Over the past few months I’ve been using CodeCommit on projects that live in different AWS accounts but always using CodeCommit in the Singapore region. This means I need to connect through the same endpoint (git-codecommit.ap-southeast-1.amazonaws.com) but need to be able to specify different access keys depending on which account I am working with.
Here’s how to set this up.
Scenario
Let’s say I have my-project-a and my-project-b which are tracked in CodeCommit in AccountA and AccountB respectively. I have a single SSH private key which I have registered in both accounts - that SSH key has access key ID APKAACCA in AccountA and APKAACCB in AccountB
Host Aliases
It so happens that SSH allows you to define host aliases that specify different configurations for the same physical endpoint.
So our first step is to open ~/.ssh/config and define a host alias for each AWS Account using the account-specific access key credential:
Host accounta
HostName git-codecommit.ap-southeast-1.amazonaws.com
User APKAACCA
IdentityFile ~/.ssh/id_rsa
Host accountb
HostName git-codecommit.ap-southeast-1.amazonaws.com
User APKAACCB
IdentityFile ~/.ssh/id_rsa
This now means that if we tell SSH to connect to the host “accounta” it will actually connect to git-codecommit.ap-southeast-1.amazonaws.com using the username AKPAACCA and the SSH private key ~/.ssh/id_rsa.
Note that there is no DNS-resolvable name “accounta” - it’s not even defined in our hosts file - this is an alias that SSH understands. Also note that I have placed the private portion of the keypair that I registered in each account at ~/.ssh/id_rsa - but this could be located elsewhere on my machine.
Remotes
Now we can just clone using that host alias:
λ git clone ssh://accounta/v1/repos/my-project-a
Or if the clone already exists with the CodeCommit endpoint as it’s URL we can update the URL to use the host alias:
λ git remote set-url origin ssh://accounta/v1/repos/my-project-a
Suggestion for Remote Naming
You may find that the default remote name “origin” is fine but since my work is currently spread evenly across CodeCommit in may AWS accounts I’ve taken to naming my remotes the same as my host alias.
This is especially useful for some projects that I have which have remotes in multiple accounts because I can git pull / git push with the name of the account.
For example:
# Create the project locally
λ mkdir my-project
λ cd my-project
λ git init .
# Add the repo in AccountA as a remote
λ git remote add accounta ssh://accounta/v1/repos/my-project
# Add the repo in AccountB as a remote
λ git remote add accountb ssh://accountb/v1/repos/my-project
λ git remote -v
accounta ssh://accounta/v1/repos/my-project (fetch)
accounta ssh://accounta/v1/repos/my-project (push)
accountb ssh://accountb/v1/repos/my-project (fetch)
accountb ssh://accountb/v1/repos/my-project (push)
λ git pull accounta
...
λ git push accountb
...
Since it’s helpful to do this with my projects that connect to multiple accounts I’ve ended up using this naming pattern on all my CodeCommit clones even those that have only one remote so it’s explicit in the remote URL what account I’m connecting to. I find this useful and would suggest adopting this.
Different Key Pairs
You may also have the need to use different SSH key pairs from the same client workstation.
First of all I would actually recommend against using different keypairs from the same client machine - there’s really no security benefit to it and it just makes things more complicated.
Having said that you may be operating under some policy that requires you to do this - in this case you can just modify your ~/.ssh/config to specify different private keys for each host alias:
Host accounta
HostName git-codecommit.ap-southeast-1.amazonaws.com
User APKAACCA
IdentityFile ~/.ssh/id_rsa_accounta
Host accountb
HostName git-codecommit.ap-southeast-1.amazonaws.com
User APKAACCB
IdentityFile ~/.ssh/id_rsa_accountb
Easy.