25

Having an incredibly difficult time figuring out how to get AWS CodeCommit to work with standard SSH authentication. Seen another topic like this but no answer and I'm not allowed to comment yet. This is on Windows using Git Bash.

Repro Steps

  1. Created IAM user with full permissions (AwsAdministrator)
  2. From Git Bash in ~/.ssh
  3. "cat id_rsa.pub" and copy output to clipboard
  4. In IAM console, click button to add SSH key and paste into the input field. Click Save.
  5. Attempt to access a CodeCommit repo (in this case trying to push) and get "Permission denied".

Git + SSH output

This is what I get from SSH with DEBUG3 logging:

debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /c/Users/Dan/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug2: input_userauth_pk_ok: fp SHA256:<omitted>
debug3: sign_and_send_pubkey: RSA SHA256:<same-as-above>
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
fatal: Could not read from remote repository.

For comparison this is what I get using the exact same SSH keys to GitHub:

debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /c/Users/Dan/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug2: input_userauth_pk_ok: fp SHA256:<same-as-above>
debug3: sign_and_send_pubkey: RSA SHA256:<same-as-above>
debug1: Authentication succeeded (publickey).
Authenticated to github.com ([192.30.252.130]:22).

The above output was from running a normal git command such as git push origin master with ssh debug logging enabled in .ssh/config:

Host git-codecommit.us-east-1.amazonaws.com
  LogLevel DEBUG3

Host github.com
  LogLevel DEBUG3
Dan
  • what is the command you are using to get this log? What can you see in the server error log? – Jakuje Jan 03 '16 at 19:49
  • @Jakuje updated the description with how I ran the command to get the log. Don't know how I would see the server log for AWS and GitHub? – Dan Jan 04 '16 at 04:14

9 Answers

29

It looks like you missed a step in setting up SSH. You need to add this information to your .ssh/config file:

Host git-codecommit.us-east-1.amazonaws.com
   # Your-SSH-Key-ID, such as APKAEIBAERJR2EXAMPLE
   User APKAEIBAERJR2EXAMPLE
   # Your-Private-Key-File, such as ~/.ssh/codecommit_rsa or ~/.ssh/id_rsa
   IdentityFile ~/.ssh/codecommit_rsa

You can get Your-SSH-Key-ID from the IAM console.

Wade Matveyenko
  • 2
    That was indeed the problem, thanks! Would have been far more obvious if I had looked at the [Linux/Mac steps here](http://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-ssh-unixes.html) instead of trying to translate the [Windows steps here](http://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-ssh-windows.html) – Dan Jan 05 '16 at 04:07
  • I was relying on a config file created by Sourcetree and it wasn't working. Once I changed my config file to this, it worked – Brian McCall May 03 '18 at 21:47
6

My case was a bit different.

The "Security credentials" tab has both "Access keys" and "SSH keys for AWS CodeCommit". Make sure you're using the CodeCommit key id.

dejanualex
ᴍᴇʜᴏᴠ
  • I uploaded the key correctly, but when I went to copy the ID I grabbed the wrong one, thanks for adding this, I'd have lost my mind otherwise. – Richard Dunn Aug 11 '22 at 18:14
  • 1
    daam, I've taken the Access key ID by mistake (added the pic for clarity) and lost a good amount of time trying to figure out why even git clone ssh://Your-SSH-Key-ID@... didn't work – dejanualex Sep 21 '22 at 20:00
5

This worked

Host git-codecommit.us-west-2.amazonaws.com
    User SSHKEYID
    IdentityFile ~/.ssh/id_rsa
Prajwol KC
5

Try to use sshkey-ID when making git clone

So git clone should look like this:

git clone ssh://<SSHKEY-ID>@git-codecommit.<REGION>.amazonaws.com/v1/repos/<REPO-NAME>
Taras Vaskiv
3

Please follow the following documentation from AWS:

Linux

https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-ssh-unixes.html

Windows

https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-ssh-windows.html

I have tested setting up the SSH connection for Windows only; please test the SSH connection for Linux by following the above-mentioned link.

The following are the steps for setting up the SSH connection for CodeCommit on Windows 10.

Step 1

Initial configuration for CodeCommit (please refer to the documentation link)

Step 2

Install Git (please refer to the documentation link)

Step 3

Generate an SSH key by running the following command:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

After running this command, it should generate a public key (.pub) and a private key in the C:\Users\{user name here}\.ssh directory.

Step 4

Log in to the AWS Management Console and go to IAM --> Users --> Select Target User --> Security credentials tab --> SSH keys for AWS CodeCommit and click upload SSH key. Copy and paste the contents of the public key, e.g. C:\Users\{user name here}\.ssh\id_rsa.pub, and save changes. But you can choose a different name for your public key (id_rsa.pub) while using the command ssh-keygen -t rsa -b 4096 -C "your_email@example.com".

Step 5

After uploading the public key, copy the SSH key ID.

Step 6

Create the C:\Users\{user name here}\.ssh\config file (with no file extension; in Windows, save it as config and select the "all file types" option. Config.txt most probably will not work). Paste the following contents into the C:\Users\{user name here}\.ssh\config file:

Host git-codecommit.*.amazonaws.com
  User {copy SSH key ID here}
  IdentityFile ~/.ssh/{copy name of the private key file here}

# Example with the placeholders filled in:
Host git-codecommit.*.amazonaws.com
  User THISISEXMAPLE123
  IdentityFile ~/.ssh/id_rsa
  

Step 7

  git clone ssh://Your-SSH-Key-ID@git-codecommit.us-east-2.amazonaws.com/v1/repos/MyDemoRepo my-demo-repo
rafiquenazir
1

Make sure the config file is not saved as txt file and use SSH Key ID, not Access

0

Changes in AWS core configuration vary. You can possibly get all the configurations right and still have issues with the connection. To be direct and explicit.

Try changing the default git URL origin like this, from the old one to <KEY_ID>@git-codecomitxxxxxxxx/v1/repos/xxxxx. Make sure the key serves as user owner of the repository

and push again.

Codedreamer
0

In my case I configured ~/.ssh/config as follows:

Host remote
  HostName  git-codecommit.us-east-1.amazonaws.com
  User APLAY5AJ2VA0XEXAMPLE
  IdentityFile ~/.ssh/id_rsa

and I tried cloning with the command

git clone ssh://git-codecommit.us-east-1.amazonaws.com/v1/repos/repo-name

and it resulted in permission denied.

But running the following command did the job:

git clone ssh://remote/v1/repos/repo-name
Harshil Modi
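
The answers above come down to which `User` ssh actually sends to the CodeCommit endpoint: none at all (the question's config only sets `LogLevel`), one bound to a `Host` alias that the clone URL never names, or an access key ID instead of the SSH key ID. The sketch below is an added example, not code from any poster or from AWS; it models `Host` matching in a simplified way, assumes the IAM ID prefixes `APKA` (uploaded public key) and `AKIA` (access key), and its function names and sample configs are constructed.

```python
import fnmatch

ENDPOINT = "git-codecommit.us-east-1.amazonaws.com"

def resolve(config_text, host):
    """Options ssh would apply to `host`. Simplified model: Host blocks with
    '*'/'?' patterns only (no '!' or Match); first value per keyword wins."""
    opts, active = {}, True  # lines before the first Host apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            active = any(fnmatch.fnmatchcase(host.lower(), p) for p in value.lower().split())
        elif active:
            opts.setdefault(key, value)
    return opts

def diagnose(config_text, host):
    """Classify the User that ssh would send for `host`."""
    user = resolve(config_text, host).get("user")
    if user is None:
        return "no-user"  # ssh falls back to the local login name
    if user.startswith("APKA"):
        return "ok"       # prefix IAM gives uploaded public (SSH) keys
    # AKIA is the IAM access key prefix: the mix-up described in the answers
    return "access-key-id" if user.startswith("AKIA") else "unexpected-id"

# Constructed sample configs; the key IDs are documentation-style placeholders.
QUESTION_CONFIG = """
Host git-codecommit.us-east-1.amazonaws.com
  LogLevel DEBUG3
"""
ALIAS_CONFIG = """
Host remote
  HostName  git-codecommit.us-east-1.amazonaws.com
  User APKAEIBAERJR2EXAMPLE
  IdentityFile ~/.ssh/id_rsa
"""
WRONG_ID_CONFIG = """
Host git-codecommit.*.amazonaws.com
  User AKIAIOSFODNN7EXAMPLE
  IdentityFile ~/.ssh/id_rsa
"""
if __name__ == "__main__":
    for cfg, host in [(QUESTION_CONFIG, ENDPOINT), (ALIAS_CONFIG, ENDPOINT),
                      (ALIAS_CONFIG, "remote"), (WRONG_ID_CONFIG, ENDPOINT)]:
        print(host, "->", diagnose(cfg, host))
```

On a real machine, `ssh -G <host>` prints the options OpenSSH itself resolves for that host, which is the authoritative check.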
0

The problem that you have is that Windows automatically saves the config file as a config.txt during Step 8 to 9 of the AWS documentation.

https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-ssh-windows.html?icmpid=docs_acc_console_connect_np#setting-up-ssh-windows-keys-windows

You can overcome this by following the instructions below

  1. Open up a cmd
  2. cd Users\Mr.S>cd C:\Users\Mr.S\.ssh (Here you are navigating to the .ssh directory where the config.txt file is located)
  3. Type copy config.txt config (Here you are converting the config.txt file into a config file by using the copy function)

Once you've done the above, proceed to the next step.

Mr.S