
AWS CodeCommit

AWS CodeCommit is a managed service that hosts private Git repositories for you. Git is the version control system most developers use to track changes to source code, and a “repository” (or “repo”) is a single project’s worth of that history. CodeCommit lets you push and pull code just like GitHub or GitLab, but the repos live inside your AWS account and access is controlled by IAM (Identity and Access Management, AWS’s permission system). That tight integration is its main selling point, but as you’ll see below, for new projects in 2026 it’s usually no longer the best choice.

What CodeCommit actually is

A CodeCommit repository is a standard Git repo with a remote URL hosted by AWS. You clone it, commit to it, and push to it using the normal git commands. There are no servers to run or storage to size, and AWS encrypts everything at rest automatically. Because access is governed by IAM rather than a separate username/password system, you manage who can read or write code using the same policies you already use for the rest of AWS.

CodeCommit fits into the broader AWS CI/CD (Continuous Integration / Continuous Delivery, the practice of automatically building and shipping code) suite. A typical flow is: CodeCommit holds the source, CodePipeline detects a push and orchestrates the release, CodeBuild compiles and tests it, and CodeDeploy ships it to servers.

Important (2026): AWS has effectively stopped onboarding new customers to CodeCommit. If your AWS account never used it before, you generally cannot create new repositories. Existing customers can keep using it. For greenfield projects, integrate CodePipeline with GitHub or GitLab instead — it’s the better-supported, more actively developed path.

When to use this (and when not to)

| Situation | Use CodeCommit? |
| --- | --- |
| Existing repos already in CodeCommit | Yes — keep them; migration has a cost |
| Strict data-residency / regulated workload needing code inside your AWS account | Yes, if your account already has access |
| Brand-new project, new AWS account | No — use GitHub/GitLab with CodePipeline |
| Team wants pull requests, code review, large community tooling | No — GitHub/GitLab are far richer |
| You want everything governed by one IAM policy set | CodeCommit’s strength, if available |

For most teams starting fresh, connect CodePipeline to GitHub via an AWS CodeStar Connection (a managed link between AWS and your Git host). You get GitHub’s ecosystem and AWS’s pipeline automation together.

Authenticating to a CodeCommit repo

CodeCommit does not use a single password. You pick one of two methods, and both are tied to an IAM user or role.

Option 1 — HTTPS Git credentials

AWS generates a dedicated username and password used only for Git over HTTPS. This is the simplest method and works well on locked-down corporate networks where SSH ports may be blocked.

Console steps:

  1. Open the IAM console and choose Users, then your user.
  2. Go to the Security credentials tab.
  3. Scroll to HTTPS Git credentials for AWS CodeCommit and click Generate credentials.
  4. Download or copy the username and password — the password is shown only once.
  5. Clone using the HTTPS URL; Git will prompt for those credentials and cache them.

CLI equivalent (the credential itself is created via IAM):

aws iam create-service-specific-credential \
  --user-name dev-jane \
  --service-name codecommit.amazonaws.com

Output:

{
    "ServiceSpecificCredential": {
        "CreateDate": "2026-06-15T10:22:41+00:00",
        "ServiceName": "codecommit.amazonaws.com",
        "ServiceUserName": "dev-jane-at-123456789012",
        "ServicePassword": "Abc123Examp1ePassw0rd=",
        "ServiceSpecificCredentialId": "ACCA1234567890EXAMPLE",
        "UserName": "dev-jane",
        "Status": "Active"
    }
}

Then clone:

git clone https://git-codecommit.us-east-1.amazonaws.com/v1/repos/payments-api

Option 2 — SSH keys

You upload your public SSH key to IAM and Git authenticates with the matching private key. No password prompts after setup.

  1. Generate a key pair locally: ssh-keygen -t rsa -b 4096.
  2. In IAM > Users > your user > Security credentials, find SSH keys for AWS CodeCommit and click Upload SSH public key.
  3. Paste the contents of your .pub file and save. IAM returns an SSH Key ID (e.g. APKAEIBAERJR2EXAMPLE).
  4. Add a host entry in ~/.ssh/config mapping the key ID as the SSH user.

CLI to upload the key:

aws iam upload-ssh-public-key \
  --user-name dev-jane \
  --ssh-public-key-body file://~/.ssh/id_rsa.pub

Clone using the SSH URL and your key ID as the username:

git clone ssh://APKAEIBAERJR2EXAMPLE@git-codecommit.us-east-1.amazonaws.com/v1/repos/payments-api

Tip: A third option is the git-remote-codecommit helper (a pip-installable tool) that authenticates with your normal AWS CLI credentials and temporary role sessions — ideal if you assume IAM roles instead of using long-lived IAM users.

Creating a repository

If your account still has access, you can create a repo in seconds.

Console steps:

  1. Open the CodeCommit console and choose Create repository.
  2. Enter a Repository name (e.g. payments-api) and an optional description.
  3. Click Create. The console shows the HTTPS and SSH clone URLs.

CLI equivalent:

aws codecommit create-repository \
  --repository-name payments-api \
  --repository-description "Payments service source code"

Output:

{
    "repositoryMetadata": {
        "repositoryName": "payments-api",
        "repositoryId": "f7579e13-b83e-4027-aaef-650c0EXAMPLE",
        "cloneUrlHttp": "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/payments-api",
        "cloneUrlSsh": "ssh://git-codecommit.us-east-1.amazonaws.com/v1/repos/payments-api",
        "Arn": "arn:aws:codecommit:us-east-1:123456789012:payments-api"
    }
}

You can also define a repo as infrastructure-as-code so it’s version-controlled and repeatable:

Resources:
  PaymentsRepo:
    Type: AWS::CodeCommit::Repository
    Properties:
      RepositoryName: payments-api
      RepositoryDescription: Payments service source code

Controlling access with IAM

Because there is no separate permission system, you grant access with IAM policies. The example below lets a user pull and push to one specific repo only.

aws iam put-user-policy \
  --user-name dev-jane \
  --policy-name PaymentsRepoAccess \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Action": ["codecommit:GitPull", "codecommit:GitPush"],
      "Resource": "arn:aws:codecommit:us-east-1:123456789012:payments-api"
    }]
  }'

AWS provides managed policies too: AWSCodeCommitPowerUser for day-to-day work and AWSCodeCommitReadOnly for auditors.

Cost

CodeCommit pricing is modest: the first 5 active users per month are free, and additional active users are about $1 each per month, including a generous storage and request allowance. The bigger “cost” is strategic — building on a service AWS is winding down can mean a painful migration later, so weigh that against any short-term savings.

Best Practices

  • Prefer roles over long-lived IAM users — use git-remote-codecommit with short-term credentials so no static passwords sit on laptops.
  • Scope IAM policies to individual repository ARNs, never blanket codecommit:* on *.
  • Trigger CodePipeline automatically on push so every commit is built and tested consistently.
  • Enable branch protection via IAM conditions (e.g. deny GitPush to main for non-leads) since CodeCommit has no built-in protected-branch UI.
  • For any new project, start on GitHub/GitLab with a CodeStar Connection rather than CodeCommit.
  • Keep an exportable backup mirror of important repos so you’re never locked into a single host.
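
The policy-scoping and branch-protection bullets above, worked through as an added example (not code from this page or from AWS). `branch_protection_policy` and `lint` are hypothetical helper names; the action names and the `codecommit:References` condition key are CodeCommit's IAM identifiers, and the linter only matches literal action names, not wildcards such as `codecommit:Git*`.

```python
import json

REPO_ARN = "arn:aws:codecommit:us-east-1:123456789012:payments-api"  # ARN from this page
KEY = "codecommit:References"  # IAM condition key carrying the Git ref being changed
WRITE_ACTIONS = [  # CodeCommit actions that can change a branch
    "codecommit:GitPush", "codecommit:DeleteBranch", "codecommit:PutFile",
    "codecommit:MergeBranchesByFastForward", "codecommit:MergeBranchesBySquash",
    "codecommit:MergeBranchesByThreeWay", "codecommit:MergePullRequestByFastForward",
    "codecommit:MergePullRequestBySquash", "codecommit:MergePullRequestByThreeWay",
]

def branch_protection_policy(repo_arn, branches):
    """Deny policy for non-leads; an explicit Deny overrides any Allow."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": WRITE_ACTIONS, "Resource": repo_arn,
        "Condition": {
            "StringEqualsIfExists": {KEY: [f"refs/heads/{b}" for b in branches]},
            # git push first calls GitPush without ref information; the Null test
            # stops the Deny from matching that call and blocking every push.
            "Null": {KEY: "false"},
        }}]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint(policies, branch="main"):
    """Findings for blanket CodeCommit grants and missing branch protection."""
    findings, protected = [], False
    for st in (s for p in policies for s in as_list(p["Statement"])):
        actions = as_list(st.get("Action", []))
        cond = st.get("Condition", {})
        if (st["Effect"] == "Allow" and "*" in as_list(st.get("Resource", []))
                and any(a in ("*", "codecommit:*") for a in actions)):
            findings.append("blanket codecommit grant on Resource *")
        if st["Effect"] != "Deny" or "codecommit:GitPush" not in actions:
            continue
        for op, keys in cond.items():
            if op != "Null" and f"refs/heads/{branch}" in as_list(keys.get(KEY, [])):
                protected = True
                if op.endswith("IfExists") and "Null" not in cond:
                    findings.append("Deny on GitPush lacks the Null guard")
    if not protected:
        findings.append(f"no Deny protecting refs/heads/{branch}")
    return findings

PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": REPO_ARN,
    "Action": ["codecommit:GitPull", "codecommit:GitPush"]}]}  # inline policy shown on this page

if __name__ == "__main__":
    print(json.dumps(branch_protection_policy(REPO_ARN, ["main"]), indent=2))
```

Attach the printed document to the group or role that holds the non-leads, and run `lint` over every policy attached to a principal together, since the Deny usually lives in a different policy from the Allow.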
Last updated June 15, 2026