The following steps are specifically aimed at cloning a [[AWS CodeCommit|CodeCommit]] repo which is hosted in an AWS account for which the developer has [[AWS IAM Identity Center]] access. The steps have been tested on macOS and assume you connect to Git using the terminal and not a GUI tool.

1. Install the [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) (which has SSO support).
2. Run `aws configure sso` to configure the CLI for your project's SSO (see [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html)). This should create a named profile in your `~/.aws/config` file specifically for the `infra` account where the CodeCommit repo is hosted. For example, it will look something like this:

    ```
    [profile myproject_infra]
    sso_start_url = https://myproject.awsapps.com/start
    sso_region = us-east-1
    sso_account_id = 123456789012
    sso_role_name = AdministratorAccess
    region = us-east-1
    ```

3. Follow the steps [here](https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-git-remote-codecommit.html) to install the `git-remote-codecommit` Git extension. This will be used to authenticate requests to the repo.
4. In your terminal, run `export AWS_PROFILE=myproject_infra` (or whatever the name of your project profile for the infra account is).
5. Run `aws sso login` and go through the browser auth process it triggers to log in to your SSO session for this profile.
6. Run the `git clone` command using the `codecommit://` scheme with your AWS_PROFILE embedded into the URL, e.g. `git clone codecommit::us-east-1://myproject_infra@myproject-server` (where `myproject-server` should be replaced with the name of your CodeCommit repo). Embedding the profile into the URL means you don't need to switch `AWS_PROFILE`s between the dev and infra accounts in the middle of your development workflow.
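As an added example (not part of the original note), a shell helper that assembles the `codecommit::<region>://<profile>@<repo>` clone URL, checks that the named profile in the AWS config file is actually an SSO profile before relying on it, refreshes the SSO session only when `aws sts get-caller-identity` fails, and then clones. The function names are my own and the config it inspects is constructed inline for illustration.

```shell
#!/usr/bin/env bash
# Added helper, not from the original note. Function names and the sample
# config are assumptions/constructed for illustration.
set -eu

# Write a constructed ~/.aws/config look-alike to a temp file and print its path.
sample_config() {
  local f
  f=$(mktemp)
  printf '%s\n' '[profile myproject_infra]' \
    'sso_start_url = https://myproject.awsapps.com/start' \
    'sso_region = us-east-1' 'sso_account_id = 123456789012' \
    'sso_role_name = AdministratorAccess' 'region = us-east-1' '' \
    '[profile plain]' 'region = us-east-1' > "$f"
  echo "$f"
}

# Exit 0 if profile $2 in config file $1 is an SSO profile (has sso_start_url).
profile_is_sso() {
  awk -v want="[profile $2]" '
    $0 == want      { inside = 1; next }
    /^\[/           { inside = 0 }
    inside && $1 == "sso_start_url" { found = 1 }
    END { exit(found ? 0 : 1) }' "$1"
}

# Clone URL understood by git-remote-codecommit: codecommit::<region>://<profile>@<repo>
codecommit_url() {
  printf 'codecommit::%s://%s@%s\n' "$1" "$2" "$3"
}

# Verify the profile, refresh the SSO session if needed, then clone.
clone_via_sso() {
  local config="$1" region="$2" profile="$3" repo="$4"
  # This page advises against static AWS_* env credentials for CodeCommit,
  # so flag them if present.
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] || [ -n "${AWS_SESSION_TOKEN:-}" ]; then
    echo "warning: AWS_* credential variables are set; prefer 'aws sso login'" >&2
  fi
  profile_is_sso "$config" "$profile" ||
    { echo "error: '$profile' is not an SSO profile in $config" >&2; return 1; }
  # get-caller-identity fails once the SSO session has expired; log in again.
  aws sts get-caller-identity --profile "$profile" >/dev/null 2>&1 ||
    aws sso login --profile "$profile"
  git clone "$(codecommit_url "$region" "$profile" "$repo")"
}
```

Typical use is `clone_via_sso ~/.aws/config us-east-1 myproject_infra myproject-server`, which mirrors steps 2 to 6 above in one call.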
**Important**: Do not use the `AWS_*` environment variables from the AWS SSO console start page in order to connect to the AWS account. While this will initially work (clones and pushes will succeed), once the temporary credentials expire after an hour or so, subsequent fetch or push requests will fail with a 401 error and, crucially, updating the `AWS_*` env variables with new credentials has no effect, as macOS seems to have cached them somewhere (none of the [troubleshooting suggestions](https://docs.aws.amazon.com/codecommit/latest/userguide/troubleshooting.html) worked for me here). The only resolution to fix this was to reboot my machine. By using the `aws sso` CLI instead, I avoided this issue.

---

## References

- [https://docs.aws.amazon.com/codecommit/latest/userguide/how-to-connect.html](https://docs.aws.amazon.com/codecommit/latest/userguide/how-to-connect.html)