command

git config --global credential.helper '!aws codecommit credential-helper $@'

git config --global credential.UseHttpPath true

This command sets the git auth settings globally in your system. This means for any project in your system at different locations auth will be handled by the AWS Credential Helper. You can verify this in your .gitConfig file in your home directory. This config file is for all the git projects in your system.

If you want to configure the above auth for only one particular project, then remove --global while configuring and run the command inside your project's root directory.

Then, find the .aws folder in your home directory, and look for config and credentials files in there. These are the key files you need to successfully communicate with your CodeCommit Repo.

In my case, even after providing auth credentials while git operations in Android studio, the error was there, I have then filled the credentials file with the aws_access_key_id, aws_secret_access_key, aws_session_token. Which are available your SSO Screen or in your profile. But the session token is valid for only one day, You need to update the creds daily like this.

With AWS Credentials Helper and credentials file, I can now Sync the project and do git operations on my codecommit repo.

Answer 2

System Environment variables (I'm not sure how) were used to pre-specify the Region, access, and secret key. Changing these variables fixes the problem. The region, access, and secret key were all correct in .aws/config and .aws/credentails, but I needed to change the environment variables to make this work.

Answer 3

I also face same 403 error while using git push command in windows. I done all settings mentioned in AWS docs, but non resolved my issue. After i reviewed git credential set via Windows Credential as shown in screen. I found instead of git https credentials, it set access key / secret key (don't know how).

Control Panel\All Control Panel Items\Credential Manager

Click on edit link, update credential with proper git credential generated for AWS User, everything worked fine.

Answer 4

Follow this steps in aws docs Try this command after the steps

git config --system --unset credential.helper

Answer 5

If you are using windows 10, make sure you copy this:

[credential]
    helper = !aws codecommit credential-helper $@
    UseHttpPath = true

to these two configuration locations:

1. drive:\Users\UserName\.gitconfig
2. drive:\Program Files\Git\etc\gitconfig

Answer 6

For me the only option that worked was using git clone with the HTTPS (GRC) option which gives a URL that starts with:

git clone codecommit::

Answer 7

Issue (On Ubuntu)

$ git clone https://git-codecommit.ap-southeast-1.amazonaws.com/v1/repos/xx
Cloning into 'xx'...
fatal: unable to access 'https://git-codecommit.ap-southeast-1.amazonaws.com/v1/repos/xx/': The requested URL returned error: 403

Solution:

Step 1:

git config --global credential.helper '!aws codecommit credential-helper $@'
git config --global credential.UseHttpPath true

Check:

cat ~/.gitconfig 
[user]
    email = your-email
    name = your-name
[credential]
    helper = !aws codecommit credential-helper $@
    UseHttpPath = true

Step 2:

1. Services > IAM
2. Click on Users (Left panel)
3. Click on your username (main panel)
4. Click on Add permissions
5. Click on Attach existing policies directly
6. On Filter policies, type AWSCodeCommitFullAccess
7. Check the checkbox besides the policy, and click Next: Review
8. Click on Add permissions
   

Result

$ git clone https://git-codecommit.ap-southeast-1.amazonaws.com/v1/repos/xx
Cloning into 'xx'...
remote: Counting objects: 3, done.
Unpacking objects: 100% (3/3), 223 bytes | 223.00 KiB/s, done.

Reference

1. Getting started with Git and AWS CodeCommit

Answer 8

In my case, I had a permission issue.

You need to need to attach the AWSCodeCommitFullAccess policy to your IAM user to give you access to CodeCommit.

Answer 9

Whenever it asks to enter Username and Password while trying to clone or pull the code from AWS, instead of copying the password manually enter it by typing each letter. This resolved my problem.

Answer 10

You need to be sure that your AWS credentials not only have permission to access CodeCommit, but also that there are no blanket deny policies attached. In our organization we require MFA on all console accounts and this does cause programmatic access to have issues.

A good solution (if this is your issue) would be to create another IAM user without console access with the codecommit policy attached directly (in our case the MFA blanket deny is from the IAM group the user is a part of).

Clarification: This answer is for when you are using IAM credentials and the CodeCommit Git extension (rather than IAM Git credentials), although I suspect it is true in that case as well.

Answer 11

Something was wrong with my default aws credentials, I ran aws configure again with no profile, restarted terminal and it worked.

Answer 12

On MAC, if above-mentioned tricks don't work, do the following:

1. Open Keychain Access
2. Search for CodeCommit. You should find this:

3. Select 'git-codecommit....' and press delete
4. Confirm the delete.

Now try again. It should work. You may have to do it again next time as well when you face the error 403.

One of the possible reason for this issue is the keychain password different than login password on your MAC.

Answer 13

After running below commands, I had to add the below mentioned policy to my IAM user to solve this problem. refrence

git config --global credential.helper '!aws codecommit credential-helper $@'
git config --global credential.UseHttpPath true

Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codecommit:*"
            ],
            "Resource": "*"
        }
    ]
}

Answer 14

fatal: unable to access 'https://git-codecommit.yourregion.amazonaws.com/v1/yourrepositoryname/': The requested URL returned error: 403

It occurs due to below regions

1. Make sure your user has codecommitfullaccess policy attached.
2. make sure your default region in local aws cli configuration and region in which repository created are same. If not reset the default region in aws cli command as below

aws configure

3. make sure if repository present there.

Answer 15

The following solution worked for a handful of devs that use Git Bash on Windows 10.

If you select Windows as your operating system on the "Connect to your repository" tab, the commands are formatted like this:

git config --global credential.helper "!aws codecommit credential-helper $@"
git config --global credential.UseHttpPath true

However, if you use Git Bash, select the "Linux, MacOS, or Unix" option instead. Note the single quote instead of double quote on the first line.

git config --global credential.helper '!aws codecommit credential-helper $@'
git config --global credential.UseHttpPath true

Best of luck.

Referred: https://forums.aws.amazon.com/thread.jspa?threadID=198356 Posted by: mwhardesty

Answer 16

My case in OSX.

The first step:

git config --global credential.helper '!aws codecommit credential-helper $@'
git config --global credentials.helper UseHttpPath=true

However, verifying git config --list --show-origin

file:/usr/local/etc/gitconfig   credential.https://git-codecommit.eu-west-1.amazonaws.com.helper=!aws codecommit credential-helper $@
file:/usr/local/etc/gitconfig   credential.helper=osxkeychain
file:/Users/mine/.gitconfig  user.name=my-user
file:/Users/mine/.gitconfig  user.email=my@gmail.com
file:/Users/mine/.gitconfig  filter.lfs.clean=git-lfs clean -- %f
file:/Users/mine/.gitconfig  filter.lfs.smudge=git-lfs smudge -- %f
file:/Users/mine/.gitconfig  filter.lfs.process=git-lfs filter-process
file:/Users/mine/.gitconfig  filter.lfs.required=true
file:/Users/mine/.gitconfig  credential.helper=!aws codecommit credential-helper $@
file:/Users/mine/.gitconfig  credential.usehttppath=true

The first line was not present before, and git was using osxkeychain with precedence. Hence, I had to do git config --system ...

cat /usr/local/etc/gitconfig                                             
[credential "https://git-codecommit.eu-west-1.amazonaws.com"]
    helper = !aws codecommit credential-helper $@
    UseHttpPath = true
[credential]
    helper = osxkeychain

So the URL was specified in order to fallback in case another credentials are stored.

Update https://docs.aws.amazon.com/codecommit/latest/userguide/troubleshooting-ch.html

For some reason, UseHttpPath = true seems not to be added sometimes. So it can (should) be added under [credential]

Answer 17

For me the root cause of getting the error was that no matter which version of git I was using on OSX, GIT was always picking up the credential.helper config of using osxkeychain from the file:

/Applications/Xcode.app/Contents/Developer/usr/share/git-core/gitconfig

Getting rid of this solved the problem for me and has not broken anything.

Answer 18

This helpful text is found on the AWS documentation for codecommit and Windows integration

If your installation of Git for Windows included the Git Credential Manager utility, you will see 403 errors or prompts to provide credentials into the Credential Manager utility after the first few connection attempts. The most reliable way to solve this problem is to uninstall and then reinstall Git for Windows without the option for the Git Credential Manager utility, as it is not compatible with AWS CodeCommit.

If you want to keep the Git Credential Manager utility, you must perform additional configuration steps to also use AWS CodeCommit, including manually modifying the .gitconfig file to specify the use of the credential helper for AWS CodeCommit when connecting to AWS CodeCommit.

Remove any stored credentials from the Credential Manager utility (you can find this utility in Control Panel).

Once you have removed any stored credentials, add the following to your .gitconfig file, save it, and then try connecting again from a new command prompt window:

[credential "https://git-codecommit.us-east-1.amazonaws.com"]
    helper = !aws codecommit credential-helper $@
    UseHttpPath = true

Additionally, you might have to re-configure your git config settings by specifying --system instead of --global or --local before all connections work as expected.

This last part applied to my situation, though when I ran git config --system it did not function as expected but appended aws configure before the aws codecommit command.

So I had to run this in git to find the location of the config file for the system.

git config --list --show-origin

I then added the suggested section from AWS to both my c:/users/username/.gitconfig and my c:/ProgramData/Git/config files.

After that git push started working- even though I get the bogus error in front of my response of

"git: 'credential-aws' is not a git command. See 'git --help'."

Answer 19

I solved it.

The 403 error message is a specifically Git error message. I added the two AWS-specified helper commands:

git config --global credential.helper '!aws --profile bruce666 codecommit credential-helper $@'
git config --global credentials.helper UseHttpPath=true

and that took care of the issue.

The .git/config file in your local directory (before you clone the Codecommit repo that you had just created should look like this:

[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
    ignorecase = true
    precomposeunicode = false
[credential]
    helper = !aws --profile bruce666 codecommit credential-helper $@
    UseHttpPath = true
[remote "origin"]
    url = https://git-codecommit.us-east-1.amazonaws.com/v1/repos/barthea
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
    remote = origin
    merge = refs/heads/master

As specified in the .git/config file, you are cloning using https not ssh. I must not have used the default version of git that came with OSX because I did not run into any Toolchain issue.