I have an AWS IAM user in my account (let's call it originAccount) that has access to another account (targetAccount) and I'm trying to clone a CodeCommit repository that exists in targetAccount using my originAccount credentials on my Windows machine.
I can log in and switch roles to targetAccount just fine; that's how I created the repository in the first place. I have full access to targetAccount except for billing. I do have MFA enabled on my IAM user. I have tried turning this off temporarily but it didn't help. However, with MFA turned off, I can run aws s3 ls successfully without error for targetAccount.
Neither SSH nor HTTPS work. I can clone it with static credentials, as a test, but that isn't acceptable long term. I'm amazed at how difficult this stuff is on AWS...
My user in originAccount has this policy:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sts:AssumeRole"
          ],
          "Resource": [
            "arn:aws:iam::000000000000:role/Administrator"
          ]
        }
      ]
    }
The Administrator role has access to everything. targetAccount has this trust relationship:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::111111111111:user/MyUser"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "Bool": {
              "aws:MultiFactorAuthPresent": "true"
            }
          }
        }
      ]
    }
I tried removing the MFA bit; didn't help. I even disabled MFA on my user account and that didn't help either.
My .aws\credentials file contains these lines:

    [default]
    aws_access_key_id = [originAccountKey]
    aws_secret_access_key = [originAccountSecret]

    [targetAccount]
    aws_access_key_id = [originAccountKey]
    aws_secret_access_key = [originAccountSecret]
I am using the environment variable to set the profile to use, e.g.:

    set AWS_DEFAULT_PROFILE=targetAccount

My .gitconfig contains:

    [credential "https://git-codecommit.us-east-1.amazonaws.com"]
        helper = !'C:\\path\\to\\git-credential-AWSSV4.exe' --profile='targetAccount'
        UseHttpPath = true
Originally that was using the default profile but that didn't work either.
Questions:
Unfortunately none of the other questions I found had answers that worked for me...
I uninstalled and reinstalled Git for Windows just to be sure the credential manager for that wasn't installed (I couldn't remember), but it still doesn't work; it says repository '...' not found. I can clone repositories in originAccount over HTTPS though.
Upvotes: 1
Views: 1564
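One way to check a profile layout like the one in the question before pointing a credential helper at it: resolve the profile the way the CLI does (following source_profile links) and report when the profile that is supposed to reach targetAccount actually carries only the origin user's static keys, so every request is signed as the origin account and CodeCommit answers "repository not found". This is an added example, not the asker's code and not part of the AWS CLI; the three credentials-file samples are constructed, reusing the two account ids from the question (000000000000 = target, 111111111111 = origin) and a placeholder MFA device name.

```python
"""Resolve an AWS CLI profile (following source_profile links) and flag the
layouts that make a CodeCommit credential helper sign as the wrong account.
Added example; not the asker's code and not part of the AWS CLI."""
import configparser


def load_profiles(credentials_text: str, config_text: str = "") -> dict:
    """Merge credentials-file and config-file sections into {name: settings}.

    Credentials-file sections are bare names; config-file sections carry a
    'profile ' prefix (except [default]).  A 'profile ' prefix found inside
    the credentials file is kept verbatim so diagnose() can report it."""
    profiles: dict = {}
    for text, strip_prefix in ((credentials_text, False), (config_text, True)):
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string(text)
        for section in parser.sections():
            name = section
            if strip_prefix and section.startswith("profile "):
                name = section[len("profile "):]
            profiles.setdefault(name, {}).update(parser[section])
    return profiles


def resolve(profiles: dict, name: str, _chain=()) -> dict:
    """Identity the CLI signs with for NAME: the static key at the end of the
    source_profile chain and the role (if any) that key is used to assume."""
    if name in _chain:
        raise ValueError("source_profile cycle: " + " -> ".join(_chain + (name,)))
    settings = profiles.get(name)
    if settings is None:
        raise ValueError(f"profile {name!r} is not defined")
    if "role_arn" in settings:
        if "source_profile" not in settings:
            raise ValueError(f"profile {name!r} has role_arn but no source_profile")
        base = resolve(profiles, settings["source_profile"], _chain + (name,))
        return {"access_key_id": base["access_key_id"],
                "role_arn": settings["role_arn"],
                "mfa_serial": settings.get("mfa_serial")}
    if "aws_access_key_id" not in settings:
        raise ValueError(f"profile {name!r} has neither static keys nor role_arn")
    return {"access_key_id": settings["aws_access_key_id"],
            "role_arn": None, "mfa_serial": None}


def account_of(arn: str) -> str:
    """Account id field of an IAM ARN (arn:aws:iam::ACCOUNT:...)."""
    return arn.split(":")[4]


def diagnose(profiles: dict, name: str, target_account: str) -> list:
    """Findings for using profile NAME to reach TARGET_ACCOUNT (empty = ok)."""
    findings = []
    for section in profiles:
        if section.startswith("profile "):
            findings.append(f"section [{section}] uses the config-file prefix; "
                            f"in the credentials file name it [{section[8:]}]")
    try:
        ident = resolve(profiles, name)
    except ValueError as err:
        findings.append(str(err))
        return findings
    if ident["role_arn"] is None:
        findings.append(f"profile {name!r} carries only static keys, so requests are "
                        f"signed as the key owner's own account, not {target_account}")
    elif account_of(ident["role_arn"]) != target_account:
        findings.append(f"role_arn is in account {account_of(ident['role_arn'])}, "
                        f"not {target_account}")
    return findings


# Constructed sample 1: the question's layout. 'targetAccount' repeats the
# origin user's static keys and never assumes the role.
AS_ASKED = """
[default]
aws_access_key_id = AKIAORIGINEXAMPLE
aws_secret_access_key = originSecretEXAMPLE
[targetAccount]
aws_access_key_id = AKIAORIGINEXAMPLE
aws_secret_access_key = originSecretEXAMPLE
"""

# Constructed sample 2: targetAccount assumes the role using the origin
# user's keys and MFA device (MFA_DEVICE is a placeholder name).
FIXED = """
[default]
aws_access_key_id = AKIAORIGINEXAMPLE
aws_secret_access_key = originSecretEXAMPLE
[targetAccount]
role_arn = arn:aws:iam::000000000000:role/Administrator
source_profile = default
mfa_serial = arn:aws:iam::111111111111:mfa/MFA_DEVICE
"""

# Constructed sample 3: config-file section syntax pasted into credentials.
MISPREFIXED = """
[default]
aws_access_key_id = AKIAORIGINEXAMPLE
aws_secret_access_key = originSecretEXAMPLE
[profile targetAccount]
role_arn = arn:aws:iam::000000000000:role/Administrator
source_profile = default
"""

if __name__ == "__main__":
    for label, text in (("as asked", AS_ASKED), ("fixed", FIXED), ("misprefixed", MISPREFIXED)):
        print(label, diagnose(load_profiles(text), "targetAccount", "000000000000"))
```

Run against the first sample it reports that targetAccount is only static keys; against the second it reports nothing and resolve() shows the origin key plus the Administrator role in 000000000000; against the third it reports both the stray prefix and that no profile named targetAccount exists.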
The credential-helper is the only way to authenticate with CodeCommit using temporary session credentials like the ones acquired from AssumeRole. SSH will not work as SSH authentication is done by verifying an uploaded public key, which is not temporary.
I find that the following pattern is an easy one to follow for authentication using AssumeRole. In your .aws\credentials file:

    # In the credentials file, profile sections are bare names; the
    # "[profile name]" form is only used in .aws\config.
    [target_account]
    role_arn = arn:aws:iam::000000000000:role/Administrator
    # The MFA device belongs to the user in the origin account
    # (111111111111 in the trust policy above), not the target account.
    mfa_serial = arn:aws:iam::111111111111:mfa/MFA_DEVICE
    source_profile = origin_account

    [origin_account]
    aws_access_key_id = [originAccountKey]
    aws_secret_access_key = [originAccountSecret]
This will allow AWS client tools to get temporary session credentials from target_account by using AssumeRole from the origin_account, effectively assuming the role of Administrator on target_account.
Your .gitconfig should specify the target_account profile.
If you are using msysgit, you should try upgrading to Git for Windows 2.x. The credential-helper will send : as the username and an AWS V4 Signature as the password. Session keys are usually pretty long and in msysgit, curl will truncate the username to 256 characters, which will not include the complete session key.
I hope this helps!
Upvotes: 2
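To make concrete what the credential helper hands to Git, and why temporary AssumeRole credentials make the username long, here is an added example that is neither the answerer's code nor the source of any AWS or third-party helper. It follows the SigV4 scheme the AWS CLI's own CodeCommit helper uses: a canonical request with method GIT, the repository path and the host header, an empty query and payload, and a password of the form <timestamp>Z<signature>; the session token travels in the username after a '%'. Keys, token, timestamp and the Git request text are constructed.

```python
"""Username/password a Git credential helper returns for a CodeCommit HTTPS
URL, using the SigV4 scheme AWS's own helper follows. Added example; not the
answerer's code and not any helper's source. Inputs below are constructed."""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import urlsplit


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def codecommit_git_credentials(url: str, access_key: str, secret_key: str,
                               session_token: str = None, now: datetime = None):
    """Return (username, password) for URL.

    username: the access key id, plus '%' and the session token when the
    credentials are temporary (AssumeRole output); that is how the token
    reaches CodeCommit and why the username can exceed 256 characters.
    password: <YYYYMMDDTHHMMSS>Z<64 hex chars of SigV4 signature>."""
    parts = urlsplit(url)
    host = parts.netloc.split(":")[0]          # a port, if any, is not signed
    region = host.split(".")[1]                # git-codecommit.<region>.amazonaws.com
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%S")
    date = now.strftime("%Y%m%d")
    scope = f"{date}/{region}/codecommit/aws4_request"
    # Canonical request: method, path, empty query, host header, signed
    # header list, empty payload hash.
    canonical = f"GIT\n{parts.path}\n\nhost:{host}\n\nhost\n"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in (date, region, "codecommit", "aws4_request"):
        key = _hmac_sha256(key, part)          # standard SigV4 key derivation
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    username = access_key if session_token is None else f"{access_key}%{session_token}"
    return username, f"{amz_date}Z{signature}"


def credential_helper(git_request: str, access_key: str, secret_key: str,
                      session_token: str = None, now: datetime = None) -> str:
    """Speak Git's credential-helper protocol: parse the key=value lines Git
    writes to the helper's stdin and return the lines to write back.
    The repository path is part of the signature, so Git must pass it
    (useHttpPath = true); without it this helper refuses rather than emit a
    signature CodeCommit would reject."""
    fields = dict(line.split("=", 1) for line in git_request.splitlines() if "=" in line)
    if "path" not in fields:
        raise ValueError("Git did not send the repository path; set useHttpPath = true")
    url = f"{fields['protocol']}://{fields['host']}/{fields['path']}"
    user, password = codecommit_git_credentials(url, access_key, secret_key,
                                                session_token, now)
    return f"username={user}\npassword={password}\n"


# Constructed inputs: not real credentials; fixed time so output is repeatable.
SAMPLE_KEY = "AKIAIOSFODNN7EXAMPLE"
SAMPLE_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SAMPLE_TOKEN = "FQoGZXIvYXdzEXAMPLESESSIONTOKEN"
SAMPLE_TIME = datetime(2016, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_REQUEST = ("protocol=https\n"
                  "host=git-codecommit.us-east-1.amazonaws.com\n"
                  "path=v1/repos/MyRepo\n")

if __name__ == "__main__":
    print(credential_helper(SAMPLE_REQUEST, SAMPLE_KEY, SAMPLE_SECRET,
                            SAMPLE_TOKEN, SAMPLE_TIME))
```

The signature covers the exact repository path, so a helper that is given only protocol and host (UseHttpPath missing) cannot produce a password CodeCommit will accept; the example raises in that case instead of guessing.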