
AWS CodeCommit on OSX & unable to access / returned error: 403

Accessing a repository over the HTTPS protocol should be very simple, but on OSX it is currently broken. There is a solution, though.

The Problem

After you connect to a CodeCommit repository with HTTPS for the first time, subsequent access fails after about fifteen minutes. The default Git version on macOS uses the Keychain Access utility to store credentials. As a security measure, the password generated for access to your CodeCommit repository is temporary, so the credentials stored in the keychain stop working after about 15 minutes.

There is a great User Guide from the AWS team which offers 3 options:

A) Install a version of Git that does not use the keychain by default.
B) Configure the Keychain Access utility to not provide credentials for CodeCommit repositories.
C) Connect with SSH instead of HTTPS.
D) Allow the Keychain Access utility to access the item.
E) Use the AWS git codecommit protocol plugin. UPDATE 2020-05-06: I now use option E) instead of option D) and fixed some problems: "Fix AWS git-remote-codecommit SyntaxWarning / Namespace cli_binary_format"

I did not consider A), as I like that git uses the keychain for my other projects. B) is not really an option, as it globally disables git's access to the keychain. C) is a good option but much harder to set up with AWS CodeCommit.

I went with D), which forces you to delete, in the Keychain Access utility, the entry that gets created by each request once it expires 15 minutes after the first access. To make it easier I wrote this simple bash script:


It does work, but every time I pushed and forgot to call this script first, I got a 403 error. The <aws_access_key_id> was hard-coded, so using the script with other AWS profiles required a change.

The Solution

Looking under the hood of the git credential helper, I thought it might be possible to wrap the helper and include the call that deletes the credentials in the keychain. Additionally, I wanted a more flexible solution that obtains the "aws_access_key_id" from nothing more than the profile name.

To use this solution:

  1. Get the script and place it in a central location.
  2. Go to your project directory and replace the existing AWS credential helper with this command (one line!):
    git config --local credential.helper '!~/bin/ AWS_PROFILE'

DO NOT forget to replace the path "~/bin/" with the local path to the script and "AWS_PROFILE" with the required profile, or "default".

After this, your ".git/config" should have a section which looks like this:

    [credential]
        helper = !~/bin/ PROFILENAME

Any request to the remote repository, e.g. "git pull", will now be routed through this wrapper, and the 403 errors are gone.
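The wrapper described above, as an added example that is not the post's own script: it reads the aws_access_key_id of the given profile from ~/.aws/credentials, deletes the matching keychain item with the macOS "security" tool (skipped where that tool is absent), and then forwards git's request unchanged to "aws codecommit credential-helper". The script layout, the helper names and the decision to delete the item on both "get" and "store" are my assumptions, not the author's.

```bash
#!/usr/bin/env bash
# Hypothetical credential-helper wrapper for AWS CodeCommit (added example, not the post's script).
# git config --local credential.helper '!/path/to/this-script AWS_PROFILE'
# git then runs:  this-script AWS_PROFILE get|store|erase   with the request on stdin.
set -eu

# Print the aws_access_key_id of one profile from an AWS credentials file (INI format).
credentials_key_for() {
  cred_profile="$1"; cred_file="${2:-$HOME/.aws/credentials}"
  awk -v want="$cred_profile" '
    { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }            # trim whitespace
    line ~ /^\[.*]$/ { in_section = (substr(line, 2, length(line) - 2) == want); next }
    in_section && line ~ /^aws_access_key_id[ \t]*=/ {
      sub(/^aws_access_key_id[ \t]*=[ \t]*/, "", line); print line; exit
    }' "$cred_file"
}

# Extract one field (e.g. host) from the key=value lines git writes to the helper's stdin.
request_field() {
  awk -F= -v want="$1" '$1 == want { print substr($0, length(want) + 2); exit }'
}

# Delete the keychain item osxkeychain stored for this host and access key id: it holds a
# temporary CodeCommit password, so keeping it past its lifetime only yields 403s.
# No-op where the macOS "security" tool is absent, so the script can be tested elsewhere.
forget_keychain_entry() {
  command -v security >/dev/null 2>&1 || return 0
  security delete-internet-password -a "$1" -s "$2" >/dev/null 2>&1 || true
}

main() {
  profile="$1"; action="$2"
  request=$(cat)                      # keep the request so it can be forwarded unchanged
  case "$action" in
    get|store)                        # erase any cached copy around each lookup and store
      host=$(printf '%s\n' "$request" | request_field host)
      key_id=$(credentials_key_for "$profile")
      if [ -n "$key_id" ] && [ -n "$host" ]; then
        forget_keychain_entry "$key_id" "$host"
      fi
      ;;
  esac
  # Delegate to the real helper, which signs a fresh temporary password on every "get".
  printf '%s\n' "$request" | aws --profile "$profile" codecommit credential-helper "$action"
}

# Only act when git invokes us with a profile and an action (so sourcing is side-effect free).
if [ $# -ge 2 ]; then main "$@"; fi
```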
