AWS CodeCommit
User Guide (API Version 2015-04-13)

Using Identity-Based Policies (IAM Policies) for AWS CodeCommit

The following examples of identity-based policies demonstrate how an account administrator can attach permissions policies to IAM identities (users, groups, and roles) to grant permissions to perform operations on AWS CodeCommit resources.

Important

We recommend that you first review the introductory topics that explain the basic concepts and options available to manage access to your AWS CodeCommit resources. For more information, see Overview of Managing Access Permissions to Your AWS CodeCommit Resources.

The following is an example of an identity-based permissions policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:BatchGetRepositories"
      ],
      "Resource": [
        "arn:aws:codecommit:us-east-2:111111111111:MyDestinationRepo",
        "arn:aws:codecommit:us-east-2:111111111111:MyDemo*"
      ]
    }
  ]
}

This policy has one statement that allows a user to get information about the AWS CodeCommit repository named MyDestinationRepo and all AWS CodeCommit repositories that start with the name MyDemo in the us-east-2 Region.

Permissions Required to Use the AWS CodeCommit Console

To see the required permissions for each AWS CodeCommit API operation, and for more information about AWS CodeCommit operations, see AWS CodeCommit Permissions Reference.

To allow users to use the AWS CodeCommit console, the administrator needs to grant them permissions for AWS CodeCommit actions. For example, you could attach the AWSCodeCommitPowerUser managed policy or its equivalent to a user or group, as shown in the following permissions policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:BatchGetRepositories",
        "codecommit:Get*",
        "codecommit:List*",
        "codecommit:CreateRepository",
        "codecommit:CreateBranch",
        "codecommit:DeleteBranch",
        "codecommit:Put*",
        "codecommit:Test*",
        "codecommit:Update*",
        "codecommit:GitPull",
        "codecommit:GitPush"
      ],
      "Resource": "*"
    }
  ]
}

In addition, users must have a minimum set of permissions that allows them to manage other AWS resources for their AWS account. For example, to allow users to manage credentials for HTTPS or SSH access to AWS CodeCommit repositories, you must grant permissions for additional actions, as shown in the following example permissions policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:BatchGetRepositories",
        "codecommit:Get*",
        "codecommit:List*",
        "codecommit:CreateRepository",
        "codecommit:CreateBranch",
        "codecommit:DeleteBranch",
        "codecommit:Put*",
        "codecommit:Test*",
        "codecommit:Update*",
        "codecommit:GitPull",
        "codecommit:GitPush"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:UpdateSSHPublicKey",
        "iam:UploadSSHPublicKey",
        "iam:DeleteSSHPublicKey",
        "iam:CreateServiceSpecificCredential",
        "iam:UpdateServiceSpecificCredential",
        "iam:DeleteServiceSpecificCredential",
        "iam:ResetServiceSpecificCredential",
        "iam:Get*",
        "iam:List*"
      ],
      "Resource": [
        "arn:aws:iam::111111111111:user/IAMusername"
      ]
    }
  ]
}

In addition to the permissions granted to users by identity-based policies, AWS CodeCommit requires permissions for AWS Key Management Service (AWS KMS) actions. An IAM user does not need explicit Allow permissions for these actions, but the user must not have any policies attached that set the following permissions to Deny:

"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:DescribeKey"

For more information about encryption and AWS CodeCommit, see AWS KMS and Encryption.

AWS Managed (Predefined) Policies for AWS CodeCommit

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS managed policies grant necessary permissions for common use cases so that you can avoid investigating which permissions are needed for them. The managed policies for AWS CodeCommit do not provide permissions to perform operations in other services, such as IAM. They provide permissions only for AWS CodeCommit operations.

The following AWS managed policies, which you can attach to users in your account, are specific to AWS CodeCommit:

  • AWSCodeCommitFullAccess – Grants full access to AWS CodeCommit. Apply this policy only to administrative-level users to whom you want to grant full control over AWS CodeCommit repositories in your AWS account, including the ability to delete repositories.

    The AWSCodeCommitFullAccess policy contains the following policy statement:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "codecommit:*"
          ],
          "Resource": "*"
        }
      ]
    }
  • AWSCodeCommitPowerUser – Allows users access to all of the functionality of AWS CodeCommit, except it does not allow them to delete AWS CodeCommit repositories. We recommend that you apply this policy to most users.

    The AWSCodeCommitPowerUser policy contains the following policy statement:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "codecommit:BatchGetRepositories",
            "codecommit:Get*",
            "codecommit:List*",
            "codecommit:CreateRepository",
            "codecommit:CreateBranch",
            "codecommit:DeleteBranch",
            "codecommit:Put*",
            "codecommit:Test*",
            "codecommit:Update*",
            "codecommit:GitPull",
            "codecommit:GitPush"
          ],
          "Resource": "*"
        }
      ]
    }
  • AWSCodeCommitReadOnly – Grants read-only access to AWS CodeCommit. Apply this policy to users to whom you want to grant the ability to read the contents of a repository, but not to make any changes to its contents.

    The AWSCodeCommitReadOnly policy contains the following policy statement:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "codecommit:BatchGetRepositories",
            "codecommit:Get*",
            "codecommit:List*",
            "codecommit:GitPull"
          ],
          "Resource": "*"
        }
      ]
    }

For more information, see AWS Managed Policies in the IAM User Guide.

Customer Managed Policy Examples

You can create your own custom IAM policies to allow permissions for AWS CodeCommit actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions. You can also create your own custom IAM policies for integration between AWS CodeCommit and other AWS services.

Customer Managed Identity Policy Examples

The following example IAM policies grant permissions for various AWS CodeCommit actions. Use them to limit AWS CodeCommit access for your IAM users and roles. These policies control the ability to perform actions with the AWS CodeCommit console, API, AWS SDKs, or the AWS CLI.

Note

All examples use the US West (Oregon) Region (us-west-2) and contain fictitious account IDs.

Examples

Example 1: Allow a User to Perform AWS CodeCommit Operations in a Single Region

The following permissions policy uses a wildcard character ("codecommit:*") to allow users to perform all AWS CodeCommit actions in the us-east-2 Region.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:*"
      ],
      "Resource": "arn:aws:codecommit:us-east-2:*"
    }
  ]
}

Example 2: Allow a User to Use Git for a Single Repository

In AWS CodeCommit, the GitPull IAM policy permissions apply to any Git client command where data is retrieved from AWS CodeCommit, including git fetch, git clone, and so on. Similarly, the GitPush IAM policy permissions apply to any Git client command where data is sent to AWS CodeCommit. For example, if the GitPush IAM policy permission is set to Allow, a user can push the deletion of a branch using the Git protocol. That push is unaffected by any permissions applied to the DeleteBranch operation for that IAM user. The DeleteBranch permission applies to actions performed with the console, the AWS CLI, the SDKs, and the API, but not the Git protocol.

The following example allows the specified user to pull from, and push to, the AWS CodeCommit repository named MyDemoRepo:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:GitPull",
        "codecommit:GitPush"
      ],
      "Resource": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo"
    }
  ]
}

Example 3: Allow a User Connecting From a Specific IP Address Range Access to a Repository

You can create a policy that allows users to connect to an AWS CodeCommit repository only if their IP address is within a certain IP address range. There are two equally valid approaches: a Deny policy that blocks AWS CodeCommit operations when the user's IP address is outside a specific block, or an Allow policy that permits AWS CodeCommit operations only when the user's IP address is inside that block.

You can create a Deny policy that denies access to all users who are not within a certain IP range. For example, you could attach the AWSCodeCommitPowerUser managed policy and a customer managed policy to all users who require access to your repository. The following example policy denies all AWS CodeCommit permissions to users whose IP addresses are not within the specified IP address block of 203.0.113.0/16:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "codecommit:*"
      ],
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "203.0.113.0/16"
          ]
        }
      }
    }
  ]
}

The following example policy allows the specified user to access an AWS CodeCommit repository named MyDemoRepo with the equivalent permissions of the AWSCodeCommitPowerUser managed policy only if their IP address is within the specified address block of 203.0.113.0/16:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:BatchGetRepositories",
        "codecommit:CreateBranch",
        "codecommit:CreateRepository",
        "codecommit:Get*",
        "codecommit:GitPull",
        "codecommit:GitPush",
        "codecommit:List*",
        "codecommit:Put*",
        "codecommit:Test*",
        "codecommit:Update*"
      ],
      "Resource": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "203.0.113.0/16"
          ]
        }
      }
    }
  ]
}
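To make the evaluation behind these examples concrete, here is a small Python model of the IAM decision logic, added as an illustration and not part of the AWS documentation: an explicit Deny wins over any Allow, action and resource patterns use "*" wildcards, and aws:SourceIp is tested against the listed CIDR blocks. The policies are constructed to mirror Example 3 with the page's fictitious account ID; the model covers only the IpAddress and NotIpAddress operators and ignores principals and NotAction.

```python
import fnmatch
import ipaddress

# Constructed policies mirroring Example 3 (fictitious account ID, as on the page).
REPO = "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo"
POWER_USER = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["codecommit:BatchGetRepositories", "codecommit:Get*", "codecommit:List*",
               "codecommit:CreateRepository", "codecommit:CreateBranch",
               "codecommit:DeleteBranch", "codecommit:Put*", "codecommit:Test*",
               "codecommit:Update*", "codecommit:GitPull", "codecommit:GitPush"]}]}
DENY_OUTSIDE_RANGE = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny",
    "Action": ["codecommit:*"], "Resource": "*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/16"]}}}]}
ALLOW_INSIDE_RANGE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["codecommit:GitPull", "codecommit:GitPush", "codecommit:Get*"],
    "Resource": REPO, "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/16"]}}}]}

def _matches(patterns, value):
    """IAM-style '*' wildcard match over one pattern or a list of patterns."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _in_ranges(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def _condition_holds(cond, ctx):
    """Only the IpAddress / NotIpAddress operators used on this page are modelled."""
    for op, keys in (cond or {}).items():
        for key, cidrs in keys.items():
            inside = _in_ranges(ctx[key], cidrs)
            if (op == "IpAddress" and not inside) or (op == "NotIpAddress" and inside):
                return False
    return True

def evaluate(policies, action, resource, ctx):
    """Simplified IAM decision: an explicit Deny wins, otherwise any Allow, else implicit deny."""
    decision = "implicit-deny"
    for policy in policies:
        for st in policy["Statement"]:
            if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
                continue
            if not _condition_holds(st.get("Condition"), ctx):
                continue
            if st["Effect"] == "Deny":
                return "explicit-deny"
            decision = "allow"
    return decision
```

Run evaluate() with the same action and request IP against each of the two policy sets to see that both approaches reach the same decision, and that the Allow-only variant additionally scopes access to the single repository named in its Resource.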

Customer Managed Integration Policy Examples

This section provides example customer-managed user policies that grant permissions for various integrations between AWS CodeCommit and other AWS services.

Note

All examples use the US West (Oregon) Region (us-west-2) when a Region is required and contain fictitious account IDs.

Examples

Example 1: Create a Policy That Enables Cross-Account Access to an Amazon SNS Topic

You can configure an AWS CodeCommit repository so that code pushes or other events trigger actions, such as sending a notification from Amazon Simple Notification Service (Amazon SNS). If you create the Amazon SNS topic with the same account used to create the AWS CodeCommit repository, you do not need to configure additional IAM policies or permissions. You can create the topic, and then create the trigger for the repository. For more information, see Create a Trigger for an Amazon SNS Topic.

However, if you want to configure your trigger to use an Amazon SNS topic in another AWS account, you must first configure that topic with a policy that allows AWS CodeCommit to publish to that topic. From that other account, open the Amazon SNS console, choose the topic from the list, and for Other topic actions, choose Edit topic policy. On the Advanced tab, modify the policy for the topic to allow AWS CodeCommit to publish to that topic. For example, if the policy is the default policy, you would modify it as follows, changing the placeholder values to match the values for your repository, Amazon SNS topic, and account:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:DeleteTopic",
        "SNS:GetTopicAttributes",
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:AddPermission",
        "SNS:Receive",
        "SNS:SetTopicAttributes"
      ],
      "Resource": "arn:aws:sns:us-east-2:111111111111:NotMySNSTopic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "111111111111"
        }
      }
    },
    {
      "Sid": "CodeCommit-Policy_ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "codecommit.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-2:111111111111:NotMySNSTopic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:codecommit:us-east-2:80398EXAMPLE:MyDemoRepo",
          "AWS:SourceAccount": "80398EXAMPLE"
        }
      }
    }
  ]
}
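A check a defender would run on that cross-account topic policy, added here as an example and not part of the AWS documentation: it confirms that every statement letting the codecommit.amazonaws.com service principal publish is pinned with StringEquals on AWS:SourceArn and AWS:SourceAccount to the expected repository and account, so a repository in some other account cannot drive the topic through the service. The topic policy is constructed from Example 1 with the page's fictitious IDs; the audit function and its findings format are assumptions.

```python
# Constructed topic policy mirroring Example 1 (fictitious IDs as used on the page).
EXPECTED_REPO = "arn:aws:codecommit:us-east-2:80398EXAMPLE:MyDemoRepo"
EXPECTED_ACCOUNT = "80398EXAMPLE"
TOPIC_ARN = "arn:aws:sns:us-east-2:111111111111:NotMySNSTopic"
TOPIC_POLICY = {"Version": "2008-10-17", "Statement": [
    {"Sid": "__default_statement_ID", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["SNS:Subscribe", "SNS:Publish", "SNS:SetTopicAttributes"],
     "Resource": TOPIC_ARN,
     "Condition": {"StringEquals": {"AWS:SourceOwner": "111111111111"}}},
    {"Sid": "CodeCommit-Policy_ID", "Effect": "Allow",
     "Principal": {"Service": "codecommit.amazonaws.com"}, "Action": "SNS:Publish",
     "Resource": TOPIC_ARN,
     "Condition": {"StringEquals": {"AWS:SourceArn": EXPECTED_REPO,
                                    "AWS:SourceAccount": EXPECTED_ACCOUNT}}}]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def audit_codecommit_publish(policy, repo_arn, repo_account):
    """List findings for every Allow statement that lets the CodeCommit service principal
    publish; an empty list means each such grant is pinned to the expected repository and
    account with StringEquals on AWS:SourceArn and AWS:SourceAccount."""
    findings = []
    for st in policy["Statement"]:
        principal = st.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or "codecommit.amazonaws.com" not in services:
            continue
        if not any(a.lower() in ("sns:publish", "sns:*") for a in _as_list(st.get("Action"))):
            continue
        equals = st.get("Condition", {}).get("StringEquals", {})
        equals = {k.lower(): _as_list(v) for k, v in equals.items()}  # condition keys are case-insensitive
        sid = st.get("Sid", "<no Sid>")
        if equals.get("aws:sourcearn") != [repo_arn]:
            findings.append(f"{sid}: AWS:SourceArn is not pinned to {repo_arn}")
        if equals.get("aws:sourceaccount") != [repo_account]:
            findings.append(f"{sid}: AWS:SourceAccount is not pinned to {repo_account}")
    return findings
```

The same SourceArn and SourceAccount pinning is what the Lambda AddPermission parameters in Example 2 establish for a function's resource policy.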

Example 2: Create a Policy for AWS Lambda Integration

You can configure an AWS CodeCommit repository so that code pushes or other events trigger actions, such as invoking a function in AWS Lambda. For more information, see Create a Trigger for a Lambda Function.

If you want your trigger to run a Lambda function directly (instead of using an Amazon SNS topic to invoke the Lambda function), and you do not configure the trigger in the Lambda console, you must include a policy similar to the following in the function's resource policy:

{
  "Statement": {
    "StatementId": "Id-1",
    "Action": "lambda:InvokeFunction",
    "Principal": "codecommit.amazonaws.com",
    "SourceArn": "arn:aws:codecommit:us-east-2:80398EXAMPLE:MyDemoRepo",
    "SourceAccount": "80398EXAMPLE"
  }
}

When manually configuring an AWS CodeCommit trigger that invokes a Lambda function, you must also use the Lambda AddPermission command to grant permission for AWS CodeCommit to invoke the function. For an example, see the To allow AWS CodeCommit to run a Lambda function section of Create a Trigger for an Existing Lambda Function.

For more information about resource policies for Lambda functions, see AddPermission and The Pull/Push Event Models in the AWS Lambda Developer Guide.