SSH Credentials for AWS CodeCommit
Authentication Options for AWS CodeCommit
AWS CodeCommit supports three types of credentials:
- Git credentials, an IAM-generated user name and password pair you can use to communicate with CodeCommit repositories over HTTPS.
- SSH keys, a locally generated public-private key pair that you can associate with your IAM user to communicate with CodeCommit repositories over SSH.
- AWS access keys, which you can use with the credential helper included with the AWS CLI to communicate with CodeCommit repositories over HTTPS.
My preference is to use SSH keys, mostly because it allows me to use the same credential across different Git hosting services (GitLab, GitHub, BitBucket, CodeCommit, etc.).
You can find instructions for setting up the SSH credentials here, here, and here. I don't see any substantial difference between them and can't explain why there are three sets of instructions. The problem with all of them is that they assume you are only connecting to a single instance of CodeCommit within a single AWS account.
In my profession, I work with many different clients across many different accounts. I need a way to provide different credentials across those accounts. The instructions below provide solutions for anyone with similar requirements.
A full discussion of whether one should use a single SSH key or maintain multiple keys is outside the scope of this article. The short version is: There may be good reasons to maintain multiple keys, but in most cases it provides no benefit. A single shared key that is encrypted with a strong passphrase is sufficient for most situations.
Single SSH Key for Multiple AWS Accounts
To use a single key for multiple AWS accounts, all we have to do is modify the connection string to the repository. So, if the SSH URL provided by CodeCommit looks like this:
We simply need to modify it to the username@hostname format, as follows:
Note the changes:
- Drop the 'ssh://' from the front of the connection string and replace it with the SSH key ID from IAM for that account (the public key ID, not an access key ID), followed by the '@' sign.
- Add a colon (':') after the host name
This is all that needs to be done if your default SSH key is to be used for all AWS accounts.
Multiple SSH Keys for Multiple AWS Accounts
If you need a different SSH key for different AWS accounts, you'll have to modify your SSH config file (~/.ssh/config). In this file, we can define the connection details for multiple virtual hosts.
The key to understanding this approach is to know that the string after "Host" can be any unique value and does not have to be a real host name. Each "virtual" host then maps to the connection information, which includes a username, key file, and a real host name. The virtual host name can then be used in your Git remote configuration.
We just replace the canonical host name (something like git-codecommit.us-east-1.amazonaws.com) in the repository URL with our virtual host name:
git remote set-url origin ssh://piedpiper.amazonaws.com/v1/repos/pipernet
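The helper functions below are an added example, not code from the original post: they build the two remote URL forms described above (key ID@host for a single key, and a config alias for multiple keys) and emit the ~/.ssh/config stanza the alias approach needs, after checking that the supplied ID is really an IAM SSH key ID. The alias name, key file path and the APKA... key ID are constructed placeholders, and the IdentitiesOnly setting in the stanza goes beyond the text.

```shell
# Added example (not from the original post). Alias, key file and the
# APKA... key ID below are constructed placeholders.

# An IAM SSH public key ID starts with APKA; an access key ID (AKIA/ASIA)
# is a different credential and must not be used as the SSH user name.
check_ssh_key_id() {
  case "$1" in
    AKIA*|ASIA*) echo "error: $1 is an access key ID, not an SSH key ID" >&2; return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^APKA[A-Z0-9]{16}$' ||
    { echo "error: $1 does not look like an IAM SSH key ID" >&2; return 1; }
}

# Split ssh://git-codecommit.<region>.amazonaws.com/v1/repos/<name> into
# CC_HOST and CC_PATH; anything else is rejected rather than rewritten.
split_codecommit_url() {
  case "$1" in
    ssh://git-codecommit.*.amazonaws.com/v1/repos/*) ;;
    *) echo "error: not a CodeCommit SSH URL: $1" >&2; return 1 ;;
  esac
  rest=${1#ssh://}
  CC_HOST=${rest%%/*}
  CC_PATH=/${rest#*/}
}

# Single key, many accounts: KEYID@host:/v1/repos/<name> (no ssh:// prefix)
codecommit_scp_url() {
  check_ssh_key_id "$1" && split_codecommit_url "$2" || return 1
  printf '%s@%s:%s\n' "$1" "$CC_HOST" "$CC_PATH"
}

# Many keys: keep the ssh:// URL but swap the real host for a config alias
codecommit_alias_url() {
  split_codecommit_url "$2" || return 1
  printf 'ssh://%s%s\n' "$1" "$CC_PATH"
}

# ~/.ssh/config stanza for that alias. IdentitiesOnly (beyond the text) keeps
# ssh from offering every agent key before the one mapped to this IAM user.
codecommit_ssh_host_stanza() {
  check_ssh_key_id "$3" || return 1
  printf 'Host %s\n  HostName git-codecommit.%s.amazonaws.com\n  User %s\n' "$1" "$2" "$3"
  printf '  IdentityFile %s\n  IdentitiesOnly yes\n' "$4"
}

# Constructed demo input
codecommit_scp_url APKAEIB4ERJR3EXAMPLE ssh://git-codecommit.us-east-1.amazonaws.com/v1/repos/pipernet
codecommit_alias_url piedpiper.amazonaws.com ssh://git-codecommit.us-east-1.amazonaws.com/v1/repos/pipernet
```

Append the stanza's output to ~/.ssh/config once per account and point each repository's remote at the matching alias URL.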
Per-Repository SSH Config
This can also be done on a per-repository basis using a custom SSH command in the Git configuration. In this case, the key file is passed to ssh through core.sshCommand (with -F /dev/null so that ~/.ssh/config is ignored and only the command-line options apply), and the remote itself uses the username@hostname format rather than a URL. The username is your SSH key ID from IAM. Git appends the host name taken from the remote to the configured command, so the connection string belongs in the remote, not in core.sshCommand:
git config core.sshCommand "ssh -i ~/.ssh/id_rsa_piedpiper -F /dev/null"
git remote set-url origin APKAEIB4ERJR3EXAMPLE@git-codecommit.us-east-1.amazonaws.com:/v1/repos/pipernet
The downside of this approach is it limits you to a single SSH remote repository.