Using Git with AWS CodeCommit Across Multiple AWS Accounts


I utilize AWS CodeCommit to manage all of my private Git repositories. My repositories are organized across several AWS accounts for various purposes: personal projects, internal initiatives at my job, and client engagements. While the CodeCommit documentation provides guidance on how to set up and clone a repository, this blog post aims to explain how I handle my Git configuration when working across multiple AWS accounts.

Background

To begin with, I have set up an AWS CLI profile for each of my AWS environments. I connect to some accounts using IAM user credentials and to others through cross-account roles. Notably, I do not attach any credentials to the default profile. This ensures that I must consciously select a profile before executing any AWS CLI command.

Here’s an anonymized version of my ~/.aws/config file:

[profile personal]
region = eu-west-1
aws_access_key_id = ABCDEFGHIJKLMNOPQRST
aws_secret_access_key = uvwxyz0123456789abcdefghijklmnopqrstuvwx

[profile work]
region = us-east-1
aws_access_key_id = ABCDEFGHIJKLMNOPQRST
aws_secret_access_key = uvwxyz0123456789abcdefghijklmnopqrstuvwx

[profile customer]
region = eu-west-2
source_profile = work
role_arn = arn:aws:iam::123456789012:role/CrossAccountPowerUser

When I need to work within a specific account, I execute export AWS_PROFILE=work and proceed to use the AWS CLI as usual.

The Challenge

I employ the Git credential helper to ensure seamless integration between the Git client and CodeCommit. However, using different profiles for various repositories complicates my setup compared to the average user. To utilize the credential helper, the following configuration needs to be added to your ~/.gitconfig file:

[credential]
    helper = !aws codecommit credential-helper $@
    UseHttpPath = true

While it’s possible to set the appropriate AWS_PROFILE value before using Git in a repository, a more elegant solution exists thanks to a feature introduced in Git version 2.13: conditional includes.

A Solution

First, I organize my projects into distinct folders, resulting in a directory structure like this:

code
    personal
        repo1
        repo2
    work
        repo3
        repo4
    customer
        repo5
        repo6

This structure allows each folder directly under the code directory to have its own configuration for CodeCommit.

To address this, I create a .gitconfig file in each of the three project folders. These files contain any necessary customizations, particularly the credential helper configuration. For instance:

[user]
    # Use a custom email address
    email = jessica.thompson@example.com

[credential]
    # Note the use of the --profile switch
    helper = !aws --profile work codecommit credential-helper $@
    UseHttpPath = true

By specifying the AWS CLI profile within the .gitconfig file, I eliminate the need to set AWS_PROFILE prior to executing commands such as git push.

Next, to leverage these folder-specific .gitconfig files, I reference them in my global Git configuration located at ~/.gitconfig. This is accomplished through the includeIf section. For example:

[includeIf "gitdir:~/code/personal/"]
    path = ~/code/personal/.gitconfig

This configuration tells Git that, for any repository under ~/code/personal/, it should load additional settings from ~/code/personal/.gitconfig. The contents of the included file are treated as if they had been inserted into the main .gitconfig file at the point of the includeIf statement. This means the included configuration only overrides settings defined earlier in the file, not settings that appear after the includeIf statement.
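
To check which profile a repository will actually use before pushing, the following added example (not code from the original post) rebuilds the folder layout above in a temporary HOME and asks Git for the effective settings. The email addresses, the "elsewhere" repository and the per-folder profile names written by the loop are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): build the post's folder layout in a
# throwaway HOME and ask Git which settings each repository actually resolves.
# Folder names follow the post; email addresses are constructed sample values.

setup_sandbox() {
    SANDBOX=$(cd "$(mktemp -d)" && pwd -P) || return 1
    export HOME="$SANDBOX" GIT_CONFIG_NOSYSTEM=1   # ignore the real user/system config
    unset XDG_CONFIG_HOME GIT_CONFIG_GLOBAL GIT_DIR
    for p in personal work customer; do
        mkdir -p "$HOME/code/$p"
        # Folder-level config pinning the AWS CLI profile for the helper
        cat > "$HOME/code/$p/.gitconfig" <<EOF
[user]
    email = $p@example.com
[credential]
    helper = !aws --profile $p codecommit credential-helper \$@
    UseHttpPath = true
EOF
        # The trailing slash makes the pattern match every repository below the folder
        cat >> "$HOME/.gitconfig" <<EOF
[includeIf "gitdir:~/code/$p/"]
    path = ~/code/$p/.gitconfig
EOF
    done
    git init -q "$HOME/code/work/repo3"
    git init -q "$HOME/code/customer/repo5"
    git init -q "$HOME/elsewhere"    # outside ~/code: no include should apply
}

# Print the effective value of config key $2 for the repository at $1
effective() {
    git -C "$1" config --get "$2" || echo "(unset)"
}

setup_sandbox
for repo in code/work/repo3 code/customer/repo5 elsewhere; do
    printf '%-22s %s | %s\n' "$repo" \
        "$(effective "$HOME/$repo" user.email)" \
        "$(effective "$HOME/$repo" credential.helper)"
done
rm -rf "$SANDBOX"
```

A repository that reports "(unset)" for credential.helper lies outside every gitdir pattern, so Git will not call the CodeCommit helper for it at all.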

I hope this approach proves helpful. If you have questions or feedback, feel free to leave them in the comments.
