
AWS CodeCommit on OSX & unable to access / returned error: 403

Accessing a repository over the HTTPS protocol should be very simple, but on OSX it is currently broken. There is a solution, though.

The Problem

After you connect to a CodeCommit repository with HTTPS for the first time, subsequent access fails after about fifteen minutes. The default Git version on macOS uses the Keychain Access utility to store credentials. As a security measure, the password generated for access to your CodeCommit repository is temporary, so the credentials stored in the keychain stop working after about 15 minutes.

There is a great User Guide from the AWS Team which offers 3 options:

A) Install a version of Git that does not use the keychain by default.
B) Configure the Keychain Access utility to not provide credentials for CodeCommit repositories.
C) Connect with SSH instead of HTTPS.
D) Allow access to the item in the Keychain Access utility.
E) Use the AWS git-remote-codecommit protocol plugin — UPDATE 2020–05–06: I now use Option E) instead of Option D) and fixed some problems: “Fix AWS git-remote-codecommit SyntaxWarning / Namespace cli_binary_format

I did not consider A) as I like that git uses the keychain for my other projects. B) is not really an option as it globally disables git's access to the keychain. C) is a good option but much harder to set up with AWS CodeCommit.

I went with D), which forces you to delete, in the Keychain Access app, the entry that each request creates, 15 minutes after the first access. To make this easier I wrote this simple bash script:


It does work, but every time I pushed and forgot to call this script, I got a 403 error. The <aws_access_key_id> was hard-coded, so using the script with another AWS profile required a change.

The Solution

Looking under the hood of the git credential helper, I thought it might be possible to wrap the helper and include the call that deletes the credentials from the keychain. Additionally, I wanted a more flexible solution that looks up the “aws_access_key_id” from just the profile name.

To use this solution:

  1. Get the script and place it in a central location.
  2. Go to your project directory and replace the existing AWS credential helper with this command (one line!):
    git config --local credential.helper '!~/bin/ AWS_PROFILE'

DO NOT forget to replace the path "~/bin/" with your local path to the script and "AWS_PROFILE" with the required profile name, or "default".

After this, your ".git/config" should have a section which looks like this:

[credential]
    helper = !~/bin/ PROFILENAME

Any request to the remote repository, e.g. "git pull", will now be routed through this wrapper, and the 403 errors are gone.
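The post's own wrapper script is not reproduced here, so the following is an added example of such a credential-helper wrapper (my reconstruction, not the author's script). It assumes the helper being wrapped is the AWS CLI's `aws codecommit credential-helper`, that the profile's key id is read from `~/.aws/credentials`, and that the stale keychain item is removed with macOS `security delete-internet-password`; the file name `codecommit-cred-helper.sh` is a placeholder.

```shell
#!/bin/sh
# Added example: a git credential-helper wrapper for CodeCommit over HTTPS.
# Hypothetical file name: ~/bin/codecommit-cred-helper.sh, configured with
#   git config --local credential.helper '!~/bin/codecommit-cred-helper.sh PROFILENAME'
set -eu

CREDENTIALS_FILE="${AWS_SHARED_CREDENTIALS_FILE:-${HOME:-}/.aws/credentials}"

# Look up aws_access_key_id for a profile in the INI-style credentials file.
# Prints the key id; exits non-zero when the profile or the key is missing.
aws_access_key_id_for_profile() {
    profile="$1"; file="${2:-$CREDENTIALS_FILE}"
    awk -v want="[$profile]" '
        { line = $0; sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]+$/, "", line) }
        line == want  { in_section = 1; next }
        line ~ /^\[/  { in_section = 0; next }
        in_section && line ~ /^aws_access_key_id[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "", line); print line; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# Extract the host= line of the credential request git writes to stdin.
request_host() { sed -n 's/^host=//p' | head -n 1; }

# Remove the cached temporary password for this key id and host from the
# login keychain so git cannot replay it after its ~15-minute lifetime.
# Only meaningful on macOS; a no-op elsewhere and when no entry exists.
forget_keychain_entry() {
    command -v security >/dev/null 2>&1 || return 0
    security delete-internet-password -a "$1" -s "$2" >/dev/null 2>&1 || true
}

main() {
    profile="$1"; action="$2"
    input="$(cat)"                              # key=value request from git
    if [ "$action" = "get" ]; then
        key_id="$(aws_access_key_id_for_profile "$profile")"
        host="$(printf '%s\n' "$input" | request_host)"
        forget_keychain_entry "$key_id" "$host"
    fi
    # Forward the unchanged request to the real AWS helper (get/store/erase).
    printf '%s\n' "$input" | aws --profile "$profile" codecommit credential-helper "$action"
}

if [ $# -ge 2 ]; then main "$@"; fi
```

Because git chains every configured credential helper, the wrapper deletes the keychain item before the osxkeychain helper is consulted, so the fresh temporary password from the AWS helper is what gets used.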

Andreas Heissenberger