Tag Archives: CodeCommit

Using CloudFormation to bootstrap EC2 instances with scripts from CodeCommit

While spinning up EC2 instances you can bootstrap them with packages, files, etc. in several ways. For our stack we wanted to pull the bootstrap scripts from an AWS CodeCommit repository to make life easier.

The (bash) scripts are stored in our CodeCommit repository, so first we need to make sure the EC2 instances, while spinning up, are allowed to access it. We created an IAM policy with the required rights and attached it to an IAM role, which an instance profile lets us attach to our EC2 instances.

AWS IAM Policy (the Action lists did not survive on this page and are shown empty; for the git clone in the UserData below the repository-scoped statement needs at least codecommit:GitPull):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [],
                "Resource": "arn:aws:codecommit:*:*:terra10-scripts"
            },
            {
                "Effect": "Allow",
                "Action": [],
                "Resource": "*"
            }
        ]
    }
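The second statement above grants something on every resource, which is more than a bootstrap clone needs. As an added check that is not part of the original post, here is a small script that reads a policy document and lists the grants a read-only clone of one repository does not require. SAMPLE_POLICY is constructed to mirror the shape of the policy above (a repository-scoped statement plus one on Resource "*"); its action lists are assumptions, not values from the page.

```python
"""Least-privilege check for the bootstrap role's CodeCommit policy.

Added example, not code from the original post. It reads an IAM policy
document and reports the grants a read-only `git clone` of one repository
does not need. SAMPLE_POLICY is constructed to mirror the post's policy
shape (a repository-scoped statement plus a statement on Resource "*");
the action lists in it are assumed, not taken from the page.
"""
import json

# The only CodeCommit action the clone in the UserData needs (assumption:
# the instance pulls scripts and never pushes).
CLONE_ACTIONS = {"codecommit:GitPull"}

# Constructed policy in the shape of the post's policy.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["codecommit:GitPull"],
            "Resource": "arn:aws:codecommit:*:*:terra10-scripts",
        },
        {
            "Effect": "Allow",
            "Action": ["codecommit:GitPull", "codecommit:GitPush"],
            "Resource": "*",
        },
    ],
})

# Constructed policy that grants only what the clone needs.
MINIMAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "codecommit:GitPull",
        "Resource": "arn:aws:codecommit:*:*:terra10-scripts",
    }],
})


def _as_list(value):
    """IAM accepts either a bare string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def check_policy(policy_json):
    """Return a list of findings; an empty list means the policy grants only
    CLONE_ACTIONS on named repositories."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {idx}: NotAction/NotResource grants everything else")
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append(f"statement {idx}: resource '*' covers every repository")
        for act in _as_list(stmt.get("Action", [])):
            if "*" in act:
                findings.append(f"statement {idx}: wildcard action {act!r}")
            elif act not in CLONE_ACTIONS:
                findings.append(f"statement {idx}: {act!r} is not needed for a clone")
    return findings


if __name__ == "__main__":
    for line in check_policy(SAMPLE_POLICY) or ["no findings"]:
        print(line)
```

Run against SAMPLE_POLICY it reports the wildcard resource and the unneeded GitPush in the second statement; MINIMAL_POLICY comes back clean. The check deliberately does not flag the `*` region and account fields in the repository ARN, which are looser than pinning them but still limit the grant to a repository name.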

We make sure the EC2 instances use the new IAM role by setting IamInstanceProfile to t10-ec2-role in the CloudFormation template (the property takes the name of an instance profile; when a role is created for EC2 in the console, an instance profile with the same name is created with it). The UserData section lets us run a script while the server boots. Installing the AWS CLI is required because the credential helper, which turns the instance role's credentials into Git credentials, is part of it; git itself has to be installed as well. Note that every process on the instance can obtain the role's credentials from the instance metadata service, so keep the policy read-only and scoped to the one repository.

  Type: AWS::EC2::Instance
  Properties:
    ImageId: !Ref HostAMI
    InstanceType: t2.micro
    IamInstanceProfile: t10-ec2-role
    Tags:
      - Key: Name
        Value: t10-k8s-controller1
    UserData:
      Fn::Base64: !Sub |
        #!/bin/bash -xe
        apt-get update
        apt-get -y install awscli git
        cd /tmp
        echo "######## git pull AWS CodeCommit files"
        # UserData already runs as root, so sudo is not needed. The helper
        # signs each request with the instance role's credentials.
        git config --global credential.helper '!aws codecommit credential-helper $@'
        git config --global credential.UseHttpPath true
        # The clone URL was missing on the page; this form assumes the
        # repository lives in the same region as the stack.
        git clone https://git-codecommit.${AWS::Region}.amazonaws.com/v1/repos/terra10-scripts /tmp/terra10-scripts



Posted by on 26-08-2018 in AWS



How to push to AWS CodeCommit from Mac OS X

When trying to commit to an AWS CodeCommit Git repository I receive the following error:

    jvzoggel$ git push
    fatal: unable to access '': The requested URL returned error: 403

The Amazon website states:

If you are using macOS, use HTTPS to connect to an AWS CodeCommit repository. After you connect to an AWS CodeCommit repository with HTTPS for the first time, subsequent access will fail after about fifteen minutes. The default Git version on macOS uses the Keychain Access utility to store credentials. For security measures, the password generated for access to your AWS CodeCommit repository is temporary, so the credentials stored in the keychain will stop working after about 15 minutes. To prevent these expired credentials from being used, you must either:

  • Install a version of Git that does not use the keychain by default.
  • Configure the Keychain Access utility to not provide credentials for AWS CodeCommit repositories.

I used the second option to fix it, so:

  1. Open the Keychain Access utility (use Finder to locate it)
  2. Search for git-codecommit
  3. Select the row, right-click and then choose Get Info.
  4. Choose the Access Control tab.
  5. In Confirm before allowing access, choose git-credential-osxkeychain, and then choose the minus sign to remove it from the list.


After removing git-credential-osxkeychain from the list, you will see a pop-up dialog whenever you run a Git command. Choose Deny to continue. The pop-up is really annoying, so I will probably switch over to SSH soon.
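Why a cached password goes stale, and what the credential helper configured in the EC2 bootstrap post above actually hands to git: the example below is added here and is not code from either post or from AWS. It re-creates the temporary password the AWS CLI's `aws codecommit credential-helper` derives for HTTPS access, as I understand that scheme: a SigV4 signature over a canonical request with the pseudo-method GIT, keyed from the caller's secret key and prefixed with the UTC timestamp at which it was signed. Because the timestamp is part of the password, a copy the keychain stored earlier stops working once CodeCommit no longer accepts that timestamp, which is the fifteen-minute behaviour the AWS note above describes. The access key, secret, region, repository and fixed time are constructed for the example (the key pair is the AWS documentation placeholder pair).

```python
"""What `aws codecommit credential-helper get` hands back to git.

Added example; not code from either post nor from AWS. It re-creates the
temporary password the AWS CLI helper derives for HTTPS access to
CodeCommit, as I understand that scheme: a SigV4 signature over a
canonical request with the pseudo-method 'GIT', keyed from the secret key
and prefixed with the UTC timestamp it was signed at. The timestamp is
part of the password, so a password cached by a credential store such as
the macOS keychain stops working once CodeCommit no longer accepts that
timestamp. All inputs below are constructed for the example.
"""
import datetime
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed inputs (assumptions, not values from the posts). The key pair
# is the placeholder pair used throughout the AWS documentation.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "eu-west-1"
REPO_URL = "https://git-codecommit.eu-west-1.amazonaws.com/v1/repos/terra10-scripts"
# Fixed signing time so the output is reproducible (the first post's date).
EXAMPLE_TIME = datetime.datetime(2018, 8, 26, 12, 0, 0, tzinfo=datetime.timezone.utc)


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def codecommit_password(secret_key, region, repo_url, when=None):
    """Temporary password for repo_url, signed at `when` (UTC; default now)."""
    if when is None:
        when = datetime.datetime.now(datetime.timezone.utc)
    timestamp = when.strftime("%Y%m%dT%H%M%S")
    date = timestamp[:8]
    parts = urlsplit(repo_url)
    hostname = parts.netloc.split(":")[0]  # a port number is not signed
    # Canonical request: method, path, empty query string, host header,
    # signed-header list. Only the host header is signed; there is no body.
    canonical_request = "GIT\n{}\n\nhost:{}\n\nhost\n".format(parts.path, hostname)
    scope = "{}/{}/codecommit/aws4_request".format(date, region)
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        timestamp,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    # SigV4 key derivation: date -> region -> service -> "aws4_request".
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, "codecommit")
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    # The timestamp rides along in the password so the server can rebuild
    # the string to sign and also reject signatures outside its time window.
    return "{}Z{}".format(timestamp, signature)


def codecommit_username(access_key_id, session_token=None):
    """Username the helper emits: the key id alone for long-term keys, or
    key id + '%' + session token for temporary credentials such as the ones
    an EC2 instance role provides."""
    if session_token is None:
        return access_key_id
    return "{}%{}".format(access_key_id, session_token)


def credential_helper_get(access_key_id, secret_key, region, repo_url,
                          session_token=None, when=None):
    """The key=value pairs git's credential protocol expects on stdout."""
    return {
        "username": codecommit_username(access_key_id, session_token),
        "password": codecommit_password(secret_key, region, repo_url, when),
    }


if __name__ == "__main__":
    for key, value in credential_helper_get(ACCESS_KEY_ID, SECRET_KEY, REGION, REPO_URL).items():
        print("{}={}".format(key, value))
```

Two things follow directly from the construction: the password changes with the repository path (hence credential.UseHttpPath true in the bootstrap post, so git asks the helper per repository instead of reusing one answer per host), and it changes with every second of signing time, so any store that caches the password by host, like the keychain, will replay a value the server has since stopped accepting.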




Posted by on 18-02-2017 in Uncategorized

