Skip to content

feat(prefect-aws): Add AWS CodeCommit git credential support #19836

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
bdalpe wants to merge 5 commits into from
Closed

feat(prefect-aws): Add AWS CodeCommit git credential support #19836

bdalpe wants to merge 5 commits into from

Conversation

@bdalpe
Copy link
Contributor

@bdalpe bdalpe commented Dec 17, 2025

Summary

Adds support for authenticating Git operations with AWS CodeCommit using SigV4 signing. Introduces a new AwsCodeCommitCredentials block that generates authenticated Git URLs for CodeCommit repositories.

Changes

  • New AwsCodeCommitCredentials block (src/integrations/prefect-aws/prefect_aws/credentials.py)

    • Uses SigV4 signing to generate authenticated Git URLs
    • Extracts region and repository info from CodeCommit URLs
    • Supports temporary credentials (session tokens)
    • Provides a format_git_credentials() method that returns a fully authenticated URL
    • Includes a get_client() method for authenticated CodeCommit client access

  • Test coverage (src/integrations/prefect-aws/tests/test_credentials.py)

    • Tests for basic credential formatting with SigV4 signatures
    • Tests for session token support
    • Tests for instance role credentials
    • Tests for error handling when credentials are missing

  • Module exports (src/integrations/prefect-aws/prefect_aws/__init__.py)

    • Exports AwsCodeCommitCredentials in the public API

Usage

The credentials block can be used in Prefect deployment configurations:

pull:
    - prefect.deployments.steps.git_clone:
        repository: https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-repo
        credentials: "{{ prefect.blocks.aws-codecommit-credentials.my-codecommit-credentials-block }}"

Technical Details

The implementation uses botocore's SigV4Auth to sign Git requests to CodeCommit. The signature is embedded in the Git URL format: https://{username}:{signature}@git-codecommit.{region}.amazonaws.com/v1/repos/{repository} where the username contains the AWS access key (and optional session token), and the signature is a SigV4 signature generated for the Git operation.

Resolves #19832

Checklist

  • This pull request references any related issue by including "closes <link to issue>"
    • If no issue exists and your change is not a small fix, please create an issue first.
  • If this pull request adds new functionality, it includes unit tests that cover the changes
  • If this pull request removes docs files, it includes redirect settings in mint.json.
  • If this pull request adds functions or classes, it includes helpful docstrings.

@github-actions github-actions bot added the enhancement An improvement of an existing feature label Dec 17, 2025
@bdalpe bdalpe added the integrations Related to integrations with other services label Dec 17, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Dec 31, 2025

This pull request is stale because it has been open 14 days with no activity. To keep this pull request open remove stale label or comment.

@bdalpe bdalpe closed this Jan 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cicdw cicdw Awaiting requested review from cicdw cicdw will be requested when the pull request is marked ready for review cicdw is a code owner

@desertaxle desertaxle Awaiting requested review from desertaxle desertaxle will be requested when the pull request is marked ready for review desertaxle is a code owner

@zzstoatzz zzstoatzz Awaiting requested review from zzstoatzz zzstoatzz will be requested when the pull request is marked ready for review zzstoatzz is a code owner

@chrisguidry chrisguidry Awaiting requested review from chrisguidry chrisguidry will be requested when the pull request is marked ready for review chrisguidry is a code owner

Assignees

No one assigned

Labels

enhancement An improvement of an existing feature integrations Related to integrations with other services status:stale

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add AWS CodeCommit git authentication support

2 participants

@bdalpe