GitLab and GitHub offer personal access tokens for git access over HTTPS. They are the only accepted method of authentication when you have Two-Factor Authentication (2FA) enabled. Since I have a Yubikey, I have to use a personal access token if SSH is not viable, e.g. when working in a safeguarded environment. A token, however, has the advantage that it can expire, which forces me to replace it more frequently and hinders attack scenarios.
It is quite uncomfortable to enter user and token for every git operation on the remote repository. Git offers a credential storage to simplify that. This article demonstrates my setup for GitLab. You can use it for any other git hosting provider, like AWS CodeCommit or Bitbucket.
The first step is to configure a file as the credential store. While it can reside in the .gitconfig itself, putting it in a separate file seems the better approach. Configure git to use a file. This file could also be located in an encrypted filesystem, which home usually is.
git config --global credential.helper 'store --file ~/.my-credentials'
The authentication is cached for 900 seconds (15 minutes); see also git Credential Cache.
Now I have to fill the credential storage with my GitLab access token, using the git credential-store command to store the authentication data. It is important to pass the --file option so that the entry lands in the file configured above; if it is omitted, git falls back to its default file ~/.git-credentials. git will read the input from stdin and store it in the given file. A blank line ends the input from
git credential-store --file ~/.my-credentials store
protocol=https
host=gitlab.com
username=cinhtau
password=a-magic-password

Now I can operate (pull/push) on my git repositories without the hassle of entering user and password.
Another example, for AWS CodeCommit. Change the region and credentials to your own.
git credential-store --file ~/.my-credentials store
protocol=https
host=git-codecommit.us-east-1.amazonaws.com
username=cinhtau-at-4711
password=another-magic-password

Example for GitHub: generate the token under Developer settings → Personal access tokens.
git credential-store --file ~/.my-credentials store
protocol=https
host=github.com
username=cinhtau
password=mapper-magic

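An added example, not part of the original article: the store helper writes each token to the file in plaintext, one line per credential in the form https://user:token@host, so this script checks that the file is accessible only by its owner and lists which hosts and usernames it holds without printing the tokens. The function names are hypothetical, and the file path is whatever you passed to --file.

```shell
#!/bin/sh
# Added example: audit a git credential-store file.
# Assumption: the file uses the documented store format, one URL per line:
#   https://user:secret@host   (user and secret are URL-encoded by git)

# Print "ok" if group and others have no access to the file, else "exposed".
cred_file_perms() {
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ldL "$1" | cut -c5-10)
    if [ "$bits" = "------" ]; then echo ok; else echo exposed; fi
}

# Print "protocol host username" for every stored entry, never the secret.
cred_file_entries() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *://*:*@*) ;;        # looks like a stored credential
            *) continue ;;       # skip blank or unrelated lines
        esac
        proto=${line%%://*}
        rest=${line#*://}
        userinfo=${rest%@*}      # user:secret, cut at the last "@"
        host=${rest##*@}
        printf '%s %s %s\n' "$proto" "$host" "${userinfo%%:*}"
    done < "$1"
}

# Run directly as: sh audit-credentials.sh ~/.my-credentials
if [ -n "${1:-}" ]; then
    if [ "$(cred_file_perms "$1")" = "exposed" ]; then
        echo "WARNING: $1 is accessible by group or others; run: chmod 600 $1" >&2
    fi
    cred_file_entries "$1"
fi
```

Tokens that show up for hosts you no longer use are candidates for revocation at the provider and removal with git credential-store --file ~/.my-credentials erase.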