
SSH Credentials for AWS CodeCommit

Authentication Options for AWS CodeCommit

AWS CodeCommit supports three types of credentials:

  • Git credentials, an IAM-generated user name and password pair you can use to communicate with CodeCommit repositories over HTTPS.
  • SSH keys, a locally generated public-private key pair that you can associate with your IAM user to communicate with CodeCommit repositories over SSH.
  • AWS access keys, which you can use with the credential helper included with the AWS CLI to communicate with CodeCommit repositories over HTTPS.

My preference is to use SSH keys, mostly because it allows me to use the same credential across different Git hosting services (GitLab, GitHub, BitBucket, CodeCommit, etc.).

You can find instructions for setting up the SSH credentials here, here, and here. I don't see any substantial difference between them and can't explain why there are three sets of instructions. The problem with all of them is that they assume you only ever connect to CodeCommit within a single AWS account.

In my profession, I work with many different clients across many different accounts. I need a way to provide different credentials across those accounts. The instructions below provide solutions for anyone with similar requirements.

A full discussion of whether one should use a single SSH key or maintain multiple keys is outside the scope of this article. The short version is: There may be good reasons to maintain multiple keys, but in most cases it provides no benefit. A single shared key that is encrypted with a strong passphrase is sufficient for most situations.

Single SSH Key for Multiple AWS Accounts

To use a single key for multiple AWS accounts, all we have to do is modify the connection string to the repository. So, if the SSH URL provided by CodeCommit looks like this:

ssh://git-codecommit.us-east-1.amazonaws.com/v1/repos/pipernet

We simply need to modify it to the username@hostname format, as follows:

APKAEIB4ERJR3EXAMPLE@git-codecommit.us-east-1.amazonaws.com:/v1/repos/pipernet

Note the changes:

  1. Drop the 'ssh://' from the front of the connection string and replace it with the SSH key ID that IAM assigned to your public key in that account, followed by the '@' sign.
  2. Add a colon (':') after the host name.

This is all that needs to be done if your default SSH key is to be used for all AWS accounts.
Multiple SSH Keys for Multiple AWS Accounts

If you need a different SSH key for different AWS accounts, you'll have to modify your SSH config file (~/.ssh/config). In this file, we can define the connection details for multiple virtual hosts.

Host aviato.amazonaws.com
    HostName git-codecommit.us-east-1.amazonaws.com
    IdentityFile ~/.ssh/id_rsa_aviato
    User APKAEIB2ERJR2EXAMPLE

Host piedpiper.amazonaws.com
    HostName git-codecommit.us-east-1.amazonaws.com
    IdentityFile ~/.ssh/id_rsa_piedpiper
    User APKAEIB4ERJR3EXAMPLE

The key to understanding this approach is to know that the string after "Host" can be any unique value and does not have to be a real host name. Each "virtual" host then maps to the connection information, which includes a username, key file, and a real host name. The virtual host name can then be used in your Git remote configuration.

We just replace the canonical host name (something like git-codecommit.us-east-1.amazonaws.com) in the repository URL with our virtual host name:

git remote set-url origin ssh://piedpiper.amazonaws.com/v1/repos/pipernet
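The following shell helpers are an added example, not code from the original article: they generate the per-account config stanza shown above, append it to a config file only once, and rewrite a CodeCommit ssh:// URL into either the virtual-host form of this section or the username@hostname form of the single-key section. The virtual host labels, key IDs, key paths and config file path are constructed values; IdentitiesOnly is added on top of the article's stanza so that ssh offers only the configured key.

```shell
#!/bin/sh
# Added example (not from the original article). Helpers that build the
# per-account ~/.ssh/config stanza and rewrite CodeCommit ssh:// URLs.
# All labels, key IDs and key paths below are constructed values.

# Print one config stanza.
# $1 virtual host label (any unique string), $2 region, $3 IAM SSH key ID,
# $4 private key path
codecommit_stanza() {
    printf 'Host %s\n' "$1"
    printf '    HostName git-codecommit.%s.amazonaws.com\n' "$2"
    printf '    User %s\n' "$3"
    printf '    IdentityFile %s\n' "$4"
    # Without this, ssh also offers every key held by ssh-agent before the
    # configured one, so a key that IAM does not know may reach the server first.
    printf '    IdentitiesOnly yes\n'
}

# Append a stanza to a config file unless that Host label is already present,
# and keep the file private (ssh refuses a user config that others can write).
# $1 config file, remaining arguments as for codecommit_stanza
codecommit_add_host() {
    cfg=$1; shift
    if [ -f "$cfg" ] && grep -q "^Host $1\$" "$cfg"; then
        echo "Host $1 is already configured in $cfg" >&2
        return 1
    fi
    { [ -s "$cfg" ] && printf '\n'; codecommit_stanza "$@"; } >> "$cfg"
    chmod 600 "$cfg"
}

# Rewrite a CodeCommit ssh:// URL so it goes through a virtual host.
# $1 original URL, $2 virtual host label
codecommit_virtual_url() {
    path=${1#ssh://}      # drop the scheme
    path=${path#*/}       # drop the real host name, keep v1/repos/<name>
    printf 'ssh://%s/%s\n' "$2" "$path"
}

# Rewrite a CodeCommit ssh:// URL to the username@hostname:path form used
# with a single default key. $1 original URL, $2 IAM SSH key ID
codecommit_user_url() {
    rest=${1#ssh://}
    host=${rest%%/*}
    path=${rest#*/}
    printf '%s@%s:/%s\n' "$2" "$host" "$path"
}
```

After adding a stanza, `ssh -T <virtual host>` checks that the key and key ID pair up before you touch any Git remote.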

Per-Repository SSH Config

This can also be done on a per-repository basis using a custom SSH command in the Git configuration. The custom command only selects the key; Git itself appends the host name and the git-upload-pack or git-receive-pack invocation when it runs it. The remote URL therefore has to carry the username, in username@hostname format rather than a plain ssh:// URL. The username is your SSH key ID from IAM. Note that -F /dev/null makes ssh ignore ~/.ssh/config entirely, so none of the Host entries from the previous section apply to this repository.

git config core.sshCommand "ssh -i ~/.ssh/id_rsa_piedpiper -F /dev/null"
git remote set-url origin APKAEIB4ERJR3EXAMPLE@git-codecommit.us-east-1.amazonaws.com:/v1/repos/pipernet

The downside of this approach is that it limits you to a single SSH remote repository.