auth/aws: AWS CodeCommit IAM authentication

[taraspos]

Summary

This PR implements IAM role based authentification for AWS CodeCommit Git HTTPS URLs

• Support AWS CodeCommit Access with IAM Role source-controller#1978
• CodeCommit specific request signing was implemented in v4/signer: add codecommit git signing options aws/smithy-go#628

Testing

• Verified locally that generated username and password works AWS CodeCommit repositories.
• Integration tests succeeding:

  --- PASS: TestGitCloneUsingProvider (25.85s)
      --- PASS: TestGitCloneUsingProvider/controller-level_workload_identity (12.20s)
      --- PASS: TestGitCloneUsingProvider/object-level_workload_identity_(impersonation) (13.65s)
      --- SKIP: TestGitCloneUsingProvider/object-level_workload_identity_(direct_access) (0.00s)
      --- SKIP: TestGitCloneUsingProvider/object-level_workload_identity_(impersonation,_federation) (0.00s)
      --- SKIP: TestGitCloneUsingProvider/object-level_workload_identity_(direct_access,_federation) (0.00s)
  

[matheuscscp]

@taraspos CI is failing, can you pls take a look?

[taraspos]

Seems like setup-envtest released a new version that depends on Go 1.26.0

go: sigs.k8s.io/controller-runtime/tools/setup-envtest@latest: sigs.k8s.io/controller-runtime/tools/setup-envtest@v0.0.0-20260331165415-bce0ec74ad73 requires go >= 1.26.0 (running go 1.25.8; GOTOOLCHAIN=local)

Not related to my change, but I can raise a PR with a fix. Let me do it in a separate branch.

[matheuscscp]

Seems like setup-envtest released a new version that depends on Go 1.26.0

go: sigs.k8s.io/controller-runtime/tools/setup-envtest@latest: sigs.k8s.io/controller-runtime/tools/setup-envtest@v0.0.0-20260331165415-bce0ec74ad73 requires go >= 1.26.0 (running go 1.25.8; GOTOOLCHAIN=local)

Not related to my change, but I can raise a PR with a fix. Let me do it in a separate branch.

We just merged #1158, pls rebase and let's see if this gets fixed 🙏

[matheuscscp]

Started the review, will continue tomorrow 👌

[matheuscscp]

Integration tests are running:

• AWS: https://github.com/fluxcd/pkg/actions/runs/24345069351
• Azure: https://github.com/fluxcd/pkg/actions/runs/24345072243
• GCP: https://github.com/fluxcd/pkg/actions/runs/24345077077

[taraspos]

I just found that I forgot to add "codecommit:ListTagsForResource" to the readme, so it might fail because of that 🤔 (unless GHA role have more permissions than the documented ones)

[matheuscscp]

I suppose the fix you just pushed should fix this?

https://github.com/fluxcd/pkg/actions/runs/24345069351/job/71083589019

[taraspos]

I suppose the fix you just pushed should fix this?

https://github.com/fluxcd/pkg/actions/runs/24345069351/job/71083589019

My fix just updates required permissions in the readme; however, I suspect that you might need to update the IAM role in the AWS account itself in some other way (manually, maybe? or some internal Terraform code).

• pkg/.github/workflows/integration-aws.yaml

  Lines 39 to 42 in 215ee0a

  	with:
  	role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.OCI_E2E_AWS_ASSUME_ROLE_NAME }}
  	role-session-name: OCI_GH_Actions
  	aws-region: us-east-1

[taraspos]

I guess permissions need to be updated in the same way, as they were previously updated here:

• Fix support for public.ecr.aws #938 (comment)

[matheuscscp]

I guess permissions need to be updated in the same way, as they were previously updated here:

• Fix support for public.ecr.aws #938 (comment)

Cool, I added codecommit:ListTagsForResource to the role used in the GHA workflow and retriggered. Let's see

[taraspos]

I guess permissions need to be updated in the same way, as they were previously updated here:

• Fix support for public.ecr.aws #938 (comment)

Cool, I added codecommit:ListTagsForResource to the role used in the GHA workflow and retriggered. Let's see

It's not only that one, all of these are needed for integration test to succeed:

                "codecommit:CreateRepository",
                "codecommit:DeleteRepository",
                "codecommit:GetRepository",
                "codecommit:GitPull",
                "codecommit:GitPush",
                "codecommit:ListTagsForResource",
                "codecommit:TagResource",
                "codecommit:UntagResource",

[matheuscscp]

I guess permissions need to be updated in the same way, as they were previously updated here:

• Fix support for public.ecr.aws #938 (comment)

Cool, I added codecommit:ListTagsForResource to the role used in the GHA workflow and retriggered. Let's see

It's not only that one, all of these are needed for integration test to succeed:

                "codecommit:CreateRepository",
                "codecommit:DeleteRepository",
                "codecommit:GetRepository",
                "codecommit:GitPull",
                "codecommit:GitPush",
                "codecommit:ListTagsForResource",
                "codecommit:TagResource",
                "codecommit:UntagResource",

Cool, added all of these and retriggered 🤞

[matheuscscp]

The AWS and Azure tests passed! GCP is timing out, but I think it's a generalized issue, the test running from main is probably also going to timeout:

https://github.com/fluxcd/pkg/actions/runs/24342753764/job/71101490831

Might be some GCP issue.

[matheuscscp]

LGTM! 🚀

Thanks very much, @taraspos! Very nice contribution!

[taraspos]

Thanks! I will look into raising source-controller (and other) PR soon!

[matheuscscp]

Thanks! I will look into raising source-controller (and other PR) soon!

And image-automation-controller :) Everything SC does, IAC has to do as well

[stefanprodan]

LGTM

[stefanprodan]

@taraspos we'll let you know here when we'll release the packages, then you can do SC first.

[matheuscscp]

@taraspos auth/v0.41.0 is tagged 🚀