Connecting AWS CodeCommit in Multiple Accounts via SSH

Home, Bangkok, Thailand, 2020-08-12 10:12 +0700

#software_engineering #cloud


Over the past few months I’ve been using CodeCommit on projects that live in different AWS accounts but always using CodeCommit in the Singapore region. This means I need to connect through the same endpoint (git-codecommit.ap-southeast-1.amazonaws.com) but need to be able to specify different access keys depending on which account I am working with.

Here’s how to set this up.

Scenario

Let’s say I have my-project-a and my-project-b which are tracked in CodeCommit in AccountA and AccountB, respectively. I have a single SSH private key which I have registered in both accounts - that SSH key has access key ID APKAACCA in AccountA and APKAACCB in AccountB.

Host Aliases

It so happens that SSH allows you to define host aliases that specify different configurations for the same physical endpoint.

So our first step is to open ~/.ssh/config and define a host alias for each AWS Account using the account-specific access key credential:

Host accounta
	HostName git-codecommit.ap-southeast-1.amazonaws.com
	User APKAACCA
	IdentityFile ~/.ssh/id_rsa

Host accountb
	HostName git-codecommit.ap-southeast-1.amazonaws.com
	User APKAACCB
	IdentityFile ~/.ssh/id_rsa

This now means that if we tell SSH to connect to the host “accounta” it will actually connect to git-codecommit.ap-southeast-1.amazonaws.com using the username APKAACCA and the SSH private key ~/.ssh/id_rsa.

Note that there is no DNS-resolvable name “accounta” - it’s not even defined in our hosts file - this is an alias that SSH understands. Also note that I have placed the private portion of the keypair that I registered in each account at ~/.ssh/id_rsa - but this could be located elsewhere on my machine.

Remotes

Now we can just clone using that host alias:

λ git clone ssh://accounta/v1/repos/my-project-a

Or if the clone already exists with the CodeCommit endpoint as its URL we can update the URL to use the host alias:

λ git remote set-url origin ssh://accounta/v1/repos/my-project-a

Suggestion for Remote Naming

You may find that the default remote name “origin” is fine, but since my work is currently spread evenly across CodeCommit in many AWS accounts I’ve taken to naming my remotes the same as my host alias.

This is especially useful for the projects I have with remotes in multiple accounts, because I can git pull / git push using the name of the account.

For example:

# Create the project locally
λ mkdir my-project
λ cd my-project
λ git init .

# Add the repo in AccountA as a remote
λ git remote add accounta ssh://accounta/v1/repos/my-project

# Add the repo in AccountB as a remote
λ git remote add accountb ssh://accountb/v1/repos/my-project

λ git remote -v
accounta        ssh://accounta/v1/repos/my-project (fetch)
accounta        ssh://accounta/v1/repos/my-project (push)
accountb        ssh://accountb/v1/repos/my-project (fetch)
accountb        ssh://accountb/v1/repos/my-project (push)

λ git pull accounta
...
λ git push accountb
...

Since this is helpful for my projects that connect to multiple accounts, I’ve ended up using the same naming pattern on all my CodeCommit clones, even those with only one remote, so that the remote URL makes explicit which account I’m connecting to. I find this useful and would suggest adopting it.

Different Key Pairs

You may also have the need to use different SSH key pairs from the same client workstation.

First of all, I would actually recommend against using different key pairs from the same client machine - there’s really no security benefit to it and it just makes things more complicated.

Having said that you may be operating under some policy that requires you to do this - in this case you can just modify your ~/.ssh/config to specify different private keys for each host alias:

Host accounta
	HostName git-codecommit.ap-southeast-1.amazonaws.com
	User APKAACCA
	IdentityFile ~/.ssh/id_rsa_accounta

Host accountb
	HostName git-codecommit.ap-southeast-1.amazonaws.com
	User APKAACCB
	IdentityFile ~/.ssh/id_rsa_accountb

Easy.
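As an added example (not part of the original post), the script below generates the per-account Host stanzas from the Host Aliases and Different Key Pairs sections, builds the ssh://alias/v1/repos/... remote URLs from the Remotes section, and adds the two checks I would want before trusting the config: resolving an alias with `ssh -G` to see what SSH will really use without connecting, and refusing a private key that is group- or world-readable. The helper names are my own; the alias names, access key IDs and key paths are the post’s sample values.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are made up here;
# alias names, access key IDs and key paths are the post's constructed values.

ENDPOINT="git-codecommit.ap-southeast-1.amazonaws.com"

# Print one ~/.ssh/config Host stanza (tab-indented, as in the post).
#   $1 alias   $2 SSH access key ID (becomes User)   $3 private key path
codecommit_host_stanza() {
    printf 'Host %s\n\tHostName %s\n\tUser %s\n\tIdentityFile %s\n' \
        "$1" "$ENDPOINT" "$2" "$3"
}

# Remote URL for a repo reached through a host alias: ssh://<alias>/v1/repos/<repo>
codecommit_remote_url() {
    printf 'ssh://%s/v1/repos/%s' "$1" "$2"
}

# Show what ssh will really do for an alias (hostname, user, key) without
# connecting. "ssh -G" prints the effective configuration (OpenSSH 6.8+).
#   $1 alias   $2 config file to read instead of ~/.ssh/config
codecommit_resolve() {
    ssh -G -F "$2" "$1" | awk '$1=="hostname" || $1=="user" || $1=="identityfile"'
}

# A private key must not be group/world readable; ssh refuses such a key
# anyway, but checking here gives a clearer error. Returns 0 when the mode is ok.
check_key_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Assemble a config from the two accounts in the post and resolve one alias.
cfg=$(mktemp)
{
    codecommit_host_stanza accounta APKAACCA '~/.ssh/id_rsa_accounta'
    echo
    codecommit_host_stanza accountb APKAACCB '~/.ssh/id_rsa_accountb'
} > "$cfg"
cat "$cfg"
if command -v ssh >/dev/null 2>&1; then
    codecommit_resolve accounta "$cfg"   # expect user APKAACCA at the endpoint
fi
rm -f "$cfg"
```

Run `codecommit_resolve accounta ~/.ssh/config` against your real config to confirm that the alias maps to the endpoint, access key ID and key you intended; a mismatch there is the usual cause of CodeCommit answering with a permissions error.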