Reputation: 10457
To use AWS CodeCommit, I have created an IAM user with a policy like AWSCodeCommitFullAccess attached, and I have generated and downloaded both the accessKey and the CodeCommit credential (username & password).
After I created a repository in CodeCommit, I realized that whenever I want to run some git command, git prompts a message asking me to input user name/password.
Suppose I have a big team using CodeCommit. Does that mean I have to let everybody know the accessKey and credential (username & password) of the IAM user? Is it secure? Can't I use an IAM role? Using an IAM role I can get an accessKey, although it expires periodically, but I guess CodeCommit will be OK with that. But I notice an IAM role does not have a way to generate a CodeCommit credential (username & password), so I do not know how to use it to run git commands.
Besides, every time I run a git command I need to input the CodeCommit credential (username & password), which is not convenient. Is there an easier way, like caching the credential?
Upvotes: 1
Views: 2555
Reputation: 171
You don't need to create an IAM user if your instance profile has CodeCommit permissions. As mentioned in the other answer, we can use the AWS CLI Credential Helper.
All you need to do to make CodeCommit auth work via the instance profile is:
1. Make sure AWS CLI v2 is installed on the EC2
2. Install git on the EC2
3. Configure git to use the credential helper
    git config --global credential.helper '!aws codecommit credential-helper $@'
    git config --global credential.UseHttpPath true
You can run git commands from your EC2 to test if the config is working.
Upvotes: 2
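An added example (not part of the answer above) that shows what git hands to a credential helper, and that the repository path is included only when credential.UseHttpPath is true. The stub helper, the `helper_input` function and the repository URL are constructed for illustration; the stub stands in for `aws codecommit credential-helper`, so no AWS access is needed.

```shell
#!/bin/sh
# Added example: inspect the key=value lines git sends to a credential helper.
# Assumptions: git is installed; the URL below is a constructed sample.

# Constructed sample URL in the CodeCommit HTTPS format.
REPO_URL="https://git-codecommit.us-east-1.amazonaws.com/v1/repos/demo-repo"

# helper_input <true|false>
# Runs `git credential fill` with a stub helper and the given UseHttpPath
# value, then prints everything git wrote to the helper's stdin.
helper_input() {
    tmp=$(mktemp -d) || return 1
    log="$tmp/helper-input.log"
    # HOME/XDG/NOSYSTEM isolate the run from existing git config.
    # The empty credential.helper resets any helper list before the stub is added.
    # Git appends the operation ("get") to the helper command, so the stub
    # runs as `f get`, logs its stdin, and returns fixed dummy credentials.
    printf 'url=%s\n\n' "$REPO_URL" |
        HOME="$tmp" XDG_CONFIG_HOME="$tmp" GIT_CONFIG_NOSYSTEM=1 \
        GIT_TERMINAL_PROMPT=0 HELPER_LOG="$log" \
        git -c credential.helper= \
            -c credential.helper='!f() { cat >> "$HELPER_LOG"; echo username=stub-user; echo password=stub-pass; }; f' \
            -c credential.UseHttpPath="$1" \
            credential fill >/dev/null
    cat "$log"
    rm -rf "$tmp"
}

echo "--- credential.UseHttpPath=true"
helper_input true
echo "--- credential.UseHttpPath=false"
helper_input false
```

With the setting off, the helper sees only the protocol and host, so it cannot tell one repository on that host from another.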
Reputation: 8890
What you need is the AWS CLI Credential Helper [1]. The credential helper can generate the credentials for git dynamically by getting credentials from the AWS SDK, i.e. through the credential chain, which could be an environment variable, the ~/.aws/credential file, an IAM instance profile, etc.
So in this case, when you don't want to create an IAM user per user, you just give an EC2 instance profile permission to CodeCommit (AWSCodeCommitFullAccess). Then set up the credential helper on this EC2 instance, and when using the git client, git will authenticate transparently to the user. Details of the setup procedure: [1].
Ref:
[1] Setup Steps for HTTPS Connections to AWS CodeCommit Repositories on Windows with the AWS CLI Credential Helper - https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-https-windows.html
Upvotes: 2