AWS CodeCommit
User Guide (API Version 2015-04-13)

AWS CodeCommit Permissions Reference

The following tables list each AWS CodeCommit API operation, the corresponding actions for which you can grant permissions, and the format of the resource ARN to use for granting permissions. The AWS CodeCommit APIs are grouped into tables based on the scope of the actions allowed by that API. Refer to these tables when setting up Access Control and writing permissions policies that you can attach to an IAM identity (identity-based policies).

When you create a permissions policy, you specify the actions in the policy's Action field. You specify the resource value in the policy's Resource field as an ARN, with or without a wildcard character (*).

To express conditions in your AWS CodeCommit policies, use AWS-wide condition keys. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.

Note

To specify an action, use the codecommit: prefix followed by the API operation name (for example, codecommit:GetRepository or codecommit:CreateRepository).

Using Wildcards

To specify multiple actions or resources, use a wildcard character (*) in your ARN. For example, codecommit:* specifies all AWS CodeCommit actions and codecommit:Get* specifies all AWS CodeCommit actions that begin with the word Get. The following example grants access to all repositories with names that begin with MyDemo.

arn:aws:codecommit:us-west-2:111111111111:MyDemo*

You can use wildcards only with the repository-name resources listed in the following table. You can't use wildcards with region or account-id resources. For more information about wildcards, see IAM Identifiers in the IAM User Guide.

Required Permissions for Git Client Commands

In AWS CodeCommit, the GitPull IAM policy permissions apply to any Git client command where data is retrieved from AWS CodeCommit, including git fetch, git clone, and so on. Similarly, the GitPush IAM policy permissions apply to any Git client command where data is sent to AWS CodeCommit. For example, if the GitPush IAM policy permission is set to Allow, a user can push the deletion of a branch using the Git protocol. That push is unaffected by any permissions applied to the DeleteBranch operation for that IAM user. The DeleteBranch permission applies to actions performed with the console, the AWS CLI, the SDKs, and the API, but not the Git protocol.

GitPull and GitPush are IAM policy permissions. They are not API actions.
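The following added example (not AWS code) models the evaluation rules this page describes, for both the wildcard section above and the Git client distinction: an explicit Deny wins over Allow, a trailing * in the repository-name segment matches a name prefix, wildcards in the region or account-id segments are rejected, and Git-protocol commands are checked against codecommit:GitPush / codecommit:GitPull rather than the branch or code API actions. The policy, repository ARN and the git_command_action mapping are constructed for the example.

```python
import fnmatch
# Constructed policy: push/pull on MyDemo* repos, but DeleteBranch explicitly denied.
POLICY = {
    "Statement": [
        {"Effect": "Allow",
         "Action": ["codecommit:GitPull", "codecommit:GitPush", "codecommit:Get*"],
         "Resource": "arn:aws:codecommit:us-west-2:111111111111:MyDemo*"},
        {"Effect": "Deny",
         "Action": "codecommit:DeleteBranch",
         "Resource": "arn:aws:codecommit:us-west-2:111111111111:MyDemo*"},
    ]
}
def validate_resource_arn(arn):
    """Reject ARNs with a wildcard outside the repository-name segment."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "codecommit"]:
        raise ValueError("not a CodeCommit ARN: " + arn)
    if "*" in parts[3] or "*" in parts[4]:   # region, account-id
        raise ValueError("wildcards are allowed only in repository-name: " + arn)
    return True

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource_arn):
    """IAM-style decision: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        resources = _as_list(stmt["Resource"])
        for res in resources:
            validate_resource_arn(res)
        # '*' in Action and Resource strings is a wildcard, as in IAM
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def git_command_action(command):
    """Git-protocol traffic is checked against GitPush/GitPull, not branch/code APIs."""
    return "codecommit:GitPush" if command.startswith("git push") else "codecommit:GitPull"

REPO = "arn:aws:codecommit:us-west-2:111111111111:MyDemoRepo"
# DeleteBranch via API/CLI is denied, but the same deletion over Git only needs GitPush.
assert not is_allowed(POLICY, "codecommit:DeleteBranch", REPO)
assert is_allowed(POLICY, git_command_action("git push origin --delete feature"), REPO)
```

The last two assertions are the page's caveat in code: denying DeleteBranch alone does not stop a branch deletion pushed over the Git protocol, so a policy that must prevent it has to restrict codecommit:GitPush as well.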


AWS CodeCommit Required Permissions for Actions for Git Client Commands

Columns: AWS CodeCommit Permissions for Git | Required Permissions | Resources

GitPull
  Required Permissions: codecommit:GitPull
  Description: Required to pull information from an AWS CodeCommit repository to a local repo. This is an IAM policy permission only, not an API action.
  Resources: arn:aws:codecommit:region:account-id:repository-name

GitPush
  Required Permissions: codecommit:GitPush
  Description: Required to push information from a local repo to an AWS CodeCommit repository. This is an IAM policy permission only, not an API action.
  Resources: arn:aws:codecommit:region:account-id:repository-name

Permissions for Actions on Branches

The following permissions allow or deny actions on branches in AWS CodeCommit repositories. These permissions pertain only to actions performed in the AWS CodeCommit console and with the AWS CodeCommit API, and to commands performed using the AWS CLI. They do not pertain to similar actions that can be performed using the Git protocol. For example, the git show-branch -r command displays a list of remote branches for a repository and its commits using the Git protocol. It's not affected by any permissions for the AWS CodeCommit ListBranches operation.


AWS CodeCommit API Operations and Required Permissions for Actions on Branches

Columns: AWS CodeCommit API Operations for Branches | Required Permissions (API Actions) | Resources

CreateBranch
  Required Permissions: codecommit:CreateBranch
  Description: Required to create a branch in an AWS CodeCommit repository.
  Resources: arn:aws:codecommit:region:account-id:repository-name

DeleteBranch
  Required Permissions: codecommit:DeleteBranch
  Description: Required to delete a branch from an AWS CodeCommit repository.
  Resources: arn:aws:codecommit:region:account-id:repository-name

GetBranch
  Required Permissions: codecommit:GetBranch
  Description: Required to get details about a branch in an AWS CodeCommit repository.
  Resources: arn:aws:codecommit:region:account-id:repository-name

ListBranches
  Required Permissions: codecommit:ListBranches
  Description: Required to get a list of branches in an AWS CodeCommit repository.
  Resources: arn:aws:codecommit:region:account-id:repository-name

UpdateDefaultBranch
  Required Permissions: codecommit:UpdateDefaultBranch
  Description: Required to change the default branch in an AWS CodeCommit repository.
  Resources: arn:aws:codecommit:region:account-id:repository-name

Permissions for Actions on Committed Code

The following permissions allow or deny actions on code committed to AWS CodeCommit repositories. These permissions pertain to actions performed with the AWS CodeCommit console and the AWS CodeCommit API, and commands performed using the AWS CLI. They do not pertain to similar actions that can be performed using the Git protocol.

Explicitly denying some of these permissions might result in unexpected consequences in the AWS CodeCommit console. For example, setting GetTree to Deny prevents users from navigating the contents of a repository in the console, but does not block users from viewing the contents of a file in the repository (if they are sent a link to the file in email, for example). Setting GetBlob to Deny prevents users from viewing the contents of files, but does not block users from browsing the structure of a repository. Setting GetCommit to Deny prevents users from retrieving details about commits. Setting GetObjectIdentifier to Deny blocks most of the functionality of code browsing. If you set all three of these actions to Deny in a policy, a user with that policy will not be able to browse code in the AWS CodeCommit console.


AWS CodeCommit API Operations and Required Permissions for Actions on Committed Code

Columns: AWS CodeCommit API Operations | Required Permissions (API Actions) | Resources

GetBlob
  Required Permissions: codecommit:GetBlob
  Description: Required to view the encoded content of an individual file in an AWS CodeCommit repository from the AWS CodeCommit console.
  Resources: arn:aws:codecommit:region:account-id:repository-name

GetCommit
  Required Permissions: codecommit:GetCommit
  Description: Required to return information about a commit.
  Resources: arn:aws:codecommit:region:account-id:repository-name

GetCommitHistory
  Required Permissions: codecommit:GetCommitHistory
  Description: Required to return information about the history of commits in a repository. This is an IAM policy permission only, not an API action that you can call.
  Resources: arn:aws:codecommit:region:account-id:repository-name

GetDifferences
  Required Permissions: codecommit:GetDifferences
  Description: Required to return information about the differences between commit specifiers (such as a branch, tag, HEAD, commit ID, or other fully qualified reference).
  Resources: arn:aws:codecommit:region:account-id:repository-name

GetObjectIdentifier
  Required Permissions: codecommit:GetObjectIdentifier
  Description: Required to resolve blobs, trees, and commits to their identifier. This is an IAM policy permission only, not an API action that you can call.
  Resources: arn:aws:codecommit:region:account-id:repository-name

GetReferences
  Required Permissions: codecommit:GetReferences
  Description: Required to return all references, such as branches and tags. This is an IAM policy permission only, not an API action that you can call.
  Resources: arn:aws:codecommit:region:account-id:repository-name

GetTree
  Required Permissions: codecommit:GetTree
  Description: Required to view the contents of a specified tree in an AWS CodeCommit repository from the AWS CodeCommit console. This is an IAM policy permission only, not an API action that you can call.
  Resources: arn:aws:codecommit:region:account-id:repository-name

Permissions for Actions on Repositories

The following permissions allow or deny actions on AWS CodeCommit repositories. These permissions pertain to actions performed with the AWS CodeCommit console and the AWS CodeCommit API, and to commands performed using the AWS CLI. They do not pertain to similar actions that can be performed using the Git protocol.


AWS CodeCommit API Operations and Required Permissions for Actions on Repositories

Columns: AWS CodeCommit API Operations | Required Permissions (API Actions) | Resources

BatchGetRepositories
  Required Permissions: codecommit:BatchGetRepositories
  Description: Required to get information about multiple AWS CodeCommit repositories that are in an AWS account. In Resource, you must specify the names of all of the AWS CodeCommit repositories for which a user is allowed (or denied) information.
  Resources: arn:aws:codecommit:region:account-id:repository-name

CreateRepository
  Required Permissions: codecommit:CreateRepository
  Description: Required to create an AWS CodeCommit repository.
  Resources: arn:aws:codecommit:region:account-id:repository-name

DeleteRepository
  Required Permissions: codecommit:DeleteRepository
  Description: Required to delete an AWS CodeCommit repository.
  Resources: arn:aws:codecommit:region:account-id:repository-name

GetRepository
  Required Permissions: codecommit:GetRepository
  Description: Required to get information about a single AWS CodeCommit repository.
  Resources: arn:aws:codecommit:region:account-id:repository-name

ListRepositories
  Required Permissions: codecommit:ListRepositories
  Description: Required to get a list of the names and system IDs of multiple AWS CodeCommit repositories for an AWS account. The only allowed value for Resource for this action is all repositories (*).
  Resources: *

UpdateRepositoryDescription
  Required Permissions: codecommit:UpdateRepositoryDescription
  Description: Required to change the description of an AWS CodeCommit repository.
  Resources: arn:aws:codecommit:region:account-id:repository-name

UpdateRepositoryName
  Required Permissions: codecommit:UpdateRepositoryName
  Description: Required to change the name of an AWS CodeCommit repository. In Resource, you must specify both the AWS CodeCommit repositories that are allowed to be changed and the new repository names.
  Resources: arn:aws:codecommit:region:account-id:repository-name

Permissions for Actions on Triggers

The following permissions allow or deny actions on triggers for AWS CodeCommit repositories.


AWS CodeCommit API Operations and Required Permissions for Actions on Triggers

Columns: AWS CodeCommit API Operations | Required Permissions (API Actions) | Resources

GetRepositoryTriggers
  Required Permissions: codecommit:GetRepositoryTriggers
  Description: Required to return information about triggers configured for a repository.
  Resources: arn:aws:codecommit:region:account-id:repository-name

PutRepositoryTriggers
  Required Permissions: codecommit:PutRepositoryTriggers
  Description: Required to create, edit, or delete triggers for a repository.
  Resources: arn:aws:codecommit:region:account-id:repository-name

TestRepositoryTriggers
  Required Permissions: codecommit:TestRepositoryTriggers
  Description: Required to test the functionality of a repository trigger by sending data to the topic or function configured for the trigger.
  Resources: arn:aws:codecommit:region:account-id:repository-name

Permissions for Actions on AWS CodePipeline Integration

In order for AWS CodePipeline to use an AWS CodeCommit repository in a source action for a pipeline, you must grant all of the permissions listed in the following table to the service role for AWS CodePipeline. If these permissions are not set in the service role or are set to Deny, the pipeline will not run automatically when a change is made to the repository, and changes cannot be released manually.


AWS CodeCommit API Operations and Required Permissions for Actions on AWS CodePipeline Integration

Columns: AWS CodeCommit API Operations | Required Permissions (API Actions) | Resources

GetBranch
  Required Permissions: codecommit:GetBranch
  Description: Required to get details about a branch in an AWS CodeCommit repository.
  Resources: arn:aws:codecommit:region:account-id:repository-name

GetCommit
  Required Permissions: codecommit:GetCommit
  Description: Required to return information about a commit to the service role for AWS CodePipeline.
  Resources: arn:aws:codecommit:region:account-id:repository-name

UploadArchive
  Required Permissions: codecommit:UploadArchive
  Description: Required to allow the service role for AWS CodePipeline to upload repository changes into a pipeline. This is an IAM policy permission only, not an API action that you can call.
  Resources: arn:aws:codecommit:region:account-id:repository-name

GetUploadArchiveStatus
  Required Permissions: codecommit:GetUploadArchiveStatus
  Description: Required to determine the status of an archive upload: whether it is in progress, complete, cancelled, or if an error occurred. This is an IAM policy permission only, not an API action that you can call.
  Resources: arn:aws:codecommit:region:account-id:repository-name

CancelUploadArchive
  Required Permissions: codecommit:CancelUploadArchive
  Description: Required to cancel the uploading of an archive to a pipeline. This is an IAM policy permission only, not an API action that you can call.
  Resources: arn:aws:codecommit:region:account-id:repository-name