# Configure cross-account access to an AWS CodeCommit repository using roles
You can configure access to CodeCommit repositories for IAM users and groups in another AWS account. This is often referred to as *cross-account access*. This section provides examples and step-by-step instructions for configuring cross-account access for a repository named *MySharedDemoRepo* in the US East (Ohio) Region in an AWS account (referred to as AccountA) to IAM users who belong to an IAM group named *DevelopersWithCrossAccountRepositoryAccess* in another AWS account (referred to as AccountB).
This section is divided into three parts:
+ Actions for the Administrator in AccountA.
+ Actions for the Administrator in AccountB.
+ Actions for the repository user in AccountB.
To configure cross-account access:
+ The administrator in AccountA signs in as an IAM user with the permissions required to create and manage repositories in CodeCommit and create roles in IAM. If you are using managed policies, apply IAMFullAccess and AWSCodeCommitFullAccess to this IAM user.
The example account ID for AccountA is *111122223333*.
+ The administrator in AccountB signs in as an IAM user with the permissions required to create and manage IAM users and groups, and to configure policies for users and groups. If you are using managed policies, apply IAMFullAccess to this IAM user.
The example account ID for AccountB is *888888888888*.
+ The repository user in AccountB, to emulate the activities of a developer, signs in as an IAM user who is a member of the IAM group created to allow access to the CodeCommit repository in AccountA. This account must be configured with:
+ AWS Management Console access.
+ An access key and secret key to use when connecting to AWS resources and the ARN of the role to assume when accessing repositories in AccountA.
+ The **git-remote-codecommit** utility on the local computer where the repository is cloned. This utility requires Python and its installer, pip. You can download the utility from [https://pypi.org/project/git-remote-codecommit/](https://pypi.org/project/git-remote-codecommit/) on the Python Package Index website.
For more information, see [Setup steps for HTTPS connections to AWS CodeCommit with git-remote-codecommit](setting-up-git-remote-codecommit.md) and [IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_identity-management.html#intro-identity-users).
**Topics**
+ [
# Cross-account repository access: Actions for the administrator in AccountA
](cross-account-administrator-a.md)
+ [
# Cross-account repository access: Actions for the administrator in AccountB
](cross-account-administrator-b.md)
+ [
# Cross-account repository access: Actions for the repository user in AccountB
](cross-account-user-b.md)
# Cross-account repository access: Actions for the administrator in AccountA
To allow users or groups in AccountB to access a repository in AccountA, an AccountA administrator must:
+ Create a policy in AccountA that grants access to the repository.
+ Create a role in AccountA that can be assumed by IAM users and groups in AccountB.
+ Attach the policy to the role.
The following sections provide steps and examples.
**Topics**
+ [
## Step 1: Create a policy for repository access in AccountA
](#cross-account-create-policy-a)
+ [
## Step 2: Create a role for repository access in AccountA
](#cross-account-create-role-a)
## Step 1: Create a policy for repository access in AccountA
You can create a policy in AccountA that grants access to the repository in AccountA to users in AccountB. Depending on the level of access you want to allow, do one of the following:
+ Configure the policy to allow AccountB users access to a specific repository, but do not allow them to view a list of all repositories in AccountA.
+ Configure additional access to allow AccountB users to choose the repository from a list of all repositories in AccountA.
**To create a policy for repository access**
1. Sign in to the AWS Management Console as an IAM user with permissions to create policies in AccountA.
1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **Policies**.
1. Choose **Create policy**.
1. Choose the **JSON** tab, and paste the following JSON policy document into the JSON text box. Replace *us-east-2* with the AWS Region for the repository, *111122223333* with the account ID for AccountA, and *MySharedDemoRepo* with the name for your CodeCommit repository in AccountA:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codecommit:BatchGet*",
"codecommit:Create*",
"codecommit:DeleteBranch",
"codecommit:Get*",
"codecommit:List*",
"codecommit:Describe*",
"codecommit:Put*",
"codecommit:Post*",
"codecommit:Merge*",
"codecommit:Test*",
"codecommit:Update*",
"codecommit:GitPull",
"codecommit:GitPush"
],
"Resource": [
"arn:aws:codecommit:us-east-2:111122223333:MySharedDemoRepo"
]
}
]
}
```
------
If you want users who assume this role to be able to view a list of repositories on the CodeCommit console home page, add an additional statement to the policy, as follows:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codecommit:BatchGet*",
"codecommit:Create*",
"codecommit:DeleteBranch",
"codecommit:Get*",
"codecommit:List*",
"codecommit:Describe*",
"codecommit:Put*",
"codecommit:Post*",
"codecommit:Merge*",
"codecommit:Test*",
"codecommit:Update*",
"codecommit:GitPull",
"codecommit:GitPush"
],
"Resource": [
"arn:aws:codecommit:us-east-2:111122223333:MySharedDemoRepo"
]
},
{
"Effect": "Allow",
"Action": "codecommit:ListRepositories",
"Resource": "*"
}
]
}
```
------
This access makes it easier for users who assume this role with this policy to find the repository to which they have access. They can choose the name of the repository from the list and be directed to the home page of the shared repository (`Code`). Users cannot access any of the other repositories they see in the list, but they can view the repositories in AccountA on the **Dashboard** page.
If you do not want to allow users who assume the role to be able to view a list of all repositories in AccountA, use the first policy example, but make sure that you send those users a direct link to the home page of the shared repository in the CodeCommit console.
1. Choose **Review policy**. The policy validator reports syntax errors (for example, if you forget to replace the example Amazon Web Services account ID and repository name with your Amazon Web Services account ID and repository name).
1. On the **Review policy** page, enter a name for the policy (for example, *CrossAccountAccessForMySharedDemoRepo*). You can also provide an optional description for this policy. Choose **Create policy**.
## Step 2: Create a role for repository access in AccountA
After you have configured a policy, create a role that IAM users and groups in AccountB can assume, and attach the policy to that role.
**To create a role for repository access**
1. In the IAM console, choose **Roles**.
1. Choose **Create role**.
1. Choose **Another Amazon Web Services account**.
1. In **Account ID**, enter the Amazon Web Services account ID for AccountB (for example, *888888888888*). Choose **Next: Permissions**.
1. In **Attach permissions policies**, select the policy you created in the previous procedure (*CrossAccountAccessForMySharedDemoRepo*). Choose **Next: Review**.
1. In **Role name**, enter a name for the role (for example, *MyCrossAccountRepositoryContributorRole*). You can also enter an optional description to help others understand the purpose of the role.
1. Choose **Create role**.
1. Open the role you just created, and copy the role ARN (for example, `arn:aws:iam::111122223333:role/MyCrossAccountRepositoryContributorRole`). You need to provide this ARN to the AccountB administrator.
# Cross-account repository access: Actions for the administrator in AccountB
To allow users or groups in AccountB to access a repository in AccountA, the AccountB administrator must create a group in AccountB. This group must be configured with a policy that allows group members to assume the role created by the AccountA administrator.
The following sections provide steps and examples.
**Topics**
+ [
## Step 1: Create an IAM group for repository access for AccountB users
](#cross-account-create-group-b)
+ [
## Step 2: Create a policy and add users to the IAM group
](#cross-account-create-policy-b)
## Step 1: Create an IAM group for repository access for AccountB users
The simplest way to manage which IAM users in AccountB can access the AccountA repository is to create an IAM group in AccountB that has permission to assume the role in AccountA, and then add the IAM users to that group.
**To create a group for cross-account repository access**
1. Sign in to the AWS Management Console as an IAM user with the permissions required to create IAM groups and policies and manage IAM users in AccountB.
1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the IAM console, choose **Groups**.
1. Choose **Create New Group**.
1. In **Group Name**, enter a name for the group (for example, *DevelopersWithCrossAccountRepositoryAccess*). Choose **Next Step**.
1. In **Attach Policy**, choose **Next Step**. You create the cross-account policy in the next procedure. Finish creating the group.
## Step 2: Create a policy and add users to the IAM group
Now that you have a group, create the policy that allows members of this group to assume the role that gives them access to the repository in AccountA. Then add to the group the IAM users in AccountB that you want to allow access in AccountA.
**To create a policy for the group and add users to it**
1. In the IAM console, choose **Groups**, and then choose the name of the group you just created (for example, *DevelopersWithCrossAccountRepositoryAccess*).
1. Choose the **Permissions** tab. Expand **Inline Policies**, and then choose the link to create an inline policy. (If you are configuring a group that already has an inline policy, choose **Create Group Policy**.)
1. Choose **Custom Policy**, and then choose **Select**.
1. In **Policy Name**, enter a name for the policy (for example, *AccessPolicyForSharedRepository*).
1. In **Policy Document**, paste the following policy. In `Resource`, replace the ARN with the ARN of the policy created by the administrator in AccountA (for example, arn:aws:iam::*111122223333*:role/*MyCrossAccountRepositoryContributorRole*), and then choose **Apply Policy**. For more information about the policy created by the administrator in AccountA, see [Step 1: Create a policy for repository access in AccountA](cross-account-administrator-a.md#cross-account-create-policy-a).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::111122223333:role/MyCrossAccountRepositoryContributorRole"
}
}
```
------
1. Choose the **Users** tab. Choose **Add Users to Group**, and then add the AccountB IAM users. For example, you might add an IAM user with the user name *Saanvi\$1Sarkar* to the group.
**Note**
Users in AccountB must have programmatic access, including an access key and secret key, to configure their local computers for access to the shared CodeCommit repository. If you are creating IAM users, be sure to save the access key and secret key. To ensure the security of your AWS account, the secret access key is accessible only at the time you create it.
# Cross-account repository access: Actions for the repository user in AccountB
To access the repository in AccountA, users in the AccountB group must configure their local computers for repository access. The following sections provide steps and examples.
**Topics**
+ [
## Step 1: Configure the AWS CLI and Git for an AccountB user to access the repository in AccountA
](#cross-account-configure-credentials)
+ [
## Step 2: Clone and access the CodeCommit repository in AccountA
](#cross-account-clone-and-use)
## Step 1: Configure the AWS CLI and Git for an AccountB user to access the repository in AccountA
You cannot use SSH keys or Git credentials to access repositories in another Amazon Web Services account. AccountB users must configure their computers to use either **git-remote-codecommit** (recommended) or the credential helper to access the shared CodeCommit repository in AccountA. However, you can continue to use SSH keys or Git credentials when accessing repositories in AccountB.
Follow these steps to configure access using **git-remote-codecommit**. If you have not already installed **git-remote-codecommit**, download it from [https://pypi.org/project/git-remote-codecommit/](https://pypi.org/project/git-remote-codecommit/)on the Python Package Index website.
**To configure the AWS CLI and Git for cross-account access**
1. Install the AWS CLI on the local computer. See instructions for your operating system in [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/installing.html).
1. Install Git on the local computer. To install Git, we recommend websites such as [Git Downloads](http://git-scm.com/downloads) or [Git for Windows](http://msysgit.github.io/).
**Note**
CodeCommit supports Git versions 1.7.9 and later. Git version 2.28 supports configuring the branch name for initial commits. We recommend using a recent version of Git. Git is an evolving, regularly updated platform. Occasionally, a feature change might affect the way it works with CodeCommit. If you encounter issues with a specific version of Git and CodeCommit, review the information in [Troubleshooting](troubleshooting.md).
1. From the terminal or command line, at the directory location where you want to clone the repository, run the **git config --local user.name** and **git config --local user.email** commands to set the user name and email for the commits you will make to the repository. For example:
```
git config --local user.name "Saanvi Sarkar"
git config --local user.email saanvi_sarkar@example.com
```
These commands return nothing, but the email and user name you specify is associated with the commits you make to the repository in AccountA.
1. Run the **aws configure --profile** command to configure a default profile to use when connecting to resources in AccountB. When prompted, provide the access key and secret key for your IAM user.
**Note**
If you have already installed the AWS CLI and configured a profile, you can skip this step.
For example, run the following command to create a default AWS CLI profile that you use to access AWS resources in AccountB in US East (Ohio) (us-east-2):
```
aws configure
```
When prompted, provide the following information:
```
AWS Access Key ID [None]: Your-IAM-User-Access-Key
AWS Secret Access Key ID [None]: Your-IAM-User-Secret-Access-Key
Default region name ID [None]: us-east-2
Default output format [None]: json
```
1. Run the **aws configure --profile** command again to configure a named profile to use when connecting to the repository in AccountA. When prompted, provide the access key and secret key for your IAM user. For example, run the following command to create an AWS CLI profile named *MyCrossAccountAccessProfile* that you use to access a repository in AccountA in US East (Ohio) (us-east-2):
```
aws configure --profile MyCrossAccountAccessProfile
```
When prompted, provide the following information:
```
AWS Access Key ID [None]: Your-IAM-User-Access-Key
AWS Secret Access Key ID [None]: Your-IAM-User-Secret-Access-Key
Default region name ID [None]: us-east-2
Default output format [None]: json
```
1. In a plain-text editor, open the `config` file, also known as the AWS CLI configuration file. Depending on your operating system, this file might be located at `~/.aws/config` on Linux, macOS, or Unix, or at *drive*:\$1Users\$1*USERNAME*\$1.aws\$1config on Windows.
1. In the file, find the entry that corresponds to the default profile you configured for access to repositories in AccountB. It should look similar to the following:
```
[default]
region = us-east-2
output = json
```
Add `account` to the profile configuration. Provide the AWS account ID of AccountB. For example:
```
[default]
account = 888888888888
region = us-east-2
output = json
```
1. In the file, find the entry that corresponds to the *MyCrossAccountAccessProfile* profile you just created. It should look similar to the following:
```
[profile MyCrossAccountAccessProfile]
region = us-east-2
output = json
```
Add `account`, `role_arn` and `source_profile` to the profile configuration. Provide the Amazon Web Services account ID of AccountA, the ARN of the role in AccountA that you assume to access the repository in the other account, and the name of your default AWS CLI profile in AccountB. For example:
```
[profile MyCrossAccountAccessProfile]
region = us-east-2
account = 111122223333
role_arn = arn:aws:iam::111122223333:role/MyCrossAccountRepositoryContributorRole
source_profile = default
output = json
```
Save your changes, and close the plain-text editor.
## Step 2: Clone and access the CodeCommit repository in AccountA
Run **git clone**, **git push**, and **git pull** to clone, push to, and pull from, the cross-account CodeCommit repository. You can also sign in to the AWS Management Console, switch roles, and use the CodeCommit console to interact with the repository in the other account.
**Note**
Depending on how the IAM role was configured, you might be able to view repositories on the default page for CodeCommit. If you cannot view the repositories, ask the repository administrator to email you a URL link to the **Code** page for the shared repository in the CodeCommit console. The URL is similar to the following:
```
https://console.aws.amazon.com/codecommit/home?region=us-east-2#/repository/MySharedDemoRepo/browse/HEAD/--/
```
**To clone the cross-account repository to your local computer**
1. At the command line or terminal, in the directory where you want to clone the repository, run the **git clone** command with the HTTPS (GRC) clone URL. For example:
```
git clone codecommit://MyCrossAccountAccessProfile@MySharedDemoRepo
```
Unless you specify otherwise, the repository is cloned into a subdirectory with the same name as the repository.
1. Change directories to the cloned repository, and either add or make a change to a file. For example, you can add a file named *NewFile.txt*.
1. Add the file to the tracked changes for the local repo, commit the change, and push the file to the CodeCommit repository. For example:
```
git add NewFile.txt
git commit -m "Added a file to test cross-account access to this repository"
git push
```
For more information, see [Getting started with Git and AWS CodeCommit](getting-started.md).
Now that you've added a file, go to the CodeCommit console to view your commit, review other users' changes to the repo, participate in pull requests, and more.
**To access the cross-account repository in the CodeCommit console**
1. Sign in to the AWS Management Console in AccountB (*888888888888*) as the IAM user who has been granted cross-account access to the repository in AccountA.
1. Choose your user name on the navigation bar, and in the drop-down list, choose **Switch Role**.
**Note**
If this is the first time you have selected this option, review the information on the page, and then choose **Switch Role** again.
1. On the **Switch Role** page, do the following:
+ In **Account**, enter the account ID for AccountA ( for example, *111122223333*).
+ In **Role**, enter the name of the role you want to assume for access to the repository in AccountA (for example, *MyCrossAccountRepositoryContributorRole*).
+ In **Display Name**, enter a friendly name for this role. This name appears in the console when you are assuming this role. It also appears in the list of assumed roles the next time you want to switch roles in the console.
+ (Optional) In **Color**, choose a color label for the display name.
+ Choose **Switch Role**.
For more information, see [Switching to a Role (AWS Management Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html).
1. Open the CodeCommit console at [https://console.aws.amazon.com/codesuite/codecommit/home](https://console.aws.amazon.com/codesuite/codecommit/home).
If the assumed role has permission to view the names of repositories in AccountA, you see a list of repositories and an error message that informs you that you do not have permissions to view their status. This is expected behavior. Choose the name of the shared repository from the list.
If the assumed role does not have permission to view the names of repositories in AccountA, you see an error message and a blank list with no repositories. Paste the URL link to the repository or modify the console link and change `/list` to the name of the shared repository (for example, `/MySharedDemoRepo`).
1. In **Code**, find the name of the file you added from your local computer. Choose it to browse the code in the file, and then browse the rest of the repository and start using its features.
For more information, see [Getting started with AWS CodeCommit](getting-started-cc.md).