running git clone against AWS CodeCommits gets me a 403 error

Question

My local laptop is a Mac.

1. The ssh key is configured properly. This is the content of ~/.ssh/config

   Host barthea Hostname git-codecommit.us-east

Answer 1

After running below commands, I had to add the below mentioned policy to my IAM user to solve this problem. refrence

git config --global credential.helper '!aws codecommit credential-helper $@'
git config --global credential.UseHttpPath true

Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codecommit:*"
            ],
            "Resource": "*"
        }
    ]
}

Answer 2

For me the root cause of getting the error was that no matter which version of git I was using on OSX, GIT was always picking up the credential.helper config of using osxkeychain from the file:

/Applications/Xcode.app/Contents/Developer/usr/share/git-core/gitconfig

Getting rid of this solved the problem for me and has not broken anything.

Answer 3

fatal: unable to access 'https://git-codecommit.yourregion.amazonaws.com/v1/yourrepositoryname/': The requested URL returned error: 403

It occurs due to below regions

1. Make sure your user has codecommitfullaccess policy attached.
2. make sure your default region in local aws cli configuration and region in which repository created are same. If not reset the default region in aws cli command as below

aws configure

3. make sure if repository present there.

Answer 4

This helpful text is found on the AWS documentation for codecommit and Windows integration

If your installation of Git for Windows included the Git Credential Manager utility, you will see 403 errors or prompts to provide credentials into the Credential Manager utility after the first few connection attempts. The most reliable way to solve this problem is to uninstall and then reinstall Git for Windows without the option for the Git Credential Manager utility, as it is not compatible with AWS CodeCommit.

If you want to keep the Git Credential Manager utility, you must perform additional configuration steps to also use AWS CodeCommit, including manually modifying the .gitconfig file to specify the use of the credential helper for AWS CodeCommit when connecting to AWS CodeCommit.

Remove any stored credentials from the Credential Manager utility (you can find this utility in Control Panel).

Once you have removed any stored credentials, add the following to your .gitconfig file, save it, and then try connecting again from a new command prompt window:

[credential "https://git-codecommit.us-east-1.amazonaws.com"]
    helper = !aws codecommit credential-helper $@
    UseHttpPath = true

Additionally, you might have to re-configure your git config settings by specifying --system instead of --global or --local before all connections work as expected.

This last part applied to my situation, though when I ran git config --system it did not function as expected but appended aws configure before the aws codecommit command.

So I had to run this in git to find the location of the config file for the system.

git config --list --show-origin

I then added the suggested section from AWS to both my c:/users/username/.gitconfig and my c:/ProgramData/Git/config files.

After that git push started working- even though I get the bogus error in front of my response of

"git: 'credential-aws' is not a git command. See 'git --help'."

Answer 5

You need to be sure that your AWS credentials not only have permission to access CodeCommit, but also that there are no blanket deny policies attached. In our organization we require MFA on all console accounts and this does cause programmatic access to have issues.

A good solution (if this is your issue) would be to create another IAM user without console access with the codecommit policy attached directly (in our case the MFA blanket deny is from the IAM group the user is a part of).

Clarification: This answer is for when you are using IAM credentials and the CodeCommit Git extension (rather than IAM Git credentials), although I suspect it is true in that case as well.

Answer 6

I solved it.

The 403 error message is a specifically Git error message. I added the two AWS-specified helper commands:

git config --global credential.helper '!aws --profile bruce666 codecommit credential-helper $@'
git config --global credentials.helper UseHttpPath=true

and that took care of the issue.

The .git/config file in your local directory (before you clone the Codecommit repo that you had just created should look like this:

[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
    ignorecase = true
    precomposeunicode = false
[credential]
    helper = !aws --profile bruce666 codecommit credential-helper $@
    UseHttpPath = true
[remote "origin"]
    url = https://git-codecommit.us-east-1.amazonaws.com/v1/repos/barthea
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
    remote = origin
    merge = refs/heads/master

As specified in the .git/config file, you are cloning using https not ssh. I must not have used the default version of git that came with OSX because I did not run into any Toolchain issue.