Hello,
I created a CodeCommit repo called "mlpuppet" (masterless Puppet). I assigned AWSCodeCommitFullAccess to one user and successfully populated the repo via SSH.
I then assigned two custom policies to another user that should have read-only access to this repo. The policies are as follows:

    "Effect": "Allow",
    "Action": [
        "codecommit:BatchGetRepositories",
        "codecommit:List*"
    ],
    "Resource": "*"

    "Effect": "Allow",
    "Action": [
        "codecommit:BatchGetRepositories",
        "codecommit:Get*",
        "codecommit:GitPull",
        "codecommit:List*"
    ],
    "Resource": "arn:aws:codecommit:us-east-1:[redacted]:mlpuppet"

This second user is able to clone the repository, and pull updates, via SSH. However, I want this user to use HTTPS in production, not SSH. Unfortunately, I receive the following error when attempting to use HTTPS:
$ git clone https://git-codecommit.us-east-1.amazonaws.com/v1/repos/mlpuppet
Initialized empty Git repository in /home/mlpuppet_ro/mlpuppet/.git/
error: The requested URL returned error: 401 Unauthorized while accessing https://git-codecommit.us-east-1.amazonaws.com/v1/repos/mlpuppet/info/refs
Here's my setup:

=== .gitconfig ===
[credential]
    helper = !aws --profile CodeCommitProfile codecommit credential-helper $@
    UseHttpPath = true

=== .aws/config ===
[profile CodeCommitProfile]
output = json
region = us-east-1

=== .aws/credentials ===
[CodeCommitProfile]
aws_access_key_id = AKIA[redacted]
aws_secret_access_key = [redacted]

$ echo -e "protocol=https\npath=/v1/repos/mlpuppet\nhost=git-codecommit.us-east-1.amazonaws.com" | aws codecommit --profile CodeCommitProfile credential-helper get
username=AKIA[redacted, identical to the version in .aws/credentials]
password=20151224[remainder redacted]
In case it matters, this is git-1.7.1 on CentOS 6.6. Any tips?
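
An added diagnostic sketch for the setup described in this post (not the poster's code, and not AWS or Git tooling): it separates the two places HTTPS authentication can break, the credential helper itself and the Git client that has to invoke it. It assumes Git's credential-helper support begins with release 1.7.9; the function names and the sample credential values are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Git or the AWS CLI.

MIN_GIT="1.7.9"   # assumption stated in the lead-in: first Git with credential helpers

# version_ge A B: succeed when dotted version A >= B (first three fields compared).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# helper_output_ok: read credential-helper output on stdin; succeed only when
# both a non-empty username= line and a non-empty password= line are present.
helper_output_ok() {
    awk -F= '$1 == "username" && $2 != "" { u = 1 }
             $1 == "password" && $2 != "" { p = 1 }
             END { exit !(u && p) }'
}

# diagnose GIT_VERSION: helper output on stdin, one-word verdict on stdout.
diagnose() {
    if ! helper_output_ok; then
        echo "helper-failed"   # check the AWS CLI profile and the IAM policy
    elif ! version_ge "$1" "$MIN_GIT"; then
        echo "git-too-old"     # this Git predates helpers and ignores [credential]
    else
        echo "ok"
    fi
}

# Constructed sample mirroring the post: the helper answers, the client is 1.7.1.
sample='username=AKIAEXAMPLE
password=20151224EXAMPLE'
printf '%s\n' "$sample" | diagnose "1.7.1"

# On a real host, pipe the live helper output in and pass the installed version:
#   ... | aws codecommit --profile CodeCommitProfile credential-helper get \
#       | diagnose "$(git --version | awk '{print $3}')"
```
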