[SOLVED] AWS CodeCommit & Git on OSX fatal: unable to access / returned error: 403

Symptom: You had set up the AWS CLI tools with AWS CodeCommit support and integrated them with Git using the credential.helper config line. Everything was working correctly, then you tried to clone or push and got an error similar to:

fatal: unable to access 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/YOUR_REPO/': The requested URL returned error: 403  

This one is an OSX exclusive, and it all has to do with the infamous keychain.

Paranoid devops monkeys over at Amazon AWS decided a while ago that the safest way to handle credentials over HTTPS is to reset the user's password every so often.

Normally this is not a problem, since you as a user don't even keep track of the password, which is actually automagically fetched by the CLI tools every time you try to access HTTPS resources.

It is a problem for OSX users, though, since the password is cached by keychain.
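To check whether the keychain helper really is answering before the AWS helper on a given machine, the helper order can be read out of Git's config. The script below is an added example, not part of the original post: the function names and the sample lines are constructed, and it only looks at unscoped credential.helper entries.

```shell
#!/bin/sh
# Added example (not from the original post).
# Real usage on the affected Mac:
#   git config --show-origin --get-all credential.helper | classify_helpers
# Each input line is "origin<TAB>helper". Git asks helpers in this order and
# stops at the first one that supplies a username and password; an empty
# helper value resets the list built so far.

classify_helpers() {
    tab=$(printf '\t')
    pos=0
    keychain_pos=0
    aws_pos=0
    while IFS= read -r line || [ -n "$line" ]; do
        helper=${line#*"$tab"}      # drop the origin column
        pos=$((pos + 1))
        case $helper in
            '')                     # empty value: earlier helpers are discarded
                keychain_pos=0
                aws_pos=0
                ;;
            *osxkeychain*)
                if [ "$keychain_pos" -eq 0 ]; then keychain_pos=$pos; fi
                ;;
            *codecommit*credential-helper*)
                if [ "$aws_pos" -eq 0 ]; then aws_pos=$pos; fi
                ;;
        esac
    done
    if [ "$aws_pos" -eq 0 ]; then
        echo no-aws-helper          # CodeCommit helper is not configured at all
    elif [ "$keychain_pos" -ne 0 ] && [ "$keychain_pos" -lt "$aws_pos" ]; then
        echo keychain-first         # cached password is served before AWS is asked
    else
        echo ok
    fi
}

# Constructed sample: a system-level config that enables the keychain helper,
# followed by the user's own AWS helper line. Paths are placeholders.
sample_stale() {
    printf 'file:/path/to/system/gitconfig\tosxkeychain\n'
    printf 'file:/path/to/user/.gitconfig\t!aws codecommit credential-helper $@\n'
}

sample_stale | classify_helpers
```

A result of keychain-first means the cached entry is what Git sends, which is the situation the solutions below deal with.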


There are three real solutions to this problem...

Solution 1 (Quick):

Fire up the terminal and run:

security delete-internet-password -l git-codecommit.us-east-1.amazonaws.com

Doesn't get any easier than that. But it is not a permanent solution: the clock is now ticking down to the next password reset done on AWS.

Solution 2 (Better/Permanent):

As per Amazon Docs:

  1. Open the Keychain Access utility. (You can use Finder to locate it.)

  2. Search for git-codecommit.us-east-1.amazonaws.com. Highlight the row, open the context menu or right-click it, and then choose Get Info.

  3. Choose the Access Control tab.

  4. In Always allow access by these applications, choose git-credential-osxkeychain, and then choose the minus sign to remove it from the list.

Solution 3 (Best):

Install a version of Git that does not use the keychain by default.

Bonus Solution (Cop-out):

This is more like avoiding the problem altogether: just use SSH.

