AWS DevOps Blog

Integrating AWS OpsWorks and AWS CodeCommit

Take advantage of CodeCommit as a repository for OpsWorks now!

AWS OpsWorks (OpsWorks) can automatically fetch the Apps and Chef cookbooks from Git repositories, among other sources. This post shows how AWS OpsWorks can use the new Git-based repository service, AWS CodeCommit (CodeCommit), to fetch and deploy an application stored in an CodeCommit repository.  

Unlike other Git-based services, CodeCommit uses AWS Identity and Access Management (IAM) users, groups and their policies to allow access to the repositories. To connect to CodeCommit, you need an IAM user with the required CodeCommit access permissions (like public SSH key and IAM policies). After you’ve done that, you simply create and deploy your app using OpsWorks.

Step 1: Set up an IAM user and SSH keys

Begin by creating an IAM user and attaching a policy to grant the user access to CodeCommit.

  • In the IAM console, choose User, and then choose Create new users. On the Create new users page, in the Enter User Name field, type codecommit_deploy, for this example, and then choose Create.
  • Attach a policy to grant the user access to CodeCommit. The built-in IAM policy, AWSCodeCommitReadOnly, is sufficient for deployment purposes. In this example, codecommit_deploy is the IAM user. For more information, see Setting Up for AWS CodeCommit.
  • Create an SSH key pair on your local machine (for example, by using ssh-keygen), making sure there is no password or passphrase for the key pair. In this example, ~/.ssh/codecommit_id_rsa is the private SSH key. ~/.ssh/ is the public SSH key. For more information, see the Setting Up for SSH Connection.
  • Use the IAM console or AWS CLI to upload the SSH public key (~/.ssh/ to the codecommit_deploy user. If you use the CLI, the CLI user must have an IAM policy with the IAM:UploadSSHPublicKey action set to Allow. For example:
"Sid": "Stmt1439339776000",
"Effect": "Allow",
"Action": [
"Resource": [
  • If you use the console, navigate to Users, choose codecommit_deploy, and then scroll down to SSH keys for AWS CodeCommit. Choose Upload SSH Key and copy and paste the contents of the public SSH key ~/.ssh/
  • Make a note of the SSH key ID, which is like a user name and is required to access the CodeCommit repository. In this example, the SSH key ID is APKAJN47QZ7VONJX7A3Q.
  • (Optional) Test the SSH credentials on your local machine.
$ cat ~/.ssh/config 
Host git-codecommit.*
   IdentityFile ~/.ssh/codecommit_id_rsa

$ ssh
You have successfully authenticated over SSH. You can use Git to interact with AWS CodeCommit. Interactive shells are not supported.Connection to closed by remote host. Connection to

Step 2: Create and deploy an OpsWorks app

Now, create your app and deploy it:

  • In the OpsWorks console, choose the stack, then Apps, either add a new app or edit an existing app, and for Application Source, choose Git.
  • For Repository URL, type ssh://, where the SSH URL is obtained from the CodeCommit console and APKAJN47QZ7VONJX7A3Q is your own SSH key ID (created during step 1).
  • Under Repository SSH key, add the contents of the private SSH key file i.e. ~/.ssh/codecommit_id_rsa, in this case.
  • Add the app, and then deploy it as usual!

Step 3: Verify the Deployment

Check the OpsWorks deployment logs. If you see something similar to the following, your deployment succeeded:

[2015-07-29T04:29:40+00:00] INFO: deploy[/srv/www/myapp] cloning repo ssh:// to /srv/www/myapp/shared/cached-copy

[2015-07-29T04:29:46+00:00] INFO: deploy[/srv/www/myapp] checked out branch: HEAD onto: deploy reference: 0a76794607c4a26369be3fdd855acd590c3be7bb


By following these instructions, you should be able to deploy OpsWorks apps or cookbooks from an CodeCommit repository. The AWS CodeCommit team is working to improve its integration with other AWS services. Stay tuned for updates!