CodeCommit is Back! Verifying the Revived AWS CodeCommit with Kiro-CLI, Reconfirming the Convenience of IAM Authenticated Git
AWS CodeCommit, which was announced to be discontinued for new users in July 2025, has had this decision reversed today with an announcement of complete service continuation (return to GA).
The return of CodeCommit, which offers high compatibility with AWS environments and secure management through IAM authentication, is good news for many developers.
In this article, to commemorate this return, I verified how smoothly "credential-less Git operations with IAM authentication," one of CodeCommit's strengths, can be performed using AWS's AI agent tool "Kiro-CLI," based on actual behavior and logs.
Testing Environment and Prerequisites
I conducted this verification in the following environment:
- OS: Amazon Linux 2023
- Tool: Kiro-CLI 1.20.1
- Target Service: AWS CodeCommit
- Authentication Method:
aws login(Standard browser authentication in AWS CLI v2)
For building the test environment and installing Kiro-CLI, I followed the procedures in the article below:
1. Obtaining AWS Authentication (Browser Authentication)
First, I authenticated with AWS from within the Kiro-CLI interactive session.
The biggest advantage of using CodeCommit is the ability to perform simple operations using only temporary AWS CLI authentication credentials (IAM roles) without managing SSH keys or fixed Git passwords.
aws login
Here, I used the aws login command added in AWS CLI v2.32.0 to start a secure session.
Command Executed
!aws login
Execution Log
After browser authentication, the terminal profile was updated.
Attempting to open your default browser.
If the browser does not open, open the following URL:
https://ap-northeast-1.signin.aws.amazon.com/v1/authorize?response_type=code&client_id=arn%3Aaws%3Asignin%3A%3A%3Adevtools%2Fsame-device... (omitted) ...
Profile default is already configured to use session ...
Do you want to overwrite it ...? (y/n): y
Updated profile default to use arn:aws:sts::123456789012:assumed-role/cm-user/cm-user credentials.
I confirmed that the AI agent correctly recognized the updated authentication information.
Prompt
Check the current AWS account information.
Execution Log
Running aws cli command (using tool: aws):
Service name: sts
Operation name: get-caller-identity
Parameters:
Region: us-east-1
{
"UserId": "AROAYQNJSKC6XXXXXXXXX:cm-user",
"Account": "123456789012",
"Arn": "arn:aws:sts::123456789012:assumed-role/cm-user/cm-user"
}
I confirmed access with the intended IAM role.
2. Creating a CodeCommit Repository
I instructed the creation of a private repository in the Tokyo region.
Prompt
Create a private CodeCommit repository named "sample-repo-demo" in the Tokyo region.
Execution Log
The AI executed aws codecommit create-repository.
Running aws cli command (using tool: aws):
Service name: codecommit
Operation name: create-repository
Parameters:
- repositoryDescription: "Sample repository for demo"
- repositoryName: "sample-repo-demo"
Region: ap-northeast-1
# Results (excerpt)
# - RepositoryName: sample-repo-demo
# - RepositoryId: ff82b310-xxxx-xxxx-xxxx-91b36111cca0
# - CloneUrlHttp: https://git-codecommit.ap-northeast-1.amazonaws.com/v1/repos/sample-repo-demo
I confirmed that the repository was created and an HTTPS clone URL was issued.
3. Secure Cloning with Credential Helper
This is where CodeCommit truly shines.
I asked the AI to set up Git authentication using only AWS CLI functionality, without creating or registering SSH key pairs.
Prompt
Set up the AWS CLI credential helper and clone the repository we just created.
Execution Log
The AI configured the credential-helper and performed the clone operation in sequence.
# Credential Helper Configuration (important part)
git config --global credential.helper '!aws codecommit credential-helper $@' && git config --global credential.UseHttpPath true
# Clone Execution
git clone https://git-codecommit.ap-northeast-1.amazonaws.com/v1/repos/sample-repo-demo
# Output
Cloning into 'sample-repo-demo'...
warning: You appear to have cloned an empty repository.
By injecting !aws codecommit credential-helper into the Git configuration, transparent authentication using IAM permissions was achieved. No password input was required.
4. File Creation and Git Initial Setup
As preparation for repository operations, I created a README and configured committer information.
Prompt
Create an initial README.md template and configure Git user information.
Execution Log
# Creating README.md (generated using write tool)
Creating: /home/user/work/sample-repo-demo/README.md
# Git config settings
git config user.email "user@example.com" && git config user.name "cm-user"
5. Branch Creation and Push
I created a development branch (dev) and pushed it to the remote.
Prompt
Commit the changes and push them to the remote as a dev branch.
Execution Log
# Commit
[dev (root-commit) 61b9601] Add initial README.md
# Push
git push -u origin dev
# Result
To https://git-codecommit.ap-northeast-1.amazonaws.com/v1/repos/sample-repo-demo
* [new branch] dev -> dev
branch 'dev' set up to track 'origin/dev'.
With IAM authentication working behind the scenes, the push completed smoothly just like with normal Git commands.
6. Creating a Pull Request (PR)
An interesting behavior of Kiro-CLI was observed when instructing "Create a PR from Dev to Main" - it autonomously created the non-existent main branch.
Prompt
Create a pull request to merge the dev branch into the main branch.
Execution Log
The AI determined that the "main branch does not exist" and executed the following steps:
- Created the
mainbranch locally and pushed it - Returned to the
devbranch - Created a PR using CodeCommit API
# 1. Preparing the main branch (AI's autonomous complementary action)
git checkout -b main && git push -u origin main
# 2. Returning to working branch
git checkout dev
# 3. Creating PR (AWS CLI)
aws codecommit create-pull-request \
--targets repositoryName=sample-repo-demo,sourceReference=dev,destinationReference=main \
--title "Merge dev to main" \
--description "Initial README.md" \
--region ap-northeast-1
As a result, the following PR was successfully created:
- Pull Request ID: 1
- Status: OPEN
7. Merging the PR
Finally, I merged the created PR.
Prompt
Merge the created pull request.
Execution Log
Running aws cli command (using tool: aws):
Service name: codecommit
Operation name: merge-pull-request-by-fast-forward
Parameters:
- pull-request-id: "1"
- repository-name: "sample-repo-demo"
Region: ap-northeast-1
The log showed pullRequestStatus: CLOSED, confirming that the merge was completed.
Summary: Re-evaluating CodeCommit × IAM Authentication
Through this verification, I was able to reconfirm the convenience of the revived CodeCommit.
The following two points are major strengths unique to CodeCommit as an AWS native service:
-
IAM Authentication Without Token/Key Management
As shown by thegit config ... credential-helperin the log, there is no need to issue or manage SSH private keys or Personal Access Tokens for Git operations.
In this case, I was able to use temporary session information obtained through browser authentication with MFA protection viaaws logindirectly with the AI agent, minimizing the risk of credential leakage. -
High Compatibility with AI Agents
When operating from tools like Kiro-CLI, repository operations (creation, PR, merge) are immediately possible if an IAM role is granted.
Including context completion like "create a branch if it doesn't exist," it proved to be a powerful option for operation automation.
CodeCommit offers high compatibility with AWS environments and secure management through IAM authentication. I'm delighted that this service has returned as an option.
