Secure, private Git repository access is what lets teams work. However, using an IAM user with SSH keys to authenticate to a private Git repository is not recommended. Why?

  1. Long-lived key storage violates just-in-time access.
  2. IAM-user-driven Git SSH key management does not enable CI/CD.

IAM roles and git-remote-codecommit to the rescue!

Our AWS reference implementation:

  1. A private subnet with external connectivity, i.e., a NAT'd subnet with no Internet Gateway (IGW).
  2. Two IAM roles: one with AWSCodeCommitReadOnly for CI/CD and one with AWSCodeCommitPowerUser for developers.
  3. An AWS CodeCommit repository.
  4. A Jenkins Docker image with git-remote-codecommit installed.

CI/CD setup process:

  1. Configure the GRC HTTPS CodeCommit URLs in the Jenkins Dockerfile. CodeCommit:
  2. Provision the AWS infrastructure for Jenkins with an instance profile or EKS role whose policy includes AWSCodeCommitReadOnly.
  3. Run the Jenkins pipeline, which performs a git clone using the GRC URL.
  4. Done!

This process is repeatable for developer access via an IAM role with the AWSCodeCommitPowerUser policy.
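The following script is an added example, not code from the original post or from the git-remote-codecommit project. It shows the two checks the reference implementation relies on: that the repository URL is a GRC URL (so Git authenticates with the role's temporary credentials rather than IAM-user SSH keys), and that the credentials actually in use come from an assumed role, not an IAM user. It assumes the aws CLI, git and git-remote-codecommit are installed in the Jenkins image; the region, repository name and ARNs used below are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumed environment: the Jenkins
# image has `git`, the `aws` CLI and `git-remote-codecommit` (pip) installed,
# and the instance profile or EKS role carries AWSCodeCommitReadOnly.
set -euo pipefail

# Build a git-remote-codecommit URL. The helper's URL format is
#   codecommit::<region>://<repository>
# or, when a named AWS profile should be used,
#   codecommit::<region>://<profile>@<repository>
grc_url() {
  local region="$1" repo="$2" profile="${3:-}"
  if [ -n "$profile" ]; then
    printf 'codecommit::%s://%s@%s\n' "$region" "$profile" "$repo"
  else
    printf 'codecommit::%s://%s\n' "$region" "$repo"
  fi
}

# Return 0 only for GRC URLs. An ssh:// or https:// CodeCommit URL would fall
# back to IAM-user SSH keys or Git credentials, which is what this setup avoids.
is_grc_url() {
  case "$1" in
    codecommit::*://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 when the caller ARN belongs to an assumed role (instance profile,
# EKS role, or a developer's assumed role); 1 for an IAM user or anything else.
caller_is_role() {
  case "$1" in
    arn:aws:sts::*:assumed-role/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Driver used inside the pipeline: refuse to clone unless both checks pass.
clone_with_role() {
  local region="$1" repo="$2" url arn
  url="$(grc_url "$region" "$repo")"
  is_grc_url "$url" || { echo "refusing non-GRC URL: $url" >&2; return 1; }

  arn="$(aws sts get-caller-identity --query Arn --output text)"
  if ! caller_is_role "$arn"; then
    echo "refusing to clone with non-role credentials: $arn" >&2
    return 1
  fi

  echo "cloning $url as $arn"
  git clone "$url"
}

# Only run the driver when invoked with <region> <repository>; sourcing the
# file (or running it without arguments) just defines the functions.
if [ "$#" -ge 2 ]; then
  clone_with_role "$1" "$2"
fi
```

Usage in a pipeline step would be `./clone_with_role.sh us-east-1 my-repo` (hypothetical script name and repository). The ARN check is deliberately strict: a `arn:aws:iam::<account>:user/...` identity means long-lived keys have leaked into the build environment, which is exactly the condition the post argues against, so the job fails rather than silently cloning.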