3

I can clone my CodeCommit repository successfully, but when I try to push to it, I get 403. Fetching and pulling works, however. It's as if I have read-only access.

I have set up my .gitconfig to use AWS CLI for credential manager:

[credential]
        helper = !aws --profile builder codecommit credential-helper $@
        UseHttpPath = true

The problem is that the error doesn't tell me why pushing is failing:

$ git push origin test-branch
fatal: unable to access 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-example-repo/': The requested URL returned error: 403

Most questions on the internet about this error are when cloning fails, but cloning works for me. I found this question where cloning succeeds and pushing fails, but his error is different - aws codecommit cannot push.

Edit: After looking at my CodeCommit policy, it has Full: Read, Limited: List, Write:


There is also a ResourceSpecifier = foo-*, but that holds for GitPull permission and pulling works, so I doubt it's the resource specifier.

sashoalm
  • 75,001
  • 122
  • 434
  • 781

3 Answers

4

For macOS: Delete the code-commit internet passwords in Keychain and try again. Also:

git config --global credential.helper '!aws codecommit credential-helper $@'
git config --global credential.UseHttpPath true
woodpav
  • 1,917
  • 2
  • 13
  • 26
1

I imagine you're right about the read-only permissions. As the docs state, you need the codecommit:GitPush permission in your IAM policy to be allowed to push commits from your local repository to the CodeCommit repository.

Being able to pull the repository means your credentials are set up correctly; if they weren't, you wouldn't be able to git pull / git fetch at all.

Tom Nijs
  • 3,835
  • 3
  • 22
  • 40
  • I updated my question with details about my IAM policy. – sashoalm Nov 16 '17 at 13:36
  • Could you include your actual policy? It'll have the actual specific permissions you have as opposed to 'limited' which could be any number of things. – Tom Nijs Nov 16 '17 at 14:09
  • 1
    I found it, it was indeed the `ResourceSpecifier`. After changing it in the Policy so it matched my repo name, it started working. I'll accept your answer since it led me in the right direction. – sashoalm Nov 18 '17 at 00:00
0

@Tom's answer sent me in the right direction. To expand on it, the reason was that my user had write permissions only for repositories whose name matches a certain pattern containing wildcards.

This pattern is from the policy JSON, and looks like this:

"Resource": "arn:aws:codecommit:*:*:bar*"

This pattern would give me write access to any repository whose name starts with bar, so I could push to a repo named bar or bar2, but not to a repo named foo-bar because it doesn't start with bar even though it contains it.

sashoalm
  • 75,001
  • 122
  • 434
  • 781