aws / git-remote-codecommit

An implementation of Git Remote Helper that makes it easier to interact with AWS CodeCommit
Apache License 2.0
271 stars 38 forks

code-commit repo with custom key #55

Closed gratinierer closed 1 month ago

gratinierer commented 1 month ago

Especially following the tutorial to enable cross-account-access: https://docs.aws.amazon.com/codecommit/latest/userguide/cross-account.html I found the following problem: When you use custom kms-keys for your repo, the proxy-role must not only get the ability to pull/push the desired codecommit-repo but also the access to the custom kms-key (as you can also see here: https://stackoverflow.com/a/78770328/4994931). I don't know if that is a documentation point of this plugin, the codecommit-service or even a bug in one of the two. Please check that, as it is easy to reproduce with a repo with a custom kms-key. If you don't allow encrypt/decrypt on the key you will get a 403 from the repo although everything is fine with your login.

Update: not a plugin problem: https://docs.aws.amazon.com/en_us/codecommit/latest/userguide/encryption.html but hard to find the root cause of this 403
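
A way to check a role's identity policy for the gap described in this issue before chasing the 403, as an added example that is not part of the original post or of git-remote-codecommit. The ARNs, the sample policies and the function names are constructed, and the list of required KMS actions is an assumption based on the post's "encrypt/decrypt".

```python
import re

# Assumption: the post names encrypt/decrypt on the key; extend this tuple
# with whatever the CodeCommit encryption documentation lists for your setup.
REQUIRED_KMS = ("kms:Encrypt", "kms:Decrypt")
REQUIRED_GIT = ("codecommit:GitPull", "codecommit:GitPush")

# Constructed placeholder ARNs, not values from the issue.
REPO_ARN = "arn:aws:codecommit:us-east-1:111111111111:ExampleRepo"
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def allowed(policy, action, resource):
    """Simplified evaluation: explicit Deny wins, otherwise any Allow.
    Condition, NotAction and NotResource are not evaluated."""
    verdict = False
    for st in _as_list(policy["Statement"]):
        hit = (any(_glob(a, action, True) for a in _as_list(st.get("Action", [])))
               and any(_glob(r, resource) for r in _as_list(st.get("Resource", []))))
        if hit and st["Effect"] == "Deny":
            return False
        verdict = verdict or (hit and st["Effect"] == "Allow")
    return verdict

def missing_permissions(policy, repo_arn=REPO_ARN, key_arn=KEY_ARN):
    # Git actions are checked against the repo, KMS actions against the key.
    needs = [(a, repo_arn) for a in REQUIRED_GIT] + [(a, key_arn) for a in REQUIRED_KMS]
    return [a for a, arn in needs if not allowed(policy, a, arn)]

# Constructed policy: Git access to the repository only.
GIT_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["codecommit:GitPull", "codecommit:GitPush"],
     "Resource": REPO_ARN}]}

# Same policy with a statement for the customer managed key added.
WITH_KEY = {"Version": "2012-10-17", "Statement": GIT_ONLY["Statement"] + [
    {"Effect": "Allow", "Action": list(REQUIRED_KMS), "Resource": KEY_ARN}]}

if __name__ == "__main__":
    print("git-only role is missing:", missing_permissions(GIT_ONLY))
    print("with key statement is missing:", missing_permissions(WITH_KEY))
```

This looks at the role's identity policy only; the key policy on the KMS key itself is a separate check.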