AWS Developer Tools & CI/CD
CodeCommit
Managed private Git repositories with full integration with AWS services
AWS CodeCommit is a fully managed, private Git repository service that eliminates the need to run your own source control infrastructure. It integrates natively with IAM for fine-grained access control and with other AWS developer tools, making it a natural fit for teams already invested in the AWS ecosystem.
How CodeCommit Works
CodeCommit stores your Git repositories in AWS-managed infrastructure with high availability across multiple Availability Zones. You interact with it using standard Git commands - the only difference from GitHub or Bitbucket is authentication.
The supported authentication methods are:
| Method | How It Works | Best For |
|---|---|---|
| HTTPS + Git credentials | IAM user generates static username/password for Git | CI/CD pipelines, individual developers |
| SSH | Upload public key to IAM user profile | Developer workstations |
| HTTPS (GRC) | git-remote-codecommit helper uses temporary credentials | Federated users, assumed roles, SSO |
| IAM roles | EC2/Lambda instance profiles or assumed roles via GRC | Automated pipelines, cross-account access |
Federated users (SSO, SAML) cannot generate static Git credentials. They must use git-remote-codecommit (GRC) which wraps temporary STS credentials. Install with: pip install git-remote-codecommit
```bash
# Clone using GRC (works with assumed roles and SSO)
git clone codecommit::ap-south-1://my-repo
# Clone using HTTPS credentials
git clone https://git-codecommit.ap-south-1.amazonaws.com/v1/repos/my-repo
# Clone using SSH
git clone ssh://git-codecommit.ap-south-1.amazonaws.com/v1/repos/my-repo
```
IAM Access Control for Repositories
CodeCommit has no concept of repository-level users or teams - all access is controlled through IAM. This is a fundamental difference from GitHub and requires understanding IAM policy conditions.
| IAM Action | What It Allows |
|---|---|
| codecommit:GitPull | Clone and fetch from a repository |
| codecommit:GitPush | Push commits and branches |
| codecommit:CreateBranch | Create new branches |
| codecommit:DeleteBranch | Delete branches (restrict this!) |
| codecommit:PutFile | Upload files via console |
| codecommit:GetBranch | Describe branch metadata |
| codecommit:CreatePullRequest | Open pull requests |
| codecommit:MergeBranchesByFastForward | Merge via fast-forward |
To restrict push to a specific branch (e.g., protect main), use a Deny statement with a condition on the codecommit:References key:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "codecommit:GitPush",
        "codecommit:DeleteBranch",
        "codecommit:PutFile",
        "codecommit:MergeBranchesByFastForward"
      ],
      "Resource": "arn:aws:codecommit:us-east-1:123456789:my-repo",
      "Condition": {
        "StringEqualsIfExists": {
          "codecommit:References": ["refs/heads/main"]
        },
        "Null": {
          "codecommit:References": "false"
        }
      }
    }
  ]
}
```
CodeCommit does not support required reviewers or mandatory CI checks at the repository level. Branch protection policies are implemented entirely through IAM Deny statements, which can be confusing to manage at scale.
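To see exactly which requests the Deny statement above catches (and why the Null block is paired with StringEqualsIfExists), here is an added local evaluator that models those two IAM condition operators on the multi-valued codecommit:References key. It is example code, not from AWS or this page; the repo ARN and request inputs are constructed, and the "any value matches" rule for a multi-valued key is an assumption of this toy model (a production check would use the IAM policy simulator).

```python
"""Toy evaluator for the CodeCommit branch-protection Deny statement (added example)."""
from __future__ import annotations
from typing import Optional

DENIED_ACTIONS = [
    "codecommit:GitPush",
    "codecommit:DeleteBranch",
    "codecommit:PutFile",
    "codecommit:MergeBranchesByFastForward",
]


def build_deny_statement(repo_arn: str, protected_refs: list[str]) -> dict:
    """Return the page's Deny statement, parameterised by repository and refs."""
    return {
        "Effect": "Deny",
        "Action": DENIED_ACTIONS,
        "Resource": repo_arn,
        "Condition": {
            "StringEqualsIfExists": {"codecommit:References": protected_refs},
            "Null": {"codecommit:References": "false"},
        },
    }


def deny_matches(statement: dict, action: str, resource: str,
                 references: Optional[list[str]]) -> bool:
    """True when the Deny applies to a request.

    references is the multi-valued codecommit:References context key; None
    models a request that carries no refs at all. Assumption of this model:
    a single-valued operator on a multi-valued key matches if ANY ref matches.
    """
    if action not in statement["Action"] or resource != statement["Resource"]:
        return False
    cond = statement["Condition"]
    # Null: "false" means the key MUST be present, so ref-less requests are never denied.
    if cond.get("Null", {}).get("codecommit:References") == "false" and references is None:
        return False
    # ...IfExists: an absent key satisfies the operator; without the Null block
    # above, a ref-less request would therefore be denied outright.
    if references is None:
        return True
    wanted = set(cond["StringEqualsIfExists"]["codecommit:References"])
    return any(ref in wanted for ref in references)
```

Dropping the "Null" block from the statement and re-running with references=None shows the broader, unintended Deny that the documented pattern avoids.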
Notifications, Triggers, and Approval Rules
CodeCommit supports three event-driven mechanisms that are often confused in interviews:
| Mechanism | Trigger Source | Targets | Use Case |
|---|---|---|---|
| Notifications | Repository events via EventBridge | SNS only | Email/Slack alerts on PR activity |
| Triggers | Repository events (direct) | SNS or Lambda | Custom automation on push/branch creation |
| EventBridge rules | CodeCommit events via EventBridge | Lambda, SQS, CodePipeline, etc. | Complex automation, cross-account |
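As an added illustration of the EventBridge row above (not code from the page or from AWS), the following implements the subset of EventBridge pattern matching needed for a rule that fires only when a branch named main is created or updated in one repository, the kind of rule that would target CodePipeline or a Lambda. The event shape follows the documented "CodeCommit Repository State Change" detail-type; the ARN, commit id and sample events are constructed.

```python
"""Minimal EventBridge pattern matcher for CodeCommit repository events (added example)."""

REPO_ARN = "arn:aws:codecommit:ap-south-1:111122223333:my-repo"  # constructed

# Rule pattern: "main was created or updated in my-repo".
MAIN_BRANCH_PATTERN = {
    "source": ["aws.codecommit"],
    "detail-type": ["CodeCommit Repository State Change"],
    "resources": [REPO_ARN],
    "detail": {
        "event": ["referenceCreated", "referenceUpdated"],
        "referenceType": ["branch"],
        "referenceName": ["main"],
    },
}


def matches(pattern: dict, event: dict) -> bool:
    """EventBridge semantics for this subset: every pattern key must exist in the
    event; a list of values means 'equals one of these'; a dict recurses; an
    array-valued event field matches if any of its elements matches."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(actual, list):
            if not any(item in expected for item in actual):
                return False
        elif actual not in expected:
            return False
    return True


def make_event(reference_name: str, event_kind: str, ref_type: str = "branch") -> dict:
    """Build a constructed CodeCommit state-change event for testing the rule."""
    return {
        "source": "aws.codecommit",
        "detail-type": "CodeCommit Repository State Change",
        "resources": [REPO_ARN],
        "detail": {
            "event": event_kind,
            "repositoryName": "my-repo",
            "referenceType": ref_type,
            "referenceName": reference_name,
            "commitId": "0123456789abcdef0123456789abcdef01234567",  # constructed
        },
    }
```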
Approval rule templates let you enforce pull request review requirements across multiple repositories. You can require N approvals and restrict who counts as an approver using IAM ARN patterns.
Approval rule templates are applied at the repository level and evaluated per pull request. They do not retroactively apply to open PRs when modified. Always test rule changes on a new PR.
CodeCommit vs GitHub vs GitLab in AWS Pipelines
CodeCommit is often compared to GitHub and GitLab. For pure AWS workloads, the key consideration is how well each integrates with CodePipeline, CodeBuild, and IAM.
| Factor | CodeCommit | GitHub | GitLab |
|---|---|---|---|
| Auth with IAM | Native - no token management | OAuth app or PAT required | PAT or OAuth required |
| CodePipeline source | Native, no webhook setup | Requires CodeStar Connection | Requires CodeStar Connection |
| Cross-account access | IAM role assumption via GRC | PAT or GitHub App | PAT or GitLab App |
| PR features | Basic - no code owners file | Rich - CODEOWNERS, Actions | Rich - pipelines, MR features |
| Cost | Free up to 5 users, $1/user/mo after | Free tier available, paid plans | Free tier available, paid plans |
| Compliance/data residency | Data stays in your AWS account/region | GitHub.com cloud | GitLab.com or self-hosted |
AWS has announced that CodeCommit is no longer accepting new customers as of July 2024. Existing customers can continue using it, but new projects should evaluate GitHub, GitLab, or Bitbucket with CodeStar Connections.
Pricing Model
| Tier | Active Users | Storage | Git Requests |
|---|---|---|---|
| Free Tier | Up to 5 active users/month | 50 GB total | 10,000 Git requests/month |
| Paid | $1.00 per additional active user/month | $0.06/GB/month over 10 GB/user | $0.001 per additional Git request |
An "active user" is any unique AWS identity that makes at least one Git request or API call in a calendar month. Service roles used by CodePipeline or CodeBuild count as active users.
CI/CD pipelines running on every commit can quickly accumulate Git request charges because the CodePipeline source action counts as a Git request. Monitor usage in Cost Explorer under the CodeCommit service.
Interview Focus Points
1. How does CodeCommit authentication work for federated users who cannot generate static Git credentials?
2. How do you protect the main branch in CodeCommit from direct pushes?
3. What is the difference between CodeCommit triggers, notifications, and EventBridge rules?
4. How does CodeCommit pricing work, and what counts as an active user?
5. How would you set up cross-account access to a CodeCommit repository?
6. Why might a team choose GitHub over CodeCommit even when running entirely on AWS?
7. What are CodeCommit approval rule templates and what are their limitations?
8. How does git-remote-codecommit differ from standard HTTPS credentials?