git-remote-codecommit incompatible with aws login command - returns 403 error #61

@Stansup-Ngoc

Description

Summary

git-remote-codecommit fails with 403 error when using credentials authenticated via the aws login command (introduced in AWS CLI v2.32.0). The tool cannot read the credentials stored by aws login, making it incompatible with this new authentication method.

Environment

  • AWS CLI Version: aws-cli/2.32.21 Python/3.13.11 Windows/11 exe/AMD64
  • git-remote-codecommit Version: 1.17
  • Python Version: Python 3.12.2
  • Operating System: Windows 11
  • Git Version:

Steps to Reproduce

  1. Install AWS CLI v2.32.0 or later

  2. Authenticate using the new aws login command:

    aws login --profile login-profile

    (Browser opens, authentication succeeds)

  3. Configure git remote using codecommit protocol:

    git remote add aws codecommit://login-profile@repo

  4. Attempt to fetch from the repository:

    git fetch aws

Expected Behavior

The git fetch should succeed, using the credentials obtained via aws login.

Actual Behavior

The fetch fails with a 403 Forbidden error:

fatal: unable to access 'codecommit://login-profile@repo/': The requested URL returned error: 403

Root Cause Analysis

The aws login command (AWS CLI v2.32.0+) uses browser-based OAuth authentication and stores credentials in a different location/format than traditional AWS credentials. git-remote-codecommit attempts to read credentials from:

  • ~/.aws/credentials
  • ~/.aws/config (standard profiles)
  • SSO session cache (when configured via aws configure sso)

However, aws login stores credentials in a format that git-remote-codecommit does not recognize or cannot access.

Workarounds

Option 1: Use IAM User Credentials

aws configure --profile login-profile
# Enter access key ID and secret access key when prompted

Option 2: Use AWS SSO (Identity Center)

aws configure sso --profile login-profile
# Follow prompts to configure SSO
aws sso login --profile login-profile

Both workarounds store credentials in formats that git-remote-codecommit can read.

Documentation References

Related Issues

Proposed Solution

git-remote-codecommit should be updated to:

  1. Detect and read credentials stored by aws login
  2. Support the OAuth-based credential format
  3. Or, at minimum, provide a clear error message directing users to use aws configure or aws configure sso instead

Alternatively, AWS documentation should explicitly state that aws login is not compatible with git-remote-codecommit and users should use alternative authentication methods.

Impact

  • Severity: Medium - Users can work around this with alternative auth methods
  • Frequency: Likely to increase as aws login is promoted as the recommended authentication method
  • User Experience: Confusing for new users who follow the latest AWS CLI authentication guidance

Additional Context

I discovered this issue while trying to use the new aws login command as documented in the official AWS CLI documentation. The documentation suggests aws login as the recommended method for console credential users, but this creates an incompatibility with git-remote-codecommit.

This is particularly confusing because:

  1. AWS promotes aws login as the easiest way to get started
  2. CodeCommit documentation recommends git-remote-codecommit for federated access
  3. There's no warning that these two features are incompatible

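The issue above boils down to "does this profile carry a credential source git-remote-codecommit can resolve?". The following pre-flight check is an added example, not code from the git-remote-codecommit project or from the issue author: it parses ~/.aws/config and ~/.aws/credentials the way the CLI merges them and reports which standard botocore source (static keys, SSO, assume-role, credential_process) a profile would resolve through, or that none is present. The sample file contents are constructed; the page does not show what aws login writes to disk, so the login-profile section is modelled simply as a profile with no recognised credential keys, and the key sets are an assumption taken from the standard botocore profile chain rather than anything published by the project.

```python
"""Pre-flight check for git-remote-codecommit profiles (added example).

Classifies an AWS CLI profile by the credential source botocore would use.
It only reads INI text; it never contacts AWS. Assumption: the key sets below
are the standard botocore profile sources. A profile with none of them is
reported as unresolvable, which is the situation the issue describes.
"""
import configparser
import os
from typing import Dict, Optional

STATIC_KEYS = {"aws_access_key_id", "aws_secret_access_key"}
SSO_KEYS = {"sso_session", "sso_start_url"}
ROLE_KEYS = {"role_arn"}
PROCESS_KEYS = {"credential_process"}

Profiles = Dict[str, Dict[str, str]]


def parse_aws_ini(text: str, strip_profile_prefix: bool) -> Profiles:
    """~/.aws/config names sections "[profile x]" (except "[default]");
    ~/.aws/credentials names them "[x]". "[sso-session x]" blocks are skipped."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    profiles: Profiles = {}
    for section in parser.sections():
        if section.startswith("sso-session "):
            continue
        name = section
        if strip_profile_prefix and section.startswith("profile "):
            name = section[len("profile "):]
        profiles[name] = dict(parser.items(section))
    return profiles


def merge_profiles(config_text: str, credentials_text: str) -> Profiles:
    """Merge both files; the credentials file wins for the keys it sets."""
    merged = parse_aws_ini(config_text, strip_profile_prefix=True)
    for name, keys in parse_aws_ini(credentials_text, strip_profile_prefix=False).items():
        merged.setdefault(name, {}).update(keys)
    return merged


def classify_profile(profiles: Profiles, name: str, _depth: int = 0) -> str:
    """Return the source botocore would use for `name`, 'missing', or 'unresolvable'."""
    if name not in profiles:
        return "missing"
    keys = set(profiles[name])
    if STATIC_KEYS <= keys:
        return "static-keys"
    if keys & SSO_KEYS:
        return "sso"
    if keys & PROCESS_KEYS:
        return "credential_process"
    if keys & ROLE_KEYS:
        # assume-role needs a base profile it can chain from; bound the recursion
        source = profiles[name].get("source_profile")
        if source is None or _depth > 5:
            return "unresolvable"
        base = classify_profile(profiles, source, _depth + 1)
        if base in ("missing", "unresolvable"):
            return "unresolvable"
        return "assume-role via " + base
    return "unresolvable"


def preflight(profiles: Profiles, name: str) -> str:
    kind = classify_profile(profiles, name)
    if kind in ("missing", "unresolvable"):
        return (f"profile '{name}': {kind}; git-remote-codecommit will get no credentials. "
                "Use 'aws configure --profile' or 'aws configure sso --profile' instead.")
    return f"profile '{name}': {kind}; git-remote-codecommit can resolve it."


def preflight_files(name: str, config_path: Optional[str] = None,
                    credentials_path: Optional[str] = None) -> str:
    """Run the check against the real files on disk (defaults to ~/.aws/*)."""
    def read(path: str) -> str:
        return open(path, encoding="utf-8").read() if os.path.exists(path) else ""
    config_path = config_path or os.path.expanduser("~/.aws/config")
    credentials_path = credentials_path or os.path.expanduser("~/.aws/credentials")
    return preflight(merge_profiles(read(config_path), read(credentials_path)), name)


# Constructed sample files (not real credentials, not what aws login writes).
SAMPLE_CONFIG = """\
[profile keys-profile]
region = us-east-1

[profile sso-profile]
sso_session = corp
sso_account_id = 123456789012
sso_role_name = Developer
region = us-east-1

[sso-session corp]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1

[profile role-profile]
role_arn = arn:aws:iam::123456789012:role/CodeCommitRW
source_profile = keys-profile

[profile login-profile]
region = us-east-1
"""
SAMPLE_CREDENTIALS = """\
[keys-profile]
aws_access_key_id = AKIAEXAMPLE
aws_secret_access_key = EXAMPLESECRET
"""
SAMPLE_PROFILES = merge_profiles(SAMPLE_CONFIG, SAMPLE_CREDENTIALS)

if __name__ == "__main__":
    for p in ("keys-profile", "sso-profile", "role-profile", "login-profile"):
        print(preflight(SAMPLE_PROFILES, p))
```

Run it before `git fetch` with `preflight_files("login-profile")` to see which source, if any, the profile named in the codecommit:// URL exposes; a profile that classifies as unresolvable is the 403 case from the issue, since git-remote-codecommit then signs the request with no credentials at all.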