Use git credential store instead of keychain

Tags: git, authorisation, 403, keychain


When writing software in a team it’s crucial to work with version control. Version control enables multiple developers to work on code at the same time without stepping on each other’s toes, and helps keep track of changes. Git is one of the tools used to track these changes.

A recent update to the Apple developer tools caused Apple’s Git to seemingly randomly(?) take over and try to be helpful by storing credentials for git-related activities in the “Keychain” app which is installed on all Macs. Keychain does some useful things like remembering Wi-Fi passwords and, if you use Safari or iOS, keeping your passwords consistent across your various Apple devices. This was an unwelcome change, however.

When using Git with Amazon Web Services (AWS), you have the option of using SSH or HTTPS to connect to the Git service in CodeCommit. However, when using federated access to a secondary or sub-account which you have been granted access to through IAM roles, it is not possible to connect through SSH, as you need to tell AWS who you are and then which role you want to assume. To do so, you must use HTTPS.

Once you’re set up it is mostly fine; recently, however, a change came through with the update to the developer tools which Apple includes as part of their system updates. It took a while to nail down the problem, but if you start seeing something like:

fatal: unable to access 'https://git-codecommit.ap-southeast-2.amazonaws.com/v1/repos/YOUR_REPO': The requested URL returned error: 403

Then it’s possible that the macOS Keychain is storing your credentials, which have a limited lifetime (15-20 minutes maybe?).

After some research I found this answer on Stack Overflow which sort of helped. But the actual answer was in the comments:

In your terminal window, type:

git config --show-origin --get credential.helper

For me this returned:

file:/Library/Developer/CommandLineTools/usr/share/git-core/gitconfig    osxkeychain

If you edit the file:

/Library/Developer/CommandLineTools/usr/share/git-core/gitconfig

and remove the credential-helper record, it solves the problem: your details are no longer stored in Keychain, which forces git to use the credentials configured in your ~/.gitconfig file and your ~/.aws/ directory, which for me is back to the way it had initially been set.

Now all calls to AWS Code Commit are made using the credentials I’ve stored every time, rather than using expired credentials stored in Keychain.

UPDATE! 🚨 (16/01/2019)

Josh Armitage has kindly provided a bash script which takes all the hard work out of copy-pasting the commands above and does it all for you in one neato bash script.

To run it you can either copy-paste this command into your console:

sh -c "$(curl -fsSL https://gist.githubusercontent.com/jgunnink/00714353f09855220cc54c0132f88cd9/raw/26c6aa1558b075bf057726740e5c48598533a6c3/remove_git_credential_helper.sh)"

Or you can view the source code below: https://gist.github.com/jgunnink/00714353f09855220cc54c0132f88cd9

#!/bin/bash
set -e

# Where is credential.helper set, and what is it set to?
# (git config exits non-zero when the key is unset; treat that as "nothing to do")
GIT_CONFIG=$(git config --show-origin --get credential.helper || true)

if [[ ${GIT_CONFIG} == *osxkeychain* ]]; then
  # The origin column is "file:<path>"; strip the prefix to get the config path
  FILE=$(echo "${GIT_CONFIG}" | awk '{print $1}' | sed 's/^file://')
  # Delete the "[credential]" header and the helper line that follows it
  # (macOS sed: -i.bak edits in place and keeps a .bak copy of the original)
  sudo sed -i.bak '/\[credential\]$/N; /\[credential\]/d' "${FILE}"
fi
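As an added example (not the post’s own commands or Josh Armitage’s gist), the script below covers the same procedure as the manual steps and the gist above, but from the other direction: it parses every line of `git config --show-origin --get-all credential.helper` so you can see each configured helper and which file set it, and, when run with `apply`, it fixes the problem in ~/.gitconfig rather than in the system gitconfig under /Library (which the next Command Line Tools update can put back). The fix uses two documented git behaviours: setting credential.helper to an empty string resets the list of helpers collected so far (gitcredentials(7)), and any credential option can be scoped to a URL. The CodeCommit host comes from the 403 message in the post; the AWS CLI’s `aws codecommit credential-helper` is assumed to be what the ~/.gitconfig plus ~/.aws/ setup the post describes already used (the post does not name it), and the `apply`/`report` arguments are this script’s own convention.

```shell
#!/bin/bash
# Added example, not the post's or the gist's code. Assumes bash, git, the AWS
# CLI, and the CodeCommit host taken from the post's 403 error message.
set -eu

CODECOMMIT_URL="https://git-codecommit.ap-southeast-2.amazonaws.com"
TAB=$(printf '\t')

# One line of `git config --show-origin --get-all credential.helper` looks like
# "<origin><TAB><value>", where origin is "file:<path>", "command line:", etc.
# Print the path for a file origin, nothing otherwise.
helper_origin_file() {
  origin=${1%%"$TAB"*}
  case "$origin" in
    file:*) printf '%s\n' "${origin#file:}" ;;
  esac
}

# Print the helper value (the part after the tab).
helper_value() {
  printf '%s\n' "${1#*"$TAB"}"
}

# Succeed (exit 0) when the helper on this line is the macOS keychain helper.
helper_is_osxkeychain() {
  case "$(helper_value "$1")" in
    *osxkeychain*) return 0 ;;
    *) return 1 ;;
  esac
}

# List every configured helper with its origin and flag the keychain one.
# Several helpers can be stacked (system file, ~/.gitconfig, repo .git/config);
# git tries them in config order, which is why the system file wins by default.
report_helpers() {
  git config --show-origin --get-all credential.helper 2>/dev/null |
  while IFS= read -r line; do
    file=$(helper_origin_file "$line")
    if helper_is_osxkeychain "$line"; then
      echo "keychain helper set in: ${file:-<not a file>}"
    else
      echo "helper '$(helper_value "$line")' set in: ${file:-<not a file>}"
    fi
  done
}

# Fix without sudo: for the CodeCommit host only, reset the helper list (an
# empty string clears helpers read so far, including the system file's
# osxkeychain) and then add the AWS CLI helper, which signs each request from
# the credentials in ~/.aws/ instead of replaying a cached, expired token.
apply_fix() {
  key="credential.${CODECOMMIT_URL}.helper"
  git config --global --unset-all "$key" || true   # keep re-runs idempotent
  git config --global --add "$key" ''
  git config --global --add "$key" '!aws codecommit credential-helper $@'
  git config --global "credential.${CODECOMMIT_URL}.UseHttpPath" true
}

case "${1:-}" in
  apply)  apply_fix; report_helpers ;;
  report) report_helpers ;;
esac
```

Run `./fix_codecommit_helper.sh report` first to see the stacked helpers and their origins (the system gitconfig line is the one the post found), then `./fix_codecommit_helper.sh apply`. Because the override is URL-scoped, the keychain helper keeps working for any other HTTPS remotes you use.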