CodeCommit pricing question (multiple roles for each IAM user)


My client has around 400 repositories, and there are 2 roles for each repository (so around 800 roles). The client has 700 users (so 700 IAM users) that access these repos. On average each user accesses around 7-8 repos, so each user reaches these repos with around 15 different roles. It's unclear to me how the pricing applies. Is my client going to pay for 700 users, or is it going to pay for 700 users * 15 average roles = 10,500?


AWS
asked 2 years ago, 372 views
2 Answers
Accepted Answer

Dear Corey, my client (I'm an AWS SA) went live, and after a deep dive with the service team we clarified the cost.

The bottom line:

  • If they use IAM, they pay for users, not by role.
  • For federated users, if the customer is using these APIs to obtain credentials, then it is one user per role:
    • assume-role
    • get-federation-token
  • If the customer is using any of these APIs to obtain credentials, then the number of users depends on attributes made within their API request.
    • assume-role-with-saml
    • assume-role-with-web-identity

In this case, if the SAML data contains a subject which contains a name identifier (e.g., this means that the bill would be based on the number of unique SAML users who assume roles and use CodeCommit (not based on the number of roles they assume).

Bottom line, the last case is the most common one and my customer is paying for each user, despite the number of roles they assume.


AWS
answered 2 years ago

The bad answer ($10,500), and it also gets worse: if other identities (EC2 instances via instance roles, other AWS services integrated with CodeCommit, etc.) are making git / CLI / API requests to CodeCommit, they count as an active user for that month.

As per the pricing docs:

An active user is any unique AWS identity (IAM user/role, federated user, or root account) that accesses AWS CodeCommit repositories during the month, either through Git requests or by using the AWS Management Console, AWS CLI or AWS SDKs. AWS identities that are created through your use of other AWS Services, such as AWS CodeBuild and AWS CodePipeline, as well as servers accessing CodeCommit using a unique AWS identity, count as active users. There is no charge for a user if that user does not access AWS CodeCommit during the month. Storage includes the full space required to retain the repository data.

answered 2 years ago
