AWS CodeCommit Multiple Accounts
How to tame git credential management

Repository Not Found

If, for whatever reason, you find yourself trying to connect to AWS CodeCommit repositories hosted in more than 1 AWS account from a Windows machine, you may run into this frustrating issue.

The Problem

When you have the following git config:

[credential]
  helper=manager

Because AWS CodeCommit uses the same URL per region for all git repositories, this causes trouble if you use multiple AWS accounts (not particularly out of the ordinary for a consultant like myself). Setting up the first repository will be fairly straightforward, but when you switch accounts and attempt to connect to a git repository in the second AWS account, you will receive the following error message the first time you try to clone or push to the repository:

fatal: repository 'https://git-codecommit.<aws-region>.amazonaws.com/v1/repos/<reponame>/' not found

Given this URL was just copied from the AWS console, it's clear that the repository exists. The issue is that the Windows Credential Manager has already stored the credentials for the first AWS account against the base URL of the git server, which is https://git-codecommit.<aws-region>.amazonaws.com. This base URL is the same for every account as long as you are using the same region, but of course the access credentials will be completely different.


What we really wanted to see here is the credential prompt from Windows Credential Manager, allowing us to enter credentials for the other AWS account. But because Windows Credential Manager has stored the original credentials against the same base URL, when git asks it for credentials it returns the ones for the first CodeCommit repository you set up. For more information on how Git Credential Manager for Windows works, see Git Credential Manager for Windows.

The Solution

The solution is firstly to remove the credentials for AWS CodeCommit from the credential store (note, please make sure you have these credentials stored somewhere else before you do this). Now when you try to clone or push to the repository hosted in the second AWS account, you will get the desired credential prompt which will allow you to type in the new credentials, and authenticate to the second repository.

If you still need access to the repository hosted in the first account, you will need to use the AWS CLI's CodeCommit credential helper locally in that repository (in fact, this could be the solution for the second repository as well).

Ensuring you have the AWS CLI installed, in the first repository execute the following commands:

git config --local credential.helper "!aws codecommit credential-helper $@"
git config --local credential.UseHttpPath "true"

Next time you pull from this repository, a similar credential window will be displayed, but this time the credentials will be stored only for this repo, and not for every AWS CodeCommit repository.
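
To see why the base URL collision happens and what the path setting changes, this added example (not from the original post) asks git which attributes it hands to a credential helper for two repositories in one region, with credential.useHttpPath off and on. It assumes git and a POSIX shell such as Git Bash; the region, repository names, logging helper and dummy credentials are constructed.

```shell
#!/bin/sh
# Added illustration, not from the original post. Constructed values: the
# us-east-1 region, repo-a / repo-b, and the demo username/password.
BASE=https://git-codecommit.us-east-1.amazonaws.com

# what_git_asks <true|false> <url>
# Prints the lookup attributes git sends to a credential helper for <url>
# when credential.useHttpPath is set to the first argument.
what_git_asks() {
    CRED_LOG=$(mktemp); export CRED_LOG
    # Hypothetical logging helper: records git's request, answers with dummy values.
    helper='!f() { cat >> "$CRED_LOG"; echo username=demo; echo password=demo; }; f'
    printf 'url=%s\n\n' "$2" |
        GIT_TERMINAL_PROMPT=0 git -c credential.helper= \
            -c "credential.helper=$helper" \
            -c "credential.useHttpPath=$1" credential fill >/dev/null
    grep -E '^(protocol|host|path)=' "$CRED_LOG" | sort | paste -sd' ' -
    rm -f "$CRED_LOG"
}

# collide <true|false>
# Succeeds when two repositories in the same region yield the same lookup key,
# i.e. a credential stored for one would be returned for the other.
collide() {
    a=$(what_git_asks "$1" "$BASE/v1/repos/repo-a")
    b=$(what_git_asks "$1" "$BASE/v1/repos/repo-b")
    [ "$a" = "$b" ]
}

for setting in false true; do
    echo "useHttpPath=$setting"
    echo "  repo-a -> $(what_git_asks "$setting" "$BASE/v1/repos/repo-a")"
    echo "  repo-b -> $(what_git_asks "$setting" "$BASE/v1/repos/repo-b")"
    if collide "$setting"; then
        echo "  same key: one stored credential answers for both repositories"
    else
        echo "  distinct keys: each repository gets its own credential entry"
    fi
done
```

With the setting off, git drops the path for HTTPS URLs before asking the helper, so any store keyed on protocol and host cannot tell the two accounts' repositories apart.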

Addendum

If you get an error saying "codecommit credential-helper $@ get: aws: command not found", then it is likely due to the issue discussed here. The solution I used was to use the full path to the AWS CLI, like so:

git config --local credential.helper "!\C:\\Program\ Files\\Amazon\\AWSCLI\\bin\\aws.cmd codecommit credential-helper $@"
*****
Written by Scott Baldwin on 29 November 2018