In fact, you can already use IAM and let user manage their CodeCommit SSH key... but use that ssh-key for other purposes. I use that to make it easier : user manage their own ssh key, but the instances use iam groups to sync user with some users, and when a ssh connection needs to be established the key is read from IAM
The simple demos are available there: (for production use, you'd want to populate theses scripts from your cloudinit script, and restrict the user sync to only a specific group)
github.com/sportebois/aws-ec2-ssh-sync
HTH