docs: add CodeCommit SSH key instructions

Zakharden · Zakharden · commit b76fb74d4ae2 · 2026-05-11T03:37:37.000+03:00
Signed-off-by: Zakhar Dvurechensky &lt;72825626+Zakharden@users.noreply.github.com&gt;
diff --git a/content/en/flux/integrations/aws.md b/content/en/flux/integrations/aws.md
@@ -389,6 +389,55 @@ can be used to automate image updates in CodeCommit repositories.
 > **Note**: CodeCommit does not support resource-based policies. All access must be
 > configured via identity-based policies attached to IAM Roles.
 
+#### SSH authentication
+
+To authenticate Flux to CodeCommit over SSH, create an SSH key pair for an IAM
+User and upload the public key to IAM. CodeCommit assigns an SSH Key ID to the
+uploaded public key. Use that SSH Key ID, not the IAM user name, as the user
+part of the repository URL.
+
+For example, after uploading `codecommit_rsa.pub` to IAM and copying the SSH
+Key ID, create the GitRepository source with the matching private key:
+
+```sh
+flux create source git flux-system \
+  --url=ssh://<ssh-key-id>@git-codecommit.<region>.amazonaws.com/v1/repos/<repository> \
+  --branch=<branch> \
+  --private-key-file=./codecommit_rsa \
+  --interval=1m
+```
+
+If the private key is encrypted, also pass `--password=<key-passphrase>`.
+For environments that require RSA keys, generate the key explicitly as RSA
+before uploading the public key to IAM:
+
+```sh
+ssh-keygen -t rsa -b 4096 -f ./codecommit_rsa
+```
+
+If the SSH client or Git implementation requires PEM-encoded RSA private keys,
+generate the key with `-m PEM`:
+
+```sh
+ssh-keygen -t rsa -b 4096 -m PEM -f ./codecommit_rsa
+```
+
+The same SSH URL and private key file can be used when bootstrapping Flux with
+an existing CodeCommit repository:
+
+```sh
+flux bootstrap git \
+  --url=ssh://<ssh-key-id>@git-codecommit.<region>.amazonaws.com/v1/repos/<repository> \
+  --branch=<branch> \
+  --private-key-file=./codecommit_rsa \
+  --path=clusters/my-cluster
+```
+
+For the full CodeCommit SSH setup, including where to find the SSH Key ID, see
+the AWS CodeCommit SSH documentation for
+[Linux, macOS, or Unix](https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-ssh-unixes.html)
+and [Windows](https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-ssh-windows.html).
+
 For the `GitRepository` API, the minimum required permission is `codecommit:GitPull`.
 For the `ImageUpdateAutomation` API, `codecommit:GitPush` is additionally required.
 The following identity-based policy grants read-only access for a specific repository:
