AWS CodeCommit
User Guide (API Version 2015-04-13)

AWS CodeCommit User Access Permissions Reference

You can use IAM to allow users to work with only certain AWS CodeCommit resources and perform only certain actions against those resources. For example, you might want to do this if you have a set of users to whom you want to give read-only access to certain information in AWS CodeCommit; you may have another set of users to whom you want to give the ability to only pull from AWS CodeCommit repositories, and so on.

In the Setting Up instructions, you attached the AWSCodeCommitFullAccess managed policy to an IAM user. That policy statement looked similar to this:

{
  "Version": "2012-10-17",
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : [
        "codecommit:*"
      ],
      "Resource" : "*"
    }
  ]
}

The statement allows the IAM user to perform all available actions in AWS CodeCommit with all available AWS CodeCommit resources associated with the AWS account. In practice, you might not want to give all IAM users this much access.

Managed Policies for AWS CodeCommit

IAM includes three different managed policies to help you manage access to AWS CodeCommit repositories:

  • AWSCodeCommitFullAccess

  • AWSCodeCommitPowerUser

  • AWSCodeCommitReadOnly

You can apply the managed policies to IAM users or groups. You can also use these policies as templates for your own policies to restrict permissions to a single repository, instead of all repositories in AWS CodeCommit, which is the default setting.

The AWSCodeCommitFullAccess managed policy allows a user to perform all actions in AWS CodeCommit with no restrictions. It contains the following policy statement:

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Effect": "Allow",
   "Action": [
    "codecommit:*"
   ],
   "Resource": "*"
  }
 ]
}

The AWSCodeCommitPowerUser managed policy allows users access to most of the functionality of AWS CodeCommit, but does not allow users to delete AWS CodeCommit repositories. It contains the following policy statement:

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Effect": "Allow",
   "Action": [
    "codecommit:BatchGetRepositories",
    "codecommit:Get*",
    "codecommit:List*",
    "codecommit:CreateRepository",
    "codecommit:CreateBranch",
    "codecommit:Put*",
    "codecommit:Test*",
    "codecommit:Update*",
    "codecommit:GitPull",
    "codecommit:GitPush"
   ],
   "Resource": "*"
  }
 ]
}

You might want to modify this policy to apply to a specific AWS CodeCommit repository, instead of all resources ("*"). You can then attach a modified version of this policy to IAM users or groups for more precise control of your AWS CodeCommit resources. For examples, see Action and Resource Syntax later in this topic.

The AWSCodeCommitReadOnly managed policy allows users to list all available repositories and pull content from, but not push changes to, the AWS CodeCommit repositories. It contains the following policy statement:

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Effect": "Allow",
   "Action": [
    "codecommit:BatchGetRepositories",
    "codecommit:Get*",
    "codecommit:List*",
    "codecommit:GitPull"
   ],
   "Resource": "*"
  }
 ]
}

Additional Policies and Permissions for AWS CodeCommit

In addition to permissions granted to the user by managed policies or inline policies, AWS CodeCommit requires permissions for AWS KMS actions the first time a repository is created. An IAM user does not need explicit Allow permissions for these actions, but when creating the first repository, the user must not have any policies attached that set the following permissions to Deny:

        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:DescribeKey"

For more information about encryption and AWS CodeCommit, see Encryption.

In addition to permissions granted by managed policies for AWS CodeCommit, the following managed policies or the equivalent permissions are needed for IAM users who will use Git credentials or SSH public/private key pairs to access AWS CodeCommit repositories:

  • IAMUserSSHKeys: This managed policy or its equivalent permissions allows an IAM user to upload and manage SSH public keys associated with the IAM user. This policy is also required for users to manage their SSH keys in IAM using the AWS CLI and the aws iam upload-ssh-public-key command.

  • IAMSelfManageServiceSpecificCredentials: This managed policy or its equivalent permissions allows an IAM user to create and manage Git credentials associated with the IAM user. This policy is also required for users to manage their Git credentials in IAM using the AWS CLI and the aws iam generate-service-specific-credentials command.

  • IAMReadOnlyAccess: This managed policy or its equivalent permissions enables an IAM user to view the IAM console, which is required for generating and managing Git credentials and uploading and managing SSH keys for the IAM user. Without this policy, the user must use the AWS CLI and the aws iam upload-ssh-public-key (SSH keys) or aws iam generate-service-specific-credentials (Git credentials) command instead of the console. For more information, see the AWS CLI reference.

Attach a Policy to an IAM User

To attach a policy that restricts an IAM user to certain actions and resources in AWS CodeCommit, do the following:

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. In the IAM console, in the navigation pane, choose Policies, and then choose Create Policy. (If a Get Started button appears, choose it, and then choose Create Policy.)

  3. Next to Create Your Own Policy, choose Select.

  4. In the Policy Name box, type any value that will be easy to refer to later, if necessary.

  5. In the Policy Document box, type a policy that follows this format, and then choose Create Policy:

    {
      "Version": "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Action" : [
            "action-statement"
          ],
          "Resource" : [
            "resource-statement"
          ]
        },
        {
          "Effect" : "Allow",
          "Action" : [
            "action-statement"
          ],
          "Resource" : [
            "resource-statement"
          ]
        }
      ]
    }

    In the preceding statement, for action-statement and resource-statement, specify the AWS CodeCommit actions and resources the IAM user is allowed to perform or access. (By default, the IAM user will not have permissions unless a corresponding Allow statement is explicitly stated.) You can add additional statements, as needed. The following sections describe the format of allowed actions and resources for AWS CodeCommit. Syntax examples are provided in these sections.

  6. In the navigation pane, choose Users.

  7. Choose the name of the IAM user to whom you want to attach the policy.

  8. Choose the Permissions tab.

  9. In Managed Policies, choose Attach Policy.

  10. Select the policy that you just created, and then choose Attach Policy.
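The procedure above, and the advice earlier in this topic to scope the AWSCodeCommitPowerUser template to one repository rather than "*", can be carried out with the AWS SDK instead of the console. The following is an added example, not AWS's own code: it builds a repository-scoped policy document from the PowerUser action list, refuses to attach a document that still grants actions on every repository, and then calls the IAM CreatePolicy and AttachUserPolicy APIs. The account ID 111111111111, region us-east-2, user name and repository names are placeholders, and the `iam` argument can be a real boto3 IAM client or a test double with the same two methods.

```python
"""Scope a CodeCommit managed-policy template to named repositories and attach it.

Added example, not AWS's own code. It assumes an IAM client with boto3's
create_policy / attach_user_policy methods (a real boto3.client("iam") or a
test double); the account ID, region, user and repository names are placeholders.
"""
import json

# Action list of the AWSCodeCommitPowerUser managed policy shown above.
POWER_USER_ACTIONS = [
    "codecommit:BatchGetRepositories",
    "codecommit:Get*",
    "codecommit:List*",
    "codecommit:CreateRepository",
    "codecommit:CreateBranch",
    "codecommit:Put*",
    "codecommit:Test*",
    "codecommit:Update*",
    "codecommit:GitPull",
    "codecommit:GitPush",
]


def repo_arn(region, account, repo_name):
    """Build the repository ARN in the form this page describes."""
    return f"arn:aws:codecommit:{region}:{account}:{repo_name}"


def scope_to_repositories(actions, region, account, repo_names,
                          allow_list_repositories=True):
    """Return a policy document granting `actions` only on the named repositories.

    ListRepositories is evaluated against Resource "*", so it gets its own
    statement; pinning it to a repository ARN would never match. Everything
    else is restricted to the explicit ARNs (a trailing "*" in a name is kept
    so callers can express prefixes such as "MyDemo*").
    """
    if not repo_names:
        raise ValueError("at least one repository name is required")
    statements = [{
        "Effect": "Allow",
        "Action": list(actions),
        "Resource": [repo_arn(region, account, name) for name in repo_names],
    }]
    if allow_list_repositories:
        statements.append({
            "Effect": "Allow",
            "Action": ["codecommit:ListRepositories"],
            "Resource": "*",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def wildcard_resource_statements(document):
    """Sids (or indexes) of statements that still grant actions on Resource "*".

    Pre-flight check before attaching: the only "*" statement a
    repository-scoped policy should carry is the ListRepositories one.
    """
    findings = []
    for index, stmt in enumerate(document["Statement"]):
        resources = stmt["Resource"]
        resources = resources if isinstance(resources, list) else [resources]
        actions = stmt["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        if "*" in resources and actions != ["codecommit:ListRepositories"]:
            findings.append(stmt.get("Sid", index))
    return findings


def create_and_attach(iam, user_name, policy_name, document):
    """Create a customer managed policy and attach it to an IAM user (steps 5-10)."""
    if wildcard_resource_statements(document):
        raise ValueError("policy still grants actions on every repository")
    created = iam.create_policy(
        PolicyName=policy_name, PolicyDocument=json.dumps(document)
    )
    policy_arn = created["Policy"]["Arn"]
    iam.attach_user_policy(UserName=user_name, PolicyArn=policy_arn)
    return policy_arn


if __name__ == "__main__":
    import boto3  # only needed for the live call, not for building the document

    doc = scope_to_repositories(
        POWER_USER_ACTIONS, "us-east-2", "111111111111", ["MyDemoRepo"]
    )
    print(json.dumps(doc, indent=2))
    print(create_and_attach(boto3.client("iam"), "alice", "MyDemoRepoPowerUser", doc))
```

The ListRepositories statement is kept separate on purpose: if it is folded into the repository-scoped statement the console's repository list goes empty for the user, and the usual reaction is to widen the whole statement back to "*".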

Create a Policy That Enables Cross-Account Access to an Amazon SNS Topic

You can configure an AWS CodeCommit repository so that code pushes or other events trigger actions, such as sending a notification from Amazon Simple Notification Service (Amazon SNS). You do not need to configure additional IAM policies or permissions if you create the Amazon SNS topic with the same account used to create the AWS CodeCommit repository. You can create the topic, and then create the trigger for the repository. For more information, see Create a Trigger for an Amazon SNS Topic.

However, if you want to configure your trigger to use an Amazon SNS topic in another AWS account, you must first configure that topic with a policy that allows AWS CodeCommit to publish to that topic. From that other account, open the Amazon SNS console, choose the topic from the list, and in Other topic actions, choose Edit topic policy. From the Advanced tab, modify the policy for the topic to allow AWS CodeCommit to publish to that topic. For example, if the policy is the default policy, you would add a second statement as follows, replacing the topic ARN, repository ARN, and account IDs with the values for your Amazon SNS topic, repository, and accounts. The AWS:SourceArn and AWS:SourceAccount conditions restrict the grant to the one repository; without them, any AWS CodeCommit repository in any account could publish to the topic through the same service principal:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:DeleteTopic",
        "SNS:GetTopicAttributes",
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:AddPermission",
        "SNS:Receive",
        "SNS:SetTopicAttributes"
      ],
      "Resource": "arn:aws:sns:us-east-2:111111111111:NotMySNSTopic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "111111111111"
        }
      }
    },
    {
      "Sid": "CodeCommit-Policy_ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "codecommit.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-2:111111111111:NotMySNSTopic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:codecommit:us-east-2:80398EXAMPLE:MyDemoRepo",
          "AWS:SourceAccount": "80398EXAMPLE"
        }
      }
    }
  ]
}

Create a Policy for AWS Lambda Integration

You can configure an AWS CodeCommit repository so that code pushes or other events trigger actions, such as invoking a function in AWS Lambda. For more information, see Create a Trigger for a Lambda Function.

If you want your trigger to run a Lambda function directly (instead of using an Amazon SNS topic to invoke the Lambda function), and you do not configure the trigger in the Lambda console, you must add a permission like the following to the function's resource policy. The keys shown are the parameters of the Lambda AddPermission call that creates the statement; SourceArn and SourceAccount again limit the grant to the one repository:

{
  "Statement":{
     "StatementId":"Id-1",
     "Action":"lambda:InvokeFunction",
     "Principal":"codecommit.amazonaws.com",
     "SourceArn":"arn:aws:codecommit:us-east-2:80398EXAMPLE:MyDemoRepo",
     "SourceAccount":"80398EXAMPLE"
  }
}

When manually configuring an AWS CodeCommit trigger that invokes a Lambda function, you must also use the Lambda AddPermission command to grant permission for AWS CodeCommit to invoke the function. For an example, see the To allow AWS CodeCommit to run a Lambda function section of Create a Trigger for an Existing Lambda Function.

For more information about resource policies for Lambda functions, see AddPermission and The Pull/Push Event Models in the Lambda User Guide.
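Both of the cross-account grants above (the Amazon SNS topic policy and the Lambda function resource policy) are read-modify-write operations that are easy to get wrong by hand: a duplicate statement, or a statement for the codecommit.amazonaws.com principal that forgot the SourceArn/SourceAccount conditions, is not flagged by either console. The following is an added example, not AWS's own code: it merges the CodeCommit publish statement into an existing topic policy idempotently, audits a topic policy for CodeCommit grants that lack those conditions, applies the result through the SNS GetTopicAttributes/SetTopicAttributes APIs, and issues the equivalent Lambda AddPermission call. The topic, repository, and account values are the placeholders from this page; the `sns` and `lambda_client` arguments can be real boto3 clients or test doubles with the same methods.

```python
"""Authorize the CodeCommit service principal against trigger targets.

Added example, not AWS's own code. It assumes clients exposing boto3's
sns.get_topic_attributes / sns.set_topic_attributes and
lambda.add_permission methods (real clients or test doubles); topic, function,
repository ARNs and account IDs are placeholders taken from the page.
"""
import json

CODECOMMIT_PRINCIPAL = "codecommit.amazonaws.com"
DEMO_TOPIC = "arn:aws:sns:us-east-2:111111111111:NotMySNSTopic"
DEMO_REPO = "arn:aws:codecommit:us-east-2:80398EXAMPLE:MyDemoRepo"
DEMO_REPO_ACCOUNT = "80398EXAMPLE"

# The default topic policy from above, as SNS returns it in the "Policy"
# attribute (constructed sample input).
DEFAULT_TOPIC_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [{
        "Sid": "__default_statement_ID",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:Subscribe", "SNS:ListSubscriptionsByTopic",
                   "SNS:DeleteTopic", "SNS:GetTopicAttributes", "SNS:Publish",
                   "SNS:RemovePermission", "SNS:AddPermission", "SNS:Receive",
                   "SNS:SetTopicAttributes"],
        "Resource": DEMO_TOPIC,
        "Condition": {"StringEquals": {"AWS:SourceOwner": "111111111111"}},
    }],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def codecommit_publish_statement(topic_arn, repo_arn, repo_account,
                                 sid="CodeCommit-Policy_ID"):
    """Allow CodeCommit to publish, but only on behalf of one repository.

    Without the SourceArn/SourceAccount conditions any CodeCommit repository
    in any account could drive this topic through the same service principal.
    """
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": CODECOMMIT_PRINCIPAL},
        "Action": "SNS:Publish",
        "Resource": topic_arn,
        "Condition": {"StringEquals": {"AWS:SourceArn": repo_arn,
                                       "AWS:SourceAccount": repo_account}},
    }


def add_codecommit_publish(policy_json, topic_arn, repo_arn, repo_account):
    """Merge the statement into an existing topic policy; re-running replaces
    the statement with the same Sid instead of appending a duplicate."""
    policy = (json.loads(policy_json) if policy_json
              else {"Version": "2012-10-17", "Statement": []})
    stmt = codecommit_publish_statement(topic_arn, repo_arn, repo_account)
    kept = [s for s in _as_list(policy.get("Statement", []))
            if s.get("Sid") != stmt["Sid"]]
    policy["Statement"] = kept + [stmt]
    return json.dumps(policy)


def statement_sids(policy_json):
    """Sids of the statements in a topic policy, in order."""
    return [s.get("Sid") for s in _as_list(json.loads(policy_json)["Statement"])]


def unscoped_codecommit_grants(policy_json):
    """Sids of Allow statements for the CodeCommit principal that carry no
    aws:SourceArn / aws:SourceAccount condition (confused-deputy exposure)."""
    risky = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        principal = stmt.get("Principal", {})
        services = (_as_list(principal.get("Service", []))
                    if isinstance(principal, dict) else [])
        if stmt.get("Effect") != "Allow" or CODECOMMIT_PRINCIPAL not in services:
            continue
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if not keys & {"aws:sourcearn", "aws:sourceaccount"}:
            risky.append(stmt.get("Sid"))
    return risky


def apply_topic_policy(sns, topic_arn, repo_arn, repo_account):
    """Read-modify-write the topic policy through the SNS API."""
    attrs = sns.get_topic_attributes(TopicArn=topic_arn)["Attributes"]
    merged = add_codecommit_publish(attrs.get("Policy", ""), topic_arn,
                                    repo_arn, repo_account)
    sns.set_topic_attributes(TopicArn=topic_arn, AttributeName="Policy",
                             AttributeValue=merged)
    return merged


def allow_codecommit_invoke(lambda_client, function_name, repo_arn, repo_account,
                            statement_id="Id-1"):
    """Lambda-side equivalent: the AddPermission call from the section above."""
    return lambda_client.add_permission(
        FunctionName=function_name, StatementId=statement_id,
        Action="lambda:InvokeFunction", Principal=CODECOMMIT_PRINCIPAL,
        SourceArn=repo_arn, SourceAccount=repo_account)
```

Run unscoped_codecommit_grants against the merged policy before writing it back; an empty list is the expected result for a policy built this way, and a non-empty one names the statements that would let any repository in any account publish to the topic.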

Action and Resource Syntax

The following sections describe the format for specifying actions and resources.

Actions follow this general format:

codecommit:action

Where action is an available AWS CodeCommit operation, such as ListRepositories or CreateBranch. To allow an action, use the "Effect" : "Allow" clause. To explicitly deny an action, use the "Effect" : "Deny" clause. By default, every action is implicitly denied unless some attached policy explicitly allows it, and an explicit Deny in any attached policy overrides an Allow for the same action and resource.

Currently, only AWS CodeCommit repositories are allowed as resources. Specified resources are allowed (or denied) for the specified action.

Resources follow this general format:

arn:aws:codecommit:region:account:resource-specifier

Where region is a target region (such as us-east-2), account is the AWS account ID, and resource-specifier is the repository name. Wildcard (*) characters can be used to specify a partial repository name.

For example, the following specifies the AWS CodeCommit repository named MyDemoRepo registered to the AWS account 111111111111 in the region us-east-2:

arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo

The following specifies any AWS CodeCommit repository that begins with the name MyDemo registered to the AWS account 111111111111 in the region us-east-2:

arn:aws:codecommit:us-east-2:111111111111:MyDemo*
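The action and resource matching rules just described (wildcards in both, implicit deny, explicit Deny beating Allow) are what decide whether a git push or a console click succeeds, and the remaining sections of this topic are all instances of them. The following is an added example, not AWS's own code or the IAM policy engine: a small offline evaluator that applies exactly those rules to the managed policies printed above and to two custom policies, so you can see what a combination of attached policies grants on a given repository before attaching it. It ignores Principal, Condition, and NotAction, and the account ID and repository names are placeholders.

```python
"""Offline check of what a set of CodeCommit policies actually grants.

Added example, not AWS's own code or the IAM policy engine. It models only the
rules this page states (codecommit:action names with "*" wildcards, repository
ARNs with "*" wildcards, implicit deny, explicit Deny beating Allow) and
ignores Principal, Condition and NotAction; account and repository names are
placeholders.
"""
from fnmatch import fnmatchcase

ACCOUNT = "111111111111"
REGION = "us-east-2"
DEMO_REPO = f"arn:aws:codecommit:{REGION}:{ACCOUNT}:MyDemoRepo"
OTHER_REPO = f"arn:aws:codecommit:{REGION}:{ACCOUNT}:OtherRepo"

# Repository-scoped actions named on this page, used to enumerate grants.
# ListRepositories is left out: it is evaluated against Resource "*", not a
# repository ARN, so pass "*" as the resource when checking it.
CODECOMMIT_ACTIONS = [
    "codecommit:BatchGetRepositories", "codecommit:CreateBranch",
    "codecommit:CreateRepository", "codecommit:DeleteRepository",
    "codecommit:GetBlob", "codecommit:GetBranch", "codecommit:GetCommit",
    "codecommit:GetRepository", "codecommit:GetRepositoryTriggers",
    "codecommit:GitPull", "codecommit:GitPush", "codecommit:ListBranches",
    "codecommit:PutRepositoryTriggers", "codecommit:TestRepositoryTriggers",
    "codecommit:UpdateDefaultBranch", "codecommit:UpdateRepositoryName",
]

# The managed policies as printed above, plus two custom ones from this section.
POWER_USER = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["codecommit:BatchGetRepositories", "codecommit:Get*",
               "codecommit:List*", "codecommit:CreateRepository",
               "codecommit:CreateBranch", "codecommit:Put*", "codecommit:Test*",
               "codecommit:Update*", "codecommit:GitPull", "codecommit:GitPush"]}]}
READ_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["codecommit:BatchGetRepositories", "codecommit:Get*",
               "codecommit:List*", "codecommit:GitPull"]}]}
SCOPED_PUSH = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["codecommit:GitPull", "codecommit:GitPush"],
    "Resource": f"arn:aws:codecommit:{REGION}:{ACCOUNT}:MyDemo*"}]}
DENY_BLOB = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "codecommit:GetBlob", "Resource": DEMO_REPO}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policies, action, resource):
    """Decide one request the way IAM orders its evaluation.

    Any matching Deny wins immediately; otherwise a matching Allow permits;
    otherwise the request is implicitly denied. Action names are compared
    case-insensitively, ARNs exactly, both with "*" as a wildcard.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            action_hit = any(fnmatchcase(action.lower(), p.lower())
                             for p in _as_list(stmt["Action"]))
            resource_hit = any(fnmatchcase(resource, p)
                               for p in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def allowed_actions(policies, resource, candidates=CODECOMMIT_ACTIONS):
    """List which candidate actions the policies permit on `resource`."""
    return [a for a in candidates if is_allowed(policies, a, resource)]


if __name__ == "__main__":
    for name, pols in [("PowerUser", [POWER_USER]), ("ReadOnly", [READ_ONLY]),
                       ("ReadOnly minus GetBlob", [READ_ONLY, DENY_BLOB]),
                       ("MyDemo* push only", [SCOPED_PUSH])]:
        print(name, "on MyDemoRepo:", allowed_actions(pols, DEMO_REPO))
```

The READ_ONLY plus DENY_BLOB combination is the case the Note under Information About Committed Code describes: the user keeps GetCommit and GetTree on MyDemoRepo but cannot retrieve file contents there, while GetBlob on any other repository is unaffected.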

Branches

Allowed actions include:

  • CreateBranch to create a branch in an AWS CodeCommit repository.

  • GetBranch to get details about a branch in an AWS CodeCommit repository.

  • ListBranches to get a list of branches in an AWS CodeCommit repository.

  • UpdateDefaultBranch to change the default branch in an AWS CodeCommit repository.

The following example allows the specified user to get details about branches in the AWS CodeCommit repository named MyDemoRepo:

{
  "Version": "2012-10-17",
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : [
        "codecommit:GetBranch"
      ],
      "Resource" : "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo"
    }
  ]
}

Git Pull and Push

In AWS CodeCommit, GitPull affects any Git client command where data is retrieved from the server, including git fetch, git clone, and so on. Similarly, GitPush affects any Git client command where data is sent to the server. Allowed actions include:

  • GitPull to pull information from an AWS CodeCommit repository to a local repo.

  • GitPush to push information from a local repo to an AWS CodeCommit repository.

The following example allows the specified user to pull from, and push to, the AWS CodeCommit repository named MyDemoRepo:

{
  "Version": "2012-10-17",
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : [
        "codecommit:GitPull",
        "codecommit:GitPush"
      ],
      "Resource" : "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo"
    }
  ]
}

Information About Committed Code

Allowed actions include:

  • GetBlob to view the encoded content of an individual file in an AWS CodeCommit repository from the AWS CodeCommit console.

  • GetCommit to return information about a commit.

  • GetCommitHistory to return information about the history of commits in a repository.

  • GetDifferences to return information about the differences in a commit specifier (such as a branch, tag, HEAD, commit ID or other fully qualified reference).

  • GetObjectIdentifier to resolve blobs, trees, and commits to their identifier.

  • GetReferences to return all references, such as branches and tags.

  • GetTree to view the contents of a specified tree in an AWS CodeCommit repository from the AWS CodeCommit console.

Note

Setting GetTree to Deny will prevent users from navigating the contents of a repository in the console, but will not block users from viewing the contents of a file in the repository (for example, if they are sent a link to the file in email). Setting GetBlob to Deny will prevent users from viewing the contents of files, but will not block users from browsing the structure of a repository. Setting GetCommit to Deny will prevent users from retrieving details about commits. Setting GetObjectIdentifier to Deny will block most of the functionality of code browsing.

If you set all of these actions to Deny in a policy, a user with that policy will not be able to browse code in the AWS CodeCommit console.

The following example allows the specified user to use the AWS CodeCommit console to view the contents of files in the AWS CodeCommit repository named MyDemoRepo, but will not allow that user to browse the contents of the repository or navigate its structure:

{
  "Version": "2012-10-17",
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : [
        "codecommit:GetBlob",
        "codecommit:GetObjectIdentifier"
      ],
      "Resource" : "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo"
    }
  ]
}

Repositories

Allowed actions include:

  • BatchGetRepositories to get information about multiple repositories in AWS CodeCommit in an AWS account. In Resource, you must specify the names of all of the AWS CodeCommit repositories for which a user is allowed (or denied) information.

  • CreateRepository to create an AWS CodeCommit repository.

  • DeleteRepository to delete an AWS CodeCommit repository.

  • GetRepository to get information about a single AWS CodeCommit repository.

  • ListRepositories to get a list of the names and system IDs of multiple AWS CodeCommit repositories for an AWS account. The only allowed value for Resource for this action is all repositories (*).

  • UpdateRepositoryDescription to change the description of an AWS CodeCommit repository.

  • UpdateRepositoryName to change the name of an AWS CodeCommit repository. In Resource, you must specify both the AWS CodeCommit repositories that are allowed to be changed and the new repository names.

The following example allows the specified user to get information about the AWS CodeCommit repository named MyDestinationRepo and all AWS CodeCommit repositories that start with the name MyDemo:

{
  "Version": "2012-10-17",
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : [
        "codecommit:BatchGetRepositories"
      ],
      "Resource" : [
        "arn:aws:codecommit:us-east-2:111111111111:MyDestinationRepo",
        "arn:aws:codecommit:us-east-2:111111111111:MyDemo*"
      ]
    }
  ]
}

The following example allows the specified user to get a list of the names and repository IDs of all AWS CodeCommit repositories to which the user has access:

{
  "Version": "2012-10-17",
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : [
        "codecommit:ListRepositories"
      ],
      "Resource" : "*"
    }
  ]
}

The following example allows the specified user to change the name of an AWS CodeCommit repository from MyDemoRepo to MyRenamedDemoRepo or from MyRenamedDemoRepo to MyDemoRepo:

{
  "Version": "2012-10-17",
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : [
        "codecommit:UpdateRepositoryName"
      ],
      "Resource" : [
        "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo",
        "arn:aws:codecommit:us-east-2:111111111111:MyRenamedDemoRepo"
      ]
    }
  ]
}

Triggers

Allowed actions include:

  • GetRepositoryTriggers to return information about triggers configured for a repository.

  • PutRepositoryTriggers to create, edit, or delete triggers for a repository.

  • TestRepositoryTriggers to test the functionality of a repository trigger by sending data to the topic or function configured for the trigger.

The following example allows the specified user to use the AWS CodeCommit console to view information about triggers configured in the AWS CodeCommit repository named MyDemoRepo, but would not allow that user to create, edit, delete, or test them:

{
  "Version": "2012-10-17",
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : [
        "codecommit:GetRepositoryTriggers"
      ],
      "Resource" : "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo"
    }
  ]
}

AWS CodePipeline Integration

Some permissions are required in order for AWS CodePipeline to use an AWS CodeCommit repository in a source action for a pipeline. All of these permissions must be granted to the service role for AWS CodePipeline for integration to work as expected. If these permissions are not set in the service role or are set to Deny, the pipeline will not run automatically when a change is made to the repository, and changes cannot be released manually. Allowed actions include:

  • GetBranch to get details about a branch in an AWS CodeCommit repository.

  • GetCommit to return information about a commit to the service role for AWS CodePipeline.

  • UploadArchive to allow the service role for AWS CodePipeline to upload repository changes into a pipeline.

  • GetUploadArchiveStatus to determine the status of the upload of the archive: whether it is in progress, complete, cancelled, or if an error occurred.

  • CancelUploadArchive to cancel the upload of an archive to a pipeline.

The following example shows the portion of a policy for the AWS CodePipeline service role that must be included or added in order for AWS CodePipeline to be able to use an AWS CodeCommit repository in a source action for a pipeline:

{
  "Action": [
    "codecommit:CancelUploadArchive",
    "codecommit:GetBranch",
    "codecommit:GetCommit",
    "codecommit:GetUploadArchiveStatus",
    "codecommit:UploadArchive"
  ],
  "Resource": "*",
  "Effect": "Allow"
}