LinuxCommandLibrary

aws-codecommit

Manage AWS CodeCommit repositories

TLDR

Display help

$ aws codecommit help

Display help for a specific command

$ aws codecommit [command] help

SYNOPSIS

(This command is primarily invoked by Git; users configure it via git config.)
git config --global credential.helper '!aws codecommit credential-helper $@'

(When Git invokes the helper, it typically uses one of the following operations, supplying details via standard input:)
aws codecommit credential-helper get
aws codecommit credential-helper store
aws codecommit credential-helper erase

PARAMETERS

get
    Instructs the helper to retrieve credentials. Git sends details (e.g., protocol, host, path) via standard input, and the helper outputs a username and password (an IAM token) if successful.

store
    Instructs the helper to store credentials. For CodeCommit, this operation usually doesn't 'store' anything persistently but confirms successful credential generation.

erase
    Instructs the helper to erase credentials. For CodeCommit, this typically clears any cached temporary credentials.

DESCRIPTION

The aws-codecommit command, typically referring to the Git credential helper functionality provided by the AWS Command Line Interface (CLI), enables seamless and secure authentication with AWS CodeCommit repositories. Instead of manually handling Git usernames and passwords or SSH keys, this helper automates the authentication process by transparently leveraging AWS credentials configured for the AWS CLI (e.g., IAM user access keys, temporary security credentials from roles, or SSO).

When Git requires authentication for an HTTPS operation against an AWS CodeCommit repository, it invokes this helper. The helper then exchanges the configured AWS credentials for a temporary Git username and password (which is an AWS IAM temporary token). This token is valid for a limited time and is automatically refreshed as needed, significantly streamlining the developer workflow and enhancing security by avoiding long-lived static credentials in Git configurations.

It's important to note that aws-codecommit is not a standalone Git client but an intermediary invoked by Git behind the scenes, ensuring that standard Git commands like git clone, git push, and git pull work effortlessly with CodeCommit.

CAVEATS

This helper requires the AWS Command Line Interface (AWS CLI) to be installed and configured with valid AWS credentials. It primarily supports HTTPS Git connections; SSH connections to CodeCommit use SSH keys directly. Ensure your AWS CLI configuration has permissions to access CodeCommit repositories (e.g., codecommit:GitPull, codecommit:GitPush).

CONFIGURATION

To use the aws-codecommit helper, you typically configure Git globally. The command git config --global credential.helper '!aws codecommit credential-helper $@' tells Git to use the AWS CLI's CodeCommit credential helper for all repositories. Alternatively, you can configure it per-repository by omitting the --global flag.
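
An added example, not part of the original page or the AWS CLI: a shell function that audits `git config --list` output for how this helper is wired up, flagging the all-hosts setup, a missing `credential.UseHttpPath`, and a coexisting `store` helper. The function name `audit_codecommit_helper`, the sample configs and the `us-east-1` endpoint are constructed for illustration; URL-scoped `credential.<url>.helper` keys, `credential.UseHttpPath` and the `store` helper are standard Git settings that this page does not cover.

```shell
#!/bin/sh
# Added example: audit `git config --list` output (read from stdin) for the
# CodeCommit credential helper. audit_codecommit_helper is a hypothetical name.
# Usage on a real machine: git config --list | audit_codecommit_helper
audit_codecommit_helper() {
  awk '
    {
      eq = index($0, "="); if (eq == 0) next
      key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
    }
    # Any credential[.<url>].helper entry
    key ~ /^credential\./ && key ~ /\.helper$/ {
      if (val ~ /aws codecommit credential-helper/) {
        found = 1
        # No URL subsection: Git runs the helper for every HTTPS remote
        if (key == "credential.helper") unscoped = 1
      } else if (val ~ /^store/) plaintext = 1
    }
    # Git only sends the repository path to helpers when this is true
    key ~ /^credential\./ && key ~ /\.usehttppath$/ && tolower(val) == "true" {
      httppath = 1
    }
    END {
      if (!found) { print "INFO: CodeCommit helper not configured"; exit 0 }
      if (unscoped)  print "WARN: helper runs for every HTTPS remote; scope it to the CodeCommit URL"
      if (!httppath) print "WARN: credential.UseHttpPath is not true"
      if (plaintext) print "WARN: store helper also present; it writes credentials to disk in plaintext"
      if (!unscoped && httppath && !plaintext) print "OK"
    }'
}

# Constructed sample: the global setup from this page, plus a store helper.
SAMPLE_GLOBAL="credential.helper=!aws codecommit credential-helper \$@
credential.helper=store
user.name=Example Dev"

# Constructed sample: helper scoped to one CodeCommit endpoint (example region).
SAMPLE_SCOPED="credential.https://git-codecommit.us-east-1.amazonaws.com.helper=!aws codecommit credential-helper \$@
credential.https://git-codecommit.us-east-1.amazonaws.com.usehttppath=true"

printf '%s\n' "$SAMPLE_GLOBAL" | audit_codecommit_helper
printf '%s\n' "$SAMPLE_SCOPED" | audit_codecommit_helper
```
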

UNDERLYING MECHANISM

When Git needs credentials, it calls the configured helper (aws codecommit credential-helper). This helper then uses the AWS CLI to communicate with AWS IAM to request temporary credentials (an IAM user ARN as username and a unique password/token). This token is then provided back to Git for authentication over HTTPS. This process ensures that sensitive AWS credentials are not stored directly in Git's credential store.

HISTORY

The need for simplified Git authentication with AWS CodeCommit led to the development of this credential helper by AWS. It was introduced to address the complexities of managing standard Git credentials or SSH keys for cloud-hosted repositories, aligning with the AWS CLI's philosophy of making AWS services easily accessible from the command line. Its evolution tracks closely with updates to the AWS CLI itself, enhancing security and usability over time.

SEE ALSO

git(1), aws(1), git-credential(1), gitremote-helpers(7)
