@shinyaz

CodeCommit returns AccessDeniedException for non-existent repositories

1 min read
#codecommit#iam#argocd#troubleshooting

While testing ArgoCD with CodeCommit, I accidentally used a wrong repository name in the Application's repoURL. I expected a "repository not found" error, but got the exact same AccessDeniedException as when the IAM policy was missing entirely.

Output
is not authorized to perform: codecommit:GitPull on resource:
arn:aws:codecommit:ap-northeast-1:111122223333:argocd-demo-typo

This happens because the IAM policy's Resource is scoped to a specific repository ARN. Any repository name outside that scope — whether it exists or not — is treated as a permission error.

When you see AccessDeniedException, the first debugging step is to compare the Resource ARN in the IAM policy with the repository name in the repoURL. A simple typo can waste time chasing IAM permissions that are actually correct. Full verification details here.

Share this post

Shinya Tahara

Shinya Tahara

Solutions Architect @ AWS

I'm a Solutions Architect at AWS, providing technical guidance primarily to financial industry customers. I share learnings about cloud architecture and AI/ML on this site.The views and opinions expressed on this site are my own and do not represent the official positions of my employer.

Read more