Reputation: 79467
I can clone my CodeCommit repository successfully, but when I try to push to it, I get 403. Fetching and pulling work, however. It's as if I have read-only access.
I have set up my .gitconfig to use AWS CLI for credential manager:
[credential]
helper = !aws --profile builder codecommit credential-helper $@
UseHttpPath = true
The problem is that the error doesn't tell me why pushing is failing:
$ git push origin test-branch
fatal: unable to access 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-example-repo/': The requested URL returned error: 403
Most questions on the internet about this error are when cloning fails, but cloning works for me. I found this question where cloning succeeds and pushing fails, but his error is different - aws codecommit cannot push.
Edit: After looking at my CodeCommit policy, it has Full: Read Limited: List, Write.
There is also a ResourceSpecifier = foo-*, but that holds for GitPull permission and pulling works, so I doubt it's the resource specifier.
Upvotes: 4
Views: 7241
Reputation: 2027
For MacOS: Delete the code-commit internet passwords in Keychain and try again. Also:
git config --global credential.helper '!aws codecommit credential-helper $@'
git config --global credential.UseHttpPath true
Upvotes: 4
Reputation: 79467
@Tom's answer sent me in the right direction. To expand on it, the reason was that my user had write permissions only for repositories whose name matches a certain pattern containing wildcards.
This pattern is from the policy JSON, and looks like this:
"Resource": "arn:aws:codecommit:*:*:bar*"
This pattern would give me write access to any repository whose name starts with bar, so I could push to a repo named bar or bar2, but not to a repo named foo-bar because it doesn't start with bar even though it contains it.
Upvotes: 0
Reputation: 3950
I imagine you're right about the read-only permissions. As the docs state, you need the codecommit:GitPush permission in your IAM policy to be allowed to push commits from your local repository to the CodeCommit repository.
Being able to pull the repository means your credentials are set up correctly; if they weren't, you wouldn't be able to git pull / git fetch at all.
Upvotes: 1
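The two answers above (the wildcard Resource pattern and the separate codecommit:GitPush permission) can be checked offline with a small policy evaluator. This is an added example, not code from any poster or from AWS: the policy is constructed from the patterns quoted in the thread, the account ID 111122223333 is a placeholder, and the evaluator is a simplified model that ignores Condition, NotAction, NotResource, permission boundaries and SCPs.

```python
import re

# Constructed policy modelled on the patterns quoted in the thread (not the poster's real policy).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "codecommit:GitPull",
         "Resource": "arn:aws:codecommit:*:*:foo-*"},
        {"Effect": "Allow", "Action": ["codecommit:GitPush"],
         "Resource": "arn:aws:codecommit:*:*:bar*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def evaluate(policy, action, resource_arn):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"  # nothing matched: denied by default
    for stmt in _as_list(policy["Statement"]):
        # Action names are compared case-insensitively, resource ARNs are not.
        if not any(_matches(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny overrides any allow
        decision = "Allow"
    return decision

def repo_arn(name, region="us-east-1", account="111122223333"):
    # Placeholder account ID; region taken from the URL in the question.
    return f"arn:aws:codecommit:{region}:{account}:{name}"

def access_report(policy, repo_names):
    """Map each repository name to its GitPull / GitPush decision."""
    return {name: {act: evaluate(policy, f"codecommit:{act}", repo_arn(name))
                   for act in ("GitPull", "GitPush")}
            for name in repo_names}

if __name__ == "__main__":
    for name, result in access_report(POLICY, ["bar", "bar2", "foo-bar"]).items():
        print(name, result)
```

A repository that clones but returns 403 on push shows up here as GitPull: Allow with GitPush: ImplicitDeny, which is the case for foo-bar under this policy.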