AWS CodeCommit

Supported on Enterprise plans.

Available via the Web app.

Site admins can sync Git repositories hosted on AWS CodeCommit with Sourcegraph so that users can search and navigate the repositories.

To connect AWS CodeCommit to Sourcegraph:

  1. Go to Site admin > Manage code hosts > Add repositories
  2. Select AWS CodeCommit repositories.
  3. Configure the connection to AWS CodeCommit using the action buttons above the text field, and additional fields can be added using Cmd/Ctrl+Space for auto-completion. See the configuration documentation below.
  4. Press Add repositories.

AWS CodeCommit Git credentials

Since version 3.4 of Sourcegraph, the AWS CodeCommit service requires Git credentials in order to clone repositories via HTTPS. Git credentials consist of a username and a password that you can create in AWS IAM.

For detailed instructions on how to create the credentials in IAM, see: Setup for HTTPS Users Using Git Credentials

We don't plan to implement and support authentication roles for AWS CodeCommit such as IAM Roles, for example AssumeRole or IAM Anywhere. We encourage CodeCommit customers to continue Sourcegraph's provisions as shown in the schema below.

Configuration

AWS CodeCommit connections support the following configuration options, which are specified in the JSON editor in the site admin "Manage code hosts" area.

admin/code_hosts/aws_codecommit.schema.json

JSON
{
	// The AWS access key ID to use when listing and updating repositories from AWS CodeCommit. Must have the AWSCodeCommitReadOnly IAM policy.
	"accessKeyID": null,
 
	// A list of repositories to never mirror from AWS CodeCommit.
	//
	// Supports excluding by name ({"name": "git-codecommit.us-west-1.amazonaws.com/repo-name"}) or by ARN ({"id": "arn:aws:codecommit:us-west-1:999999999999:name"}).
	"exclude": null,
	// Other example values:
	// - [
	//     {
	//       "name": "go-monorepo"
	//     },
	//     {
	//       "id": "f001337a-3450-46fd-b7d2-650c0EXAMPLE"
	//     }
	//   ]
	// - [
	//     {
	//       "name": "go-monorepo"
	//     },
	//     {
	//       "name": "go-client"
	//     }
	//   ]
 
	// The Git credentials used for authentication when cloning an AWS CodeCommit repository over HTTPS.
	//
	// See the AWS CodeCommit documentation on Git credentials for CodeCommit: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_ssh-keys.html#git-credentials-code-commit.
	// For detailed instructions on how to create the credentials in IAM, see this page: https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-gc.html
	"gitCredentials": null,
 
	// Deprecated and ignored field which will be removed entirely in the next release. AWS CodeCommit repositories can no longer be enabled or disabled explicitly. Configure which repositories should not be mirrored via "exclude" instead.
	"initialRepositoryEnablement": false,
 
	// The AWS region in which to access AWS CodeCommit. See the list of supported regions at https://docs.aws.amazon.com/codecommit/latest/userguide/regions.html#regions-git.
	"region": "us-east-1",
 
	// The pattern used to generate a the corresponding Sourcegraph repository name for an AWS CodeCommit repository. In the pattern, the variable "{name}" is replaced with the repository's name.
	//
	// For example, if your Sourcegraph instance is at https://src.example.com, then a repositoryPathPattern of "awsrepos/{name}" would mean that a AWS CodeCommit repository named "myrepo" is available on Sourcegraph at https://src.example.com/awsrepos/myrepo.
	//
	// It is important that the Sourcegraph repository name generated with this pattern be unique to this code host. If different code hosts generate repository names that collide, Sourcegraph's behavior is undefined.
	"repositoryPathPattern": "{name}",
	// Other example values:
	// - "git-codecommit.us-west-1.amazonaws.com/{name}"
	// - "git-codecommit.eu-central-1.amazonaws.com/{name}"
 
	// The AWS secret access key (that corresponds to the AWS access key ID set in `accessKeyID`).
	"secretAccessKey": null
}

Setup steps for SSH connections to AWS CodeCommit repositories

To add CodeCommit repositories in Docker Container:

  1. Generate a public/private rsa key pair that does not require passphrase as listed in the Step 3.1 of the AWS SSH setup guide. Sourcegraph does not work with the key pair that requires passphrase.
  2. Follow the rest of the steps detailed in the AWS SSH setup guide to make sure you can connect to the code host locally.
  3. Confirm you have the connection by running the following ssh command locally: ssh git-codecommit.us-west-1.amazonaws.com (Update link with your server region)
  4. Confirm you can clone the repository locally.

Configuring SSH credentials in the Web UI

JSON
{
  "gitURLType": "ssh",
  "gitSSHKeyID": "<SSH key ID>",
  "gitSSHCredential": {
    // make sure the key is base64 encoded
    // $ cat ~/.ssh/id_rsa | base64
    "privateKey": "<base64 encoded of the SSH private key>",
    "passphrase": "<passphrase if applicable, omit if none is needed>"
  }
}

Configuration Notes

Git Credentials Requirement

AWS CodeCommit requires Git credentials for HTTPS authentication since Sourcegraph version 3.4:

  • Git credentials consist of a username and password generated in AWS IAM
  • These are different from your regular AWS access keys
  • Follow the AWS Git credentials setup guide for detailed instructions

Repository Path Patterns

The repositoryPathPattern field allows customization of repository URLs within Sourcegraph:

  • Default pattern: "{name}" results in URLs like src.example.com/myrepo
  • Region-specific pattern: "git-codecommit.us-west-1.amazonaws.com/{name}" for better organization
  • Ensure patterns generate unique repository names to avoid conflicts

Authentication Methods

AWS CodeCommit supports both HTTPS and SSH authentication:

  • HTTPS: Uses Git credentials (username/password) - recommended for simplicity
  • SSH: Uses SSH key pairs - requires additional key management setup

Security Considerations

IAM Permissions

  • The AWS access key must have the AWSCodeCommitReadOnly IAM policy attached minimum
  • Consider using more restrictive custom policies that limit access to specific repositories
  • Never use root account credentials - create dedicated IAM users for Sourcegraph

Credential Storage

  • Store AWS access keys and secrets securely using Sourcegraph's secret management
  • For SSH setups, ensure private keys are base64 encoded and properly secured
  • Regularly rotate AWS access keys according to security best practices

Network Access

  • Ensure Sourcegraph can reach AWS CodeCommit endpoints in your configured region
  • Consider VPC endpoints for private network access to CodeCommit
  • Review AWS CloudTrail logs for monitoring repository access

SSH Key Security

  • Generate SSH keys without passphrases for automated access
  • Store private keys securely and base64 encode them for configuration
  • Regularly rotate SSH keys and update configurations accordingly

Common Examples

Basic HTTPS Configuration

JSON
{
  "accessKeyID": "AKIA...",
  "secretAccessKey": "your-secret-key", 
  "region": "us-east-1",
  "gitCredentials": {
    "username": "git-username",
    "password": "git-password"
  },
  "repositoryPathPattern": "{name}"
}

Region-Specific Setup

JSON
{
  "accessKeyID": "AKIA...",
  "secretAccessKey": "your-secret-key",
  "region": "eu-central-1", 
  "gitCredentials": {
    "username": "git-username",
    "password": "git-password"
  },
  "repositoryPathPattern": "git-codecommit.eu-central-1.amazonaws.com/{name}"
}

SSH Configuration

JSON
{
  "accessKeyID": "AKIA...",
  "secretAccessKey": "your-secret-key",
  "region": "us-west-1",
  "gitURLType": "ssh",
  "gitSSHKeyID": "APKA...",
  "gitSSHCredential": {
    "privateKey": "LS0tLS1CRUdJTi...",
    "passphrase": ""
  }
}

Selective Repository Sync

JSON
{
  "accessKeyID": "AKIA...",
  "secretAccessKey": "your-secret-key",
  "region": "us-east-1",
  "gitCredentials": {
    "username": "git-username", 
    "password": "git-password"
  },
  "exclude": [
    {"name": "internal-temp-repo"},
    {"name": "archived-project"}
  ]
}

Best Practices

Performance and Reliability

  • Regional Deployment: Deploy Sourcegraph in the same AWS region as your CodeCommit repositories for optimal performance
  • Repository Exclusion: Use the exclude field to avoid syncing temporary or archived repositories
  • Connection Monitoring: Regularly verify that your AWS credentials remain valid and have appropriate permissions

Operational Management

  • Credential Rotation: Implement regular rotation of AWS access keys and Git credentials
  • Monitoring: Set up CloudWatch alarms for CodeCommit API usage and authentication failures
  • Backup Strategy: Ensure your repository syncing strategy aligns with your backup and disaster recovery plans

Deployment Considerations

  • Docker Deployments: For SSH setups, properly mount SSH configuration files into containers
  • Kubernetes Deployments: Use secrets for credential management and configure SSH access appropriately
  • Container Restart: Plan for service restarts when updating SSH keys or credentials

Migration and Setup

  • Testing: Always test your configuration with a small subset of repositories first
  • Documentation: Document your repository path patterns and credential management processes
  • Access Validation: Verify Sourcegraph can access all intended repositories before full deployment

Mounting SSH keys into the container

  1. Copy all the files at your $HOME/.ssh directory to $HOME/.sourcegraph/config/ssh directory. See docs for more information about our ssh file system.
    1. Read our guide here for Docker Compose deployments
    2. Read our guide here for Kubernetes deployments
  2. Start (or restart) the container.
  3. Connect Sourcegraph to AWS CodeCommit by going to Sourcegraph > Site Admin > Manage code hosts > Generic Git host and add the following:
JSON
"url": "ssh://git-codecommit.us-west-1.amazonaws.com", //Please replace the 'us-east-1' region with yours
  "repos": [
    "v1/repos/REPO_NAME_1",
    "v1/repos/REPO_NAME_2",
  ]