AWS CodeCommit
Supported on Enterprise plans.
Available via the Web app.
Site admins can sync Git repositories hosted on AWS CodeCommit with Sourcegraph so that users can search and navigate the repositories.
To connect AWS CodeCommit to Sourcegraph:
- Go to Site admin > Manage code hosts > Add repositories
- Select AWS CodeCommit repositories.
- Configure the connection to AWS CodeCommit using the action buttons above the text field. Additional fields can be added using Cmd/Ctrl+Space for auto-completion. See the configuration documentation below.
- Press Add repositories.
AWS CodeCommit Git credentials
Since version 3.4 of Sourcegraph, the AWS CodeCommit service requires Git credentials in order to clone repositories via HTTPS. Git credentials consist of a username and a password that you can create in AWS IAM.
For detailed instructions on how to create the credentials in IAM, see: Setup for HTTPS Users Using Git Credentials
Configuration
AWS CodeCommit connections support the following configuration options, which are specified in the JSON editor in the site admin "Manage code hosts" area.
admin/code_hosts/aws_codecommit.schema.json
```json
{
  "$id": "aws_codecommit.schema.json#",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "additionalProperties": false,
  "allowComments": true,
  "description": "Configuration for a connection to AWS CodeCommit.",
  "properties": {
    "accessKeyID": {
      "description": "The AWS access key ID to use when listing and updating repositories from AWS CodeCommit. Must have the AWSCodeCommitReadOnly IAM policy.",
      "type": "string"
    },
    "exclude": {
      "description": "A list of repositories to never mirror from AWS CodeCommit. \n\nSupports excluding by name ({\"name\": \"git-codecommit.us-west-1.amazonaws.com/repo-name\"}) or by ARN ({\"id\": \"arn:aws:codecommit:us-west-1:999999999999:name\"}).",
      "examples": [
        [ { "name": "go-monorepo" }, { "id": "f001337a-3450-46fd-b7d2-650c0EXAMPLE" } ],
        [ { "name": "go-monorepo" }, { "name": "go-client" } ]
      ],
      "items": {
        "additionalProperties": false,
        "anyOf": [ { "required": [ "name" ] }, { "required": [ "id" ] } ],
        "properties": {
          "id": {
            "description": "The ID of an AWS Code Commit repository (as returned by the AWS API) to exclude from mirroring. Use this to exclude the repository, even if renamed, or to differentiate between repositories with the same name in multiple regions.",
            "pattern": "^[\\w-]+$",
            "type": "string"
          },
          "name": {
            "description": "The name of an AWS CodeCommit repository (\"repo-name\") to exclude from mirroring.",
            "pattern": "^[\\w.-]+$",
            "type": "string"
          }
        },
        "title": "ExcludedAWSCodeCommitRepo",
        "type": "object"
      },
      "minItems": 1,
      "type": "array"
    },
    "gitCredentials": {
      "description": "The Git credentials used for authentication when cloning an AWS CodeCommit repository over HTTPS.\n\nSee the AWS CodeCommit documentation on Git credentials for CodeCommit: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_ssh-keys.html#git-credentials-code-commit.\nFor detailed instructions on how to create the credentials in IAM, see this page: https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-gc.html",
      "properties": {
        "password": { "description": "The Git password", "minLength": 1, "type": "string" },
        "username": { "description": "The Git username", "minLength": 1, "type": "string" }
      },
      "required": [ "username", "password" ],
      "title": "AWSCodeCommitGitCredentials",
      "type": "object"
    },
    "gitSSHCipher": {
      "$ref": "git.schema.json#/definitions/gitSSHCipher",
      "description": "SSH cipher to use when cloning via SSH. Must be a valid choice from `ssh -Q cipher`."
    },
    "gitSSHCredential": {
      "$ref": "git.schema.json#/definitions/gitSSHCredential",
      "description": "SSH keys to use when cloning Git repo."
    },
    "gitSSHKeyID": {
      "description": "The ID of the SSH key created for your IAM users. It is required when using SSH to clone repositories.",
      "type": "string"
    },
    "gitURLType": {
      "default": "http",
      "description": "The type of Git URLs to use for cloning and fetching Git repositories.",
      "enum": [ "http", "ssh" ],
      "type": "string"
    },
    "initialRepositoryEnablement": {
      "default": false,
      "description": "Deprecated and ignored field which will be removed entirely in the next release. AWS CodeCommit repositories can no longer be enabled or disabled explicitly. Configure which repositories should not be mirrored via \"exclude\" instead.",
      "type": "boolean"
    },
    "maxDeletions": {
      "default": 0,
      "description": "The maximum number of repos that will be deleted per sync. A value of 0 or less indicates no maximum.",
      "type": "integer"
    },
    "region": {
      "default": "us-east-1",
      "description": "The AWS region in which to access AWS CodeCommit. See the list of supported regions at https://docs.aws.amazon.com/codecommit/latest/userguide/regions.html#regions-git.",
      "enum": [
        "ap-northeast-1", "ap-northeast-2", "ap-south-1", "ap-southeast-1", "ap-southeast-2",
        "ca-central-1", "eu-central-1", "eu-west-1", "eu-west-2", "eu-west-3",
        "sa-east-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2"
      ],
      "pattern": "^[a-z\\d-]+$",
      "type": "string"
    },
    "repositoryPathPattern": {
      "default": "{name}",
      "description": "The pattern used to generate a the corresponding Sourcegraph repository name for an AWS CodeCommit repository. In the pattern, the variable \"{name}\" is replaced with the repository's name.\n\nFor example, if your Sourcegraph instance is at https://src.example.com, then a repositoryPathPattern of \"awsrepos/{name}\" would mean that a AWS CodeCommit repository named \"myrepo\" is available on Sourcegraph at https://src.example.com/awsrepos/myrepo.\n\nIt is important that the Sourcegraph repository name generated with this pattern be unique to this code host. If different code hosts generate repository names that collide, Sourcegraph's behavior is undefined.",
      "examples": [
        "git-codecommit.us-west-1.amazonaws.com/{name}",
        "git-codecommit.eu-central-1.amazonaws.com/{name}"
      ],
      "type": "string"
    },
    "secretAccessKey": {
      "description": "The AWS secret access key (that corresponds to the AWS access key ID set in `accessKeyID`).",
      "type": "string"
    }
  },
  "required": [ "region", "accessKeyID", "secretAccessKey", "gitCredentials" ],
  "title": "AWSCodeCommitConnection",
  "type": "object"
}
```
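The schema's repositoryPathPattern description warns that names colliding across code hosts leave Sourcegraph's behavior undefined. The following check is an added example, not Sourcegraph code: it expands each connection's pattern, applies its exclude rules, and reports names claimed by more than one connection. The repository listings are constructed sample data, and matching exclude names against the bare repository name is an assumption.

```python
import re
from collections import defaultdict

# Character classes taken from the schema's "pattern" constraints for exclude entries.
EXCLUDE_KEYS = {"name": r"[\w.-]+", "id": r"[\w-]+"}

def mirrored_names(conn, repos):
    """Yield the Sourcegraph name of every repository the connection would mirror.

    conn:  connection config using the fields documented on this page.
    repos: [{"name": ..., "id": ...}], a constructed stand-in for a listing.
    """
    pattern = conn.get("repositoryPathPattern", "{name}")  # schema default
    if "{name}" not in pattern:
        raise ValueError(f"{pattern!r} maps every repository to the same name")
    excluded = {"name": set(), "id": set()}
    for rule in conn.get("exclude", []):
        if not rule or set(rule) - set(EXCLUDE_KEYS):
            raise ValueError(f"exclude rule needs only name and/or id: {rule!r}")
        for key, value in rule.items():
            if not re.fullmatch(EXCLUDE_KEYS[key], value):
                raise ValueError(f"invalid exclude {key}: {value!r}")
            excluded[key].add(value)
    for repo in repos:
        if repo["name"] not in excluded["name"] and repo["id"] not in excluded["id"]:
            yield pattern.replace("{name}", repo["name"])

def find_collisions(connections):
    """Return {sourcegraph_name: [region, ...]} for names claimed more than once."""
    owners = defaultdict(list)
    for conn, repos in connections:
        for name in mirrored_names(conn, repos):
            owners[name].append(conn["region"])
    return {name: regions for name, regions in owners.items() if len(regions) > 1}

# Constructed sample data: the same repository name exists in two regions.
EAST = {"region": "us-east-1", "exclude": [{"name": "archived-project"}]}
EU = {"region": "eu-central-1"}
EU_FIXED = dict(EU, repositoryPathPattern="git-codecommit.eu-central-1.amazonaws.com/{name}")
EAST_REPOS = [{"name": "payments-api", "id": "id-east-1"},
              {"name": "archived-project", "id": "id-east-2"}]
EU_REPOS = [{"name": "payments-api", "id": "id-eu-1"},
            {"name": "archived-project", "id": "id-eu-2"}]

if __name__ == "__main__":
    print(find_collisions([(EAST, EAST_REPOS), (EU, EU_REPOS)]))
    print(find_collisions([(EAST, EAST_REPOS), (EU_FIXED, EU_REPOS)]))
```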
Configuration Notes
Git Credentials Requirement
AWS CodeCommit requires Git credentials for HTTPS authentication since Sourcegraph version 3.4:
- Git credentials consist of a username and password generated in AWS IAM
- These are different from your regular AWS access keys
- Follow the AWS Git credentials setup guide for detailed instructions
Repository Path Patterns
The repositoryPathPattern field allows customization of repository URLs within Sourcegraph:
- Default pattern: "{name}" results in URLs like src.example.com/myrepo
- Region-specific pattern: "git-codecommit.us-west-1.amazonaws.com/{name}" for better organization
- Ensure patterns generate unique repository names to avoid conflicts
Authentication Methods
AWS CodeCommit supports both HTTPS and SSH authentication:
- HTTPS: Uses Git credentials (username/password) - recommended for simplicity
- SSH: Uses SSH key pairs - requires additional key management setup
Security Considerations
IAM Permissions
- The AWS access key must have, at a minimum, the AWSCodeCommitReadOnly IAM policy attached
- Consider using more restrictive custom policies that limit access to specific repositories
- Never use root account credentials - create dedicated IAM users for Sourcegraph
Credential Storage
- Store AWS access keys and secrets securely using Sourcegraph's secret management
- For SSH setups, ensure private keys are base64 encoded and properly secured
- Regularly rotate AWS access keys according to security best practices
Network Access
- Ensure Sourcegraph can reach AWS CodeCommit endpoints in your configured region
- Consider VPC endpoints for private network access to CodeCommit
- Review AWS CloudTrail logs for monitoring repository access
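One way to act on the CloudTrail recommendation, as an added example that is not part of Sourcegraph or AWS tooling: filter CodeCommit events made by the IAM user dedicated to Sourcegraph and flag calls that are not read-only, calls that returned an error, and calls from outside the expected network. The user name, CIDR ranges, read-only prefix list and sample records are assumptions constructed for the example.

```python
import ipaddress

# Assumption: event-name prefixes approximating read-only CodeCommit usage;
# align this with the policy actually attached to the Sourcegraph IAM user.
READ_ONLY_PREFIXES = ("Get", "List", "BatchGet", "Describe", "GitPull")

def review_events(events, principal_arn, allowed_cidrs):
    """Return (eventName, reason) findings for the principal's CodeCommit calls."""
    networks = [ipaddress.ip_network(cidr) for cidr in allowed_cidrs]
    findings = []
    for event in events:
        if event.get("eventSource") != "codecommit.amazonaws.com":
            continue
        if event.get("userIdentity", {}).get("arn") != principal_arn:
            continue
        name = event.get("eventName", "")
        if not name.startswith(READ_ONLY_PREFIXES):
            findings.append((name, "not-read-only"))
        if event.get("errorCode"):
            findings.append((name, "error:" + event["errorCode"]))
        try:
            source = ipaddress.ip_address(event.get("sourceIPAddress", ""))
        except ValueError:
            # The field can hold a service DNS name instead of an IP address.
            findings.append((name, "non-ip-source"))
            continue
        if not any(source in net for net in networks):
            findings.append((name, "unexpected-source:" + str(source)))
    return findings

# Constructed CloudTrail records, reduced to the fields the check reads.
SG = "arn:aws:iam::999999999999:user/sourcegraph-sync"  # hypothetical IAM user
OTHER = "arn:aws:iam::999999999999:user/developer"      # hypothetical IAM user
SAMPLE_EVENTS = [
    {"eventSource": "codecommit.amazonaws.com", "eventName": "GitPull",
     "userIdentity": {"arn": SG}, "sourceIPAddress": "10.0.4.17"},
    {"eventSource": "codecommit.amazonaws.com", "eventName": "GitPull",
     "userIdentity": {"arn": SG}, "sourceIPAddress": "203.0.113.50"},
    {"eventSource": "codecommit.amazonaws.com", "eventName": "DeleteRepository",
     "userIdentity": {"arn": SG}, "sourceIPAddress": "10.0.4.17",
     "errorCode": "AccessDenied"},
    {"eventSource": "codecommit.amazonaws.com", "eventName": "GitPush",
     "userIdentity": {"arn": OTHER}, "sourceIPAddress": "198.51.100.9"},
]

if __name__ == "__main__":
    for finding in review_events(SAMPLE_EVENTS, SG, ["10.0.0.0/16"]):
        print(finding)
```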
SSH Key Security
- Generate SSH keys without passphrases for automated access
- Store private keys securely and base64 encode them for configuration; base64 is an encoding, not encryption, so the encoded value must be protected like the key itself
- Regularly rotate SSH keys and update configurations accordingly
Common Examples
Basic HTTPS Configuration
```json
{
  "accessKeyID": "AKIA...",
  "secretAccessKey": "your-secret-key",
  "region": "us-east-1",
  "gitCredentials": {
    "username": "git-username",
    "password": "git-password"
  },
  "repositoryPathPattern": "{name}"
}
```
Region-Specific Setup
```json
{
  "accessKeyID": "AKIA...",
  "secretAccessKey": "your-secret-key",
  "region": "eu-central-1",
  "gitCredentials": {
    "username": "git-username",
    "password": "git-password"
  },
  "repositoryPathPattern": "git-codecommit.eu-central-1.amazonaws.com/{name}"
}
```
SSH Configuration
```json
{
  "accessKeyID": "AKIA...",
  "secretAccessKey": "your-secret-key",
  "region": "us-west-1",
  "gitURLType": "ssh",
  "gitSSHKeyID": "APKA...",
  "gitSSHCredential": {
    "privateKey": "LS0tLS1CRUdJTi...",
    "passphrase": ""
  }
}
```
Selective Repository Sync
```json
{
  "accessKeyID": "AKIA...",
  "secretAccessKey": "your-secret-key",
  "region": "us-east-1",
  "gitCredentials": {
    "username": "git-username",
    "password": "git-password"
  },
  "exclude": [
    {"name": "internal-temp-repo"},
    {"name": "archived-project"}
  ]
}
```
Best Practices
Performance and Reliability
- Regional Deployment: Deploy Sourcegraph in the same AWS region as your CodeCommit repositories for optimal performance
- Repository Exclusion: Use the exclude field to avoid syncing temporary or archived repositories
- Connection Monitoring: Regularly verify that your AWS credentials remain valid and have appropriate permissions
Operational Management
- Credential Rotation: Implement regular rotation of AWS access keys and Git credentials
- Monitoring: Set up CloudWatch alarms for CodeCommit API usage and authentication failures
- Backup Strategy: Ensure your repository syncing strategy aligns with your backup and disaster recovery plans
Deployment Considerations
- Docker Deployments: For SSH setups, properly mount SSH configuration files into containers
- Kubernetes Deployments: Use secrets for credential management and configure SSH access appropriately
- Container Restart: Plan for service restarts when updating SSH keys or credentials
Migration and Setup
- Testing: Always test your configuration with a small subset of repositories first
- Documentation: Document your repository path patterns and credential management processes
- Access Validation: Verify Sourcegraph can access all intended repositories before full deployment
Mounting SSH keys into the container
- Copy all the files in your $HOME/.ssh directory to the $HOME/.sourcegraph/config/ssh directory. See docs for more information about our ssh file system.
  - Read our guide here for Docker Compose deployments
  - Read our guide here for Kubernetes deployments
- Start (or restart) the container.
- Connect Sourcegraph to AWS CodeCommit by going to Sourcegraph > Site Admin > Manage code hosts > Generic Git host and add the following:
```json
{
  "url": "ssh://git-codecommit.us-west-1.amazonaws.com", // Replace the 'us-west-1' region with yours
  "repos": [
    "v1/repos/REPO_NAME_1",
    "v1/repos/REPO_NAME_2"
  ]
}
```