CodeCommit: The Source of Code for the Pipeline
The foundation is done: a service role and an artifact bucket. Now for the first piece of the chain — the source of code. The pipeline has to get code from somewhere, and in this series that somewhere is CodeCommit: AWS's Git hosting service. This article creates the repo, connects Git so it can push, pushes a sample app, then walks through branches and pull requests — all with the AWS CLI and Git, never touching the console.
An honest note up front: AWS stopped onboarding new customers to CodeCommit in 2024, so if your account has never used CodeCommit you may not be able to create a repo. We use it here because it's the original source piece of the Code* suite and integrates most cleanly with CodeBuild/CodePipeline.
Goal
Be able to create a CodeCommit repo, connect Git safely (no separate password stored), push real code, and walk through the branch → pull request → merge flow with the CLI.
Create the repo
$ aws codecommit create-repository --repository-name awscicd-demo-app \
--repository-description "Sample app for awscicd CI/CD series" \
--region ap-southeast-1 \
--query 'repositoryMetadata.[repositoryName,cloneUrlHttp]' --output text
awscicd-demo-app https://git-codecommit.ap-southeast-1.amazonaws.com/v1/repos/awscicd-demo-app
The repo exists, along with an HTTPS clone URL. But pushing over that URL requires authentication, and this is the place worth pausing.
Connecting Git: git-remote-codecommit
CodeCommit has a few ways to authenticate Git. The old way is to create Git credentials (a username/password pair specific to CodeCommit) in IAM and enter them into Git. The currently recommended way is git-remote-codecommit (grc for short) — a Git extension that signs each request with the very AWS credentials you're already using. The docs state plainly: "unlike other HTTPS connection methods, git-remote-codecommit does not require setting up Git credentials for the user." There's no Git password to create, store, or leak — Git borrows your AWS identity directly.
your machine: git push
│ remote = codecommit::ap-southeast-1://awscicd-demo-app
▼
git-remote-codecommit (grc)
│ signs the request with AWS credentials (SigV4) — no Git username/password needed
▼
CodeCommit ──▶ IAM checks permission (codecommit:GitPush / GitPull)
Install grc (needs Python + pip):
$ pip install git-remote-codecommit
After installing, Git understands URLs of the form codecommit::<region>://<repo>. grc uses AWS credentials from the default profile, so no extra configuration is needed if the aws CLI already works.
Push the sample app
Create a minimal app — a static page; we'll add the buildspec and appspec in later articles:
$ mkdir awscicd-demo-app && cd awscicd-demo-app
$ cat > index.html <<'HTML'
<!doctype html>
<html lang="en">
<head><meta charset="utf-8"><title>awscicd demo</title></head>
<body><h1>Hello from the awscicd demo app — v1</h1></body>
</html>
HTML
$ git init -q -b main && git add -A && git commit -q -m "Initial commit: static demo app v1"
Point the remote at CodeCommit via grc, then push:
$ git remote add origin codecommit::ap-southeast-1://awscicd-demo-app
$ git push -u origin main
remote: Validating objects: 100%
To codecommit::ap-southeast-1://awscicd-demo-app
* [new branch] main -> main
branch 'main' set up to track 'origin/main'.
The push runs without asking for a password — grc signed with AWS credentials, IAM checked the codecommit:GitPush permission. The code is now on CodeCommit.
Branches and pull requests
CodeCommit fully supports a branch-based workflow and review via pull requests, all controllable from the CLI. Create a feature branch, edit, push:
$ git checkout -b feature/v2-heading
$ sed -i.bak 's/v1/v2/' index.html && rm index.html.bak   # -i.bak works with both BSD (macOS) and GNU sed
$ git commit -am "Update heading to v2"
$ git push origin feature/v2-heading
Open a pull request proposing to merge that branch into main:
$ aws codecommit create-pull-request --title "Bump heading to v2" \
--description "Demo PR for the series" \
--targets repositoryName=awscicd-demo-app,sourceReference=feature/v2-heading,destinationReference=main \
--query 'pullRequest.[pullRequestId,pullRequestStatus,title]' --output text
1 OPEN Bump heading to v2
PR number 1 is OPEN. In a real team this is when someone else reviews and comments; here we merge straight away with fast-forward:
$ aws codecommit merge-pull-request-by-fast-forward --pull-request-id 1 \
--repository-name awscicd-demo-app \
--query 'pullRequest.pullRequestStatus' --output text
CLOSED
The PR moves to CLOSED (merged). Verify that main now has the change, reading the file directly through the API without pulling it down:
$ aws codecommit get-file --repository-name awscicd-demo-app --file-path index.html \
--query 'fileContent' --output text | base64 -d | grep -o 'v[0-9]'
v2
main is now v2. This is also an important point for later: the pipeline will listen on the main branch, so each time a PR is merged into main, the build–deploy chain starts automatically (we wire this up in Part V).
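Because IAM decides who may push (codecommit:GitPush / GitPull) and a change landing on main will start the pipeline, it is worth scoping those permissions to this one repo and blocking direct writes to main. The following is an added example, not part of the original article: the account ID 111122223333 is a constructed placeholder and the policy name is hypothetical.

```shell
#!/usr/bin/env bash
# Added example: least-privilege identity policy for the demo repo.
# The account ID and policy name are assumptions, not values from the article.

# Print a policy that allows Git pull/push on one repository only and denies
# direct writes to main, so changes reach main through a pull request.
codecommit_repo_policy() {
  local region="$1" account_id="$2" repo="$3"
  local arn="arn:aws:codecommit:${region}:${account_id}:${repo}"
  cat <<JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GitOverGrc",
      "Effect": "Allow",
      "Action": ["codecommit:GitPull", "codecommit:GitPush"],
      "Resource": "${arn}"
    },
    {
      "Sid": "NoDirectWritesToMain",
      "Effect": "Deny",
      "Action": ["codecommit:GitPush", "codecommit:PutFile", "codecommit:DeleteBranch"],
      "Resource": "${arn}",
      "Condition": {
        "StringEqualsIfExists": {"codecommit:References": ["refs/heads/main"]},
        "Null": {"codecommit:References": "false"}
      }
    }
  ]
}
JSON
}

# Create the managed policy from the generated document.
# Defined but not called here: it needs network access and iam:CreatePolicy.
create_repo_policy() {
  aws iam create-policy --policy-name awscicd-demo-app-git \
    --policy-document "$(codecommit_repo_policy "$@")"
}

# Print the policy for the repo used in this series.
codecommit_repo_policy ap-southeast-1 111122223333 awscicd-demo-app
```

The policy covers Git access only; the pull request commands used above (create-pull-request, merge-pull-request-by-fast-forward) need their own codecommit permissions granted separately.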
🧹 Cleanup
This repo is the code source for the whole series — the pipeline in later articles pulls code from here, so keep it until you're done. When you want to delete it (at the end of the series):
$ aws codecommit delete-repository --repository-name awscicd-demo-app
A CodeCommit repo falls within the free tier at small scale (5 active users, 50 GB), so keeping it across the articles costs almost nothing.
Wrap-up
CodeCommit is a private Git repo on AWS, integrated with IAM. The recommended way to connect Git is git-remote-codecommit: it signs requests with AWS credentials, so there's no separate Git password to create or store, and IAM checks the GitPush/GitPull permission. We created the repo, pushed a sample app, and walked the full branch → pull request → merge flow with the CLI, confirming main was updated. The code source is ready to serve as the starting point for the pipeline.
Part I closes with the foundation and source in place. Part II steps into the build stage: the next article creates a CodeBuild project, writes buildspec.yml, runs a real build against the code just pushed, and reads the log to see how each phase runs.