Our developers access internally owned git CodeCommit repos across multiple AWS accounts. These AWS accounts are owned by us. It is important to qualify AWS/CodeCommit ownership here. Client owned CodeCommit access best practice is through IAM roles (out of scope for this post).
Scope of this post:
- organizational CodeCommit access spanning two AWS accounts
- concurrent access to repos in both AWS accounts
Solution options:
- Access CodeCommit in both accounts using git-remote-codecommit
- Access CodeCommit in 1st account using SSH & the 2nd using git-remote-codecommit.
A “no-no-option” worth noting: accessing CodeCommit in both AWS accounts using SSH.
Our reference implementation addresses both viable solution options.
- Generate AWS access key and secret access key for an IAM entity having AWSCodeCommitFullAccess
- Create AWS cli profile(s)
aws --profile account1-gov configure
...
Default region name [None]: us-gov-west-1
Default output format [None]: json - Install git-remote-codecommit
pip3 install git-remote-codecommit - Clone repos. Enjoy!
git clone codecommit://account1-gov@repo-name repo-name-gc
Important
Do not use GRC HTTP clone URL without profile (e.g., account1-gov) when concurrent access to account2 with SSH is in place.
