feat: AWS CodeCommit support #2035

Open. taraspos wants to merge 1 commit into fluxcd:main from taraspos:taras/aws-codecommit
Conversation

@taraspos taraspos commented Apr 20, 2026

Summary

Add support for AWS CodeCommit with IAM role auth (fluxcd/pkg#1142).

As part of:

@taraspos taraspos marked this pull request as ready for review April 20, 2026 11:08
@matheuscscp matheuscscp (Member) left a comment


Thanks @taraspos!

Please test this PR e2e with a real AWS account and post here some evidence 🙏

Quoted from the docs diff:

> For a complete guide on how to set up authentication for cloud providers,
> see the integration [docs](/flux/integrations/).
>
> #### AWS
matheuscscp (Member):

This section needs a bit more color like the Azure one. Doesn't need too much detail, though, as those docs should be mostly pointing at https://fluxcd.io/flux/integrations/ by now.

matheuscscp (Member):
@taraspos I don't see any pointers to the integrations docs

@taraspos taraspos (Author) Apr 21, 2026:
Yes, sorry. Had to switch to something else and didn't finish the doc. Just pushed an updated and simplified version.

taraspos (Author):
@matheuscscp I didn't have a chance to test object level workload identity yet.
I will try to find time to do so tomorrow, and then we can merge this.

@taraspos taraspos (Author):

Testing steps

1. Created an AWS EKS Pod Identity for namespace=flux-system and serviceaccount=source-controller with these permissions:

   ```json
   {
       "Statement": [
           {
               "Action": "codecommit:GitPull",
               "Effect": "Allow",
               "Resource": "arn:aws:codecommit:us-east-1:*:taras-test-123",
               "Sid": "CodeCommitPullAccess"
           }
       ],
       "Version": "2012-10-17"
   }
   ```

2. Updated the source-controller pod to use an image built from this PR and to pick up the pod identity settings (in us-west-2).

3. Created a new CodeCommit repository taras-test-123 (in us-east-1).

4. Created a new GitRepository object:

   ```yaml
   apiVersion: source.toolkit.fluxcd.io/v1
   kind: GitRepository
   metadata:
     name: taras-test-123
     namespace: flux-system
   spec:
     interval: 1m0s
     ref:
       branch: main
     timeout: 60s
     url: https://git-codecommit.us-east-1.amazonaws.com/v1/repos/taras-test-123
     provider: aws
   ```

5. Check repo object - success ✅

   ```console
   ➜  k -n flux-system get gitrepositories.source.toolkit.fluxcd.io
   NAME             URL                                                                           AGE     READY   STATUS
   taras-test-123   https://git-codecommit.us-east-1.amazonaws.com/v1/repos/taras-test-123        82s     True    stored artifact for revision 'main@sha1:3e1f9032f6b6b9b77bf79d1bc5be93147d987873'
   ```

6. Check CloudTrail event - success ✅

   ```json
   {
       "eventVersion": "1.11",
       "userIdentity": {
           "type": "AssumedRole",
           "principalId": "redacted",
           "arn": "redacted",
           "accountId": "123456789012",
           "accessKeyId": "redacted",
           "sessionContext": {
               "sessionIssuer": {
                   "type": "Role",
                   "principalId": "redacted",
                   "arn": "redacted",
                   "accountId": "123456789012",
                   "userName": "redacted"
               },
               "attributes": {
                   "creationDate": "2026-04-20T12:14:47Z",
                   "mfaAuthenticated": "false"
               }
           }
       },
       "eventTime": "2026-04-20T12:44:01Z",
       "eventSource": "codecommit.amazonaws.com",
       "eventName": "GitPull",
       "awsRegion": "us-east-1",
       "sourceIPAddress": "redacted",
       "userAgent": "go-git/5.x",
       "requestParameters": null,
       "responseElements": null,
       "additionalEventData": {
           "protocol": "HTTP",
           "dataTransferred": false,
           "repositoryName": "taras-test-123",
           "repositoryId": "redacted"
       },
       "requestID": "redacted",
       "eventID": "redacted",
       "readOnly": true,
       "resources": [
           {
               "accountId": "123456789012",
               "type": "AWS::CodeCommit::Repository",
               "ARN": "arn:aws:codecommit:us-east-1:123456789012:taras-test-123"
           }
       ],
       "eventType": "AwsApiCall",
       "managementEvent": true,
       "recipientAccountId": "123456789012",
       "eventCategory": "Management"
   }
   ```
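The CloudTrail check in step 6 can be automated so that every CodeCommit record is held to the same expectations: a read-only GitPull, of the expected repository ARN, made by an assumed IAM role with the go-git user agent seen above. The following is an added example and not code from this PR or from source-controller; the two records it scans are constructed from the shape of the record posted above with placeholder event IDs, and the function names and expected values are assumptions of this example.

```python
# Added example (not part of the PR or of source-controller): compare CloudTrail
# CodeCommit records against what the IAM-role-based GitPull above looks like.
# Sample records are constructed from the shape of the record in the PR with
# placeholder IDs; the expected values are assumptions of this example.

EXPECTED_ARN = "arn:aws:codecommit:us-east-1:123456789012:taras-test-123"


def verify_git_pull_event(event, expected_repo_arn):
    """Return a list of findings; an empty list means the record looks like a
    read-only pull of the expected repository by an assumed IAM role."""
    findings = []
    if event.get("eventSource") != "codecommit.amazonaws.com":
        findings.append("not a CodeCommit event")
    if event.get("eventName") != "GitPull":
        findings.append(f"eventName is {event.get('eventName')!r}, expected GitPull")
    if event.get("readOnly") is not True:
        findings.append("event is not read-only (a pull never writes)")
    ident = event.get("userIdentity") or {}
    if ident.get("type") != "AssumedRole":
        findings.append(f"userIdentity.type is {ident.get('type')!r}; pod identity and "
                        "IRSA pulls are made by an assumed role, not long-lived credentials")
    # Account is the 5th colon-separated field of the repository ARN.
    expected_account = expected_repo_arn.split(":")[4]
    if ident.get("accountId") != expected_account:
        findings.append(f"caller account {ident.get('accountId')!r} is not {expected_account}")
    arns = {r.get("ARN") for r in event.get("resources") or []}
    if expected_repo_arn not in arns:
        findings.append(f"repository ARNs {sorted(a for a in arns if a)} do not include {expected_repo_arn}")
    if not str(event.get("userAgent", "")).startswith("go-git/"):
        findings.append(f"userAgent {event.get('userAgent')!r} is not go-git "
                        "(the controller's pull above reported go-git/5.x)")
    return findings


def scan_events(events, expected_repo_arn):
    """Return [(eventID, findings)] for CodeCommit records that deviate from the expected pull."""
    out = []
    for ev in events:
        if ev.get("eventSource") != "codecommit.amazonaws.com":
            continue  # other services are out of scope for this check
        findings = verify_git_pull_event(ev, expected_repo_arn)
        if findings:
            out.append((ev.get("eventID"), findings))
    return out


# Constructed: a trimmed copy of the record posted in the PR (the good case).
GOOD_EVENT = {
    "eventVersion": "1.11",
    "userIdentity": {"type": "AssumedRole", "accountId": "123456789012"},
    "eventTime": "2026-04-20T12:44:01Z",
    "eventSource": "codecommit.amazonaws.com",
    "eventName": "GitPull",
    "awsRegion": "us-east-1",
    "userAgent": "go-git/5.x",
    "eventID": "EVENT-ID-1-PLACEHOLDER",
    "readOnly": True,
    "resources": [{"accountId": "123456789012",
                   "type": "AWS::CodeCommit::Repository", "ARN": EXPECTED_ARN}],
}

# Constructed: a push with long-lived IAM user credentials from a plain git client,
# the kind of record that should never appear for a source-controller identity.
BAD_EVENT = {
    "eventVersion": "1.11",
    "userIdentity": {"type": "IAMUser", "accountId": "123456789012"},
    "eventSource": "codecommit.amazonaws.com",
    "eventName": "GitPush",
    "awsRegion": "us-east-1",
    "userAgent": "git/2.x",
    "eventID": "EVENT-ID-2-PLACEHOLDER",
    "readOnly": False,
    "resources": [{"accountId": "123456789012",
                   "type": "AWS::CodeCommit::Repository", "ARN": EXPECTED_ARN}],
}

if __name__ == "__main__":
    for event_id, findings in scan_events([GOOD_EVENT, BAD_EVENT], EXPECTED_ARN):
        print(event_id)
        for finding in findings:
            print("  -", finding)
```

Run against a CloudTrail export (one JSON record per list element), `scan_events` is silent for the record shown in the PR and reports four findings for the constructed push: wrong event name, not read-only, an IAM user instead of an assumed role, and a non-go-git user agent.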

@matheuscscp matheuscscp (Member) commented Apr 20, 2026

@taraspos Thanks for testing!

The CI is failing, please take a look. One job is failing due to code generation (you need to run `make api-docs generate manifests`), the other seems to be a genuine failure.

@taraspos taraspos force-pushed the taras/aws-codecommit branch 4 times, most recently from 2d16001 to 7ec5c01 Compare April 21, 2026 11:18
@matheuscscp matheuscscp (Member) left a comment

@taraspos Please update the docs to point to the integrations page.

We also need a PR here:

https://github.com/fluxcd/website/blob/main/content/en/flux/integrations/aws.md?plain=1

Will merge this one after we have the PR for the website ready and also a similar PR for image-automation-controller.

@taraspos taraspos force-pushed the taras/aws-codecommit branch 2 times, most recently from 6afeb03 to 5f4b135 Compare April 21, 2026 13:22
Signed-off-by: Taras <9948629+taraspos@users.noreply.github.com>
@taraspos taraspos force-pushed the taras/aws-codecommit branch from 5f4b135 to cbf3816 Compare April 21, 2026 13:25
@taraspos taraspos (Author) commented Apr 23, 2026

Confirmed that object-level workload identity works via IRSA. Testing steps are the same as above (#2035 (comment)), with the following differences:

1. Add --feature-gates=ObjectLevelWorkloadIdentity=true to the source-controller args.

2. Create an IRSA-compatible IAM role.

3. Create a Service Account like:

   ```yaml
   apiVersion: v1
   kind: ServiceAccount
   metadata:
     annotations:
       eks.amazonaws.com/role-arn: arn:aws:iam::12456789012:role/fluxcd-test-workload-irsa
     name: aws-workload-identity-sa
     namespace: flux-system
   ```

4. Create a GitRepository like:

   ```yaml
   apiVersion: source.toolkit.fluxcd.io/v1
   kind: GitRepository
   metadata:
     name: taras-test-123-sa
     namespace: flux-system
   spec:
     interval: 1m0s
     ref:
       branch: main
     timeout: 60s
     url: https://git-codecommit.us-east-1.amazonaws.com/v1/repos/taras-test-123
     provider: aws
     serviceAccountName: aws-workload-identity-sa
   ```

5. Success ✅
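Both test runs above depend on three things agreeing: the region and repository name in the GitRepository URL, the Resource ARN in the IAM policy attached to the identity, and, for object-level workload identity, the controller feature gate. The following added example (not part of this PR or of source-controller) cross-checks them statically before anything is applied. The policy and manifest are the ones from the test steps, written as Python dicts rather than parsed from YAML; the account id is a placeholder, and all function names and the checks themselves are assumptions of this example.

```python
# Added example (not part of the PR or of source-controller): static consistency
# checks between a GitRepository manifest, the IAM policy of the identity that
# will pull it, and the controller's command-line args. Function names and
# checks are assumptions of this example; the inputs come from the PR's tests.
import re
from fnmatch import fnmatchcase

# Flag that the object-level test above added to the source-controller args.
OBJECT_LEVEL_WI_FLAG = "--feature-gates=ObjectLevelWorkloadIdentity=true"

_CODECOMMIT_URL = re.compile(
    r"^https://git-codecommit\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/v1/repos/(?P<repo>[^/]+)$"
)


def parse_codecommit_url(url):
    """Split a CodeCommit HTTPS clone URL into (region, repository name)."""
    m = _CODECOMMIT_URL.match(url or "")
    if not m:
        raise ValueError(f"not a CodeCommit HTTPS URL: {url!r}")
    return m.group("region"), m.group("repo")


def repo_arn(url, account_id):
    """Build the repository ARN the IAM policy must cover, from the manifest URL."""
    region, repo = parse_codecommit_url(url)
    return f"arn:aws:codecommit:{region}:{account_id}:{repo}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, arn):
    """Evaluate one action/resource pair: some Allow must match and no Deny may.
    IAM wildcards (* and ?) are modelled with fnmatch; actions compare case-insensitively."""
    allowed = False
    for st in policy.get("Statement", []):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        resources = _as_list(st.get("Resource", []))
        if not any(fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatchcase(arn, r) for r in resources):
            continue
        if st.get("Effect") == "Deny":
            return False  # explicit deny wins over any allow
        if st.get("Effect") == "Allow":
            allowed = True
    return allowed


def check_gitrepository(obj, policy, account_id, controller_args):
    """Return a list of findings; empty means manifest, policy and controller agree."""
    findings = []
    spec = obj.get("spec", {})
    if spec.get("provider") != "aws":
        findings.append("spec.provider must be 'aws' to use IAM credentials for CodeCommit")
    try:
        arn = repo_arn(spec.get("url"), account_id)
    except ValueError as exc:
        findings.append(str(exc))
        return findings
    if not policy_allows(policy, "codecommit:GitPull", arn):
        findings.append(f"IAM policy does not allow codecommit:GitPull on {arn} "
                        "(check the region in the URL against the Resource ARN)")
    if policy_allows(policy, "codecommit:GitPush", arn):
        findings.append("IAM policy also allows codecommit:GitPush; a source only needs GitPull")
    if spec.get("serviceAccountName") and OBJECT_LEVEL_WI_FLAG not in controller_args:
        findings.append("spec.serviceAccountName is set but the controller is not started with "
                        f"{OBJECT_LEVEL_WI_FLAG}; object-level identity was only tested with it on")
    return findings


# Inputs from the PR's test steps (constructed Python dicts, not parsed from YAML).
POLICY = {
    "Statement": [{"Action": "codecommit:GitPull", "Effect": "Allow",
                   "Resource": "arn:aws:codecommit:us-east-1:*:taras-test-123",
                   "Sid": "CodeCommitPullAccess"}],
    "Version": "2012-10-17",
}
GITREPO = {
    "apiVersion": "source.toolkit.fluxcd.io/v1", "kind": "GitRepository",
    "metadata": {"name": "taras-test-123-sa", "namespace": "flux-system"},
    "spec": {"interval": "1m0s", "ref": {"branch": "main"}, "timeout": "60s",
             "url": "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/taras-test-123",
             "provider": "aws", "serviceAccountName": "aws-workload-identity-sa"},
}
ACCOUNT = "123456789012"  # placeholder account id, as in the redacted CloudTrail record

if __name__ == "__main__":
    print(check_gitrepository(GITREPO, POLICY, ACCOUNT, [OBJECT_LEVEL_WI_FLAG]))  # []
    print(check_gitrepository(GITREPO, POLICY, ACCOUNT, []))  # feature-gate finding
```

The region check is the one most worth keeping: the test above ran the controller in us-west-2 against a repository in us-east-1, and a policy whose Resource ARN names the wrong region is rejected by IAM at pull time with an error that is easy to misread as a credential problem.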


Quoted from the docs diff:

> ##### Configure Flux controller
>
> 1. Configure authentication using your preferred method - https://fluxcd.io/flux/integrations/aws/#authentication.

matheuscscp (Member) suggested change:

```diff
-1. Configure authentication using your preferred method - https://fluxcd.io/flux/integrations/aws/#authentication.
+1. Configure authentication using your preferred [method](https://fluxcd.io/flux/integrations/aws/#authentication).
```


Quoted from the docs diff:

> 1. Configure authentication using your preferred method - https://fluxcd.io/flux/integrations/aws/#authentication.
>
> Example IAM role policy:

matheuscscp (Member) suggested change:

```diff
-Example IAM role policy:
+Example IAM role policy (see [docs](https://fluxcd.io/flux/integrations/aws/#for-amazon-codecommit) for more details):
```

Comment on lines +310 to +311 of the docs diff:

> provider: aws
> url: https://git-codecommit.<region>.amazonaws.com/v1/repos/<repository-name>

matheuscscp (Member) suggested change:

```diff
 provider: aws
+serviceAccountName: my-tenant # optional (used for object-level workload identity)
 url: https://git-codecommit.<region>.amazonaws.com/v1/repos/<repository-name>
```
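Review bot: the comment on the added `serviceAccountName` line should mention the `--feature-gates=ObjectLevelWorkloadIdentity=true` controller flag, because the IRSA test in this thread had to add that flag to the source-controller args before the field was exercised; a reader copying `serviceAccountName: my-tenant` from the docs without it will not know the controller needs the gate. Suggest `serviceAccountName: my-tenant # optional (object-level workload identity; requires the ObjectLevelWorkloadIdentity feature gate)`.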
