AWS CodeStar
User Guide

AWS CodeStar Access Permissions Reference

AWS CodeStar uses IAM to control which users have access to AWS CodeStar projects and their resources on your behalf. When you add an IAM user to a project in a project role, policies and roles are applied to that user. These policies and roles grant permissions and access to that user based on the project role. You can use the IAM console to create other policies that assign AWS CodeStar and other permissions to an IAM user.

For example, you might want to allow a user to view but not change an AWS CodeStar project. In this case, you add the IAM user to an AWS CodeStar project with the Viewer role. Every AWS CodeStar project has a set of policies that help you control access to the project. In addition, you can control which users have access to AWS CodeStar.

In the Setting Up AWS CodeStar instructions, you attached a policy named AWSCodeStarFullAccess to your IAM user. This policy allows full access to AWS CodeStar. That policy statement looks similar to this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CodeStarEC2",
      "Effect": "Allow",
      "Action": [
        "codestar:*",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CodeStarCF",
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStack*",
        "cloudformation:GetTemplateSummary"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stack/awscodestar-*"
      ]
    }
  ]
}

This policy statement allows the IAM user to perform all available actions in AWS CodeStar with all available AWS CodeStar resources associated with the AWS account. This includes creating and deleting projects. You might not want to give all IAM users this much access. Instead, you can add IAM users to AWS CodeStar project roles. The roles grant specific levels of access to AWS CodeStar projects.

AWS CodeStar Project-Level Policies and Permissions

There are three roles in AWS CodeStar projects: Owner, Contributor, and Viewer. Each role is specific to a project and defined by an IAM managed policy, where project-id is the ID of the AWS CodeStar project (for example, my-first-projec):

  • CodeStar_project-id_Owner

  • CodeStar_project-id_Contributor

  • CodeStar_project-id_Viewer

Important

These policies are subject to change by AWS CodeStar. They should not be modified manually. If you want to add or change permissions, attach additional policies to the IAM user.

When you add a user to a project and choose a role for the user, the appropriate policy is applied automatically to the IAM user. Under most circumstances, you don't need to directly attach or manage policies or permissions in IAM. Manually attaching an AWS CodeStar role policy to an IAM user is not recommended. If absolutely necessary, as a supplement to an AWS CodeStar role policy, you can create your own managed policies to apply your own level of permissions to an IAM user.

Note

The policies for roles in an AWS CodeStar project apply to that project only. This helps ensure that users can only see and interact with the AWS CodeStar projects they have permissions to, at the level determined by their role. Only users who will create AWS CodeStar projects should have a policy applied that allows access to all AWS CodeStar resources, regardless of project.

The contents of every AWS CodeStar role policy vary depending on the AWS resources associated with the project the role belongs to. Unlike the managed policies of other AWS services, these policies are customized when the project is created and are updated as project resources change. Therefore, there is no single canonical Owner, Contributor, or Viewer managed policy.

AWS CodeStar Owner Role Policy

The CodeStar_project-id_Owner managed policy allows a user to perform all actions in the AWS CodeStar project with no restrictions. This is the only policy that allows a user to add or remove team members. Although the contents of the policy vary, depending on the resources associated with the project, the CodeStar_project-id_Owner managed policy contains the following AWS CodeStar permissions. As an AWS managed policy, it is subject to change without notice.

"Effect": "Allow",
"Action": [
  ...
  "codestar:*",
  ...
],
"Resource": [
  "arn:aws:codestar:us-east-2:111111111111:project-id"
]

An IAM user with this policy can perform all AWS CodeStar actions in the project, but unlike an IAM user with the AWSCodeStarFullAccess policy, the user cannot create new projects. The codestar:* permission is limited in scope to a specific resource (the AWS CodeStar project associated with that project ID).

AWS CodeStar Contributor Role Policy

The CodeStar_project-id_Contributor managed policy allows a user to contribute to the project and change the project dashboard, but does not allow a user to add or remove team members. Although the contents of the policy vary, depending on the resources associated with the project, the CodeStar_project-id_Contributor policy contains the following AWS CodeStar permissions. As an AWS managed policy, it is subject to change without notice.

"Effect": "Allow",
"Action": [
  ...
  "codestar:DescribeProject",
  "codestar:ListTeamMembers",
  "codestar:*Resource*",
  ...
],
"Resource": [
  "arn:aws:codestar:us-east-2:111111111111:project-id"
]

AWS CodeStar Viewer Role Policy

The CodeStar_project-id_Viewer managed policy allows a user to view a project in AWS CodeStar, but not change its resources or add or remove team members. Although the contents of the policy vary, depending on the resources associated with the project, the CodeStar_project-id_Viewer policy contains the following AWS CodeStar permissions. As an AWS managed policy, it is subject to change without notice.

"Effect": "Allow",
"Action": [
  ...
  "codestar:DescribeProject",
  "codestar:ListResources",
  "codestar:ListTeamMembers",
  ...
],
"Resource": [
  "arn:aws:codestar:us-east-2:111111111111:project-id"
]

AWS CodeStar Service Role Policy and Permissions

AWS CodeStar uses a service role, aws-codestar-service-role, when creating and managing the resources for your project.

Important

You must be signed in as an IAM administrative user or root account in order to create this service role.

This role is created the first time you create a project in AWS CodeStar. The service role acts on your behalf to create the resources you choose when creating a project and to display information about those resources in the AWS CodeStar project dashboard. It also acts on your behalf when you manage the resources for a project. It contains the following policy statement:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProjectStack",
      "Effect": "Allow",
      "Action": [
        "cloudformation:*Stack*",
        "cloudformation:GetTemplate"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stack/awscodestar-*",
        "arn:aws:cloudformation:*:*:stack/awseb-*"
      ]
    },
    {
      "Sid": "ProjectStackTemplate",
      "Effect": "Allow",
      "Action": [
        "cloudformation:GetTemplateSummary",
        "cloudformation:DescribeChangeSet"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ProjectQuickstarts",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::awscodestar-*/*"
      ]
    },
    {
      "Sid": "ProjectS3Buckets",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::aws-codestar-*",
        "arn:aws:s3:::aws-codestar-*/*",
        "arn:aws:s3:::elasticbeanstalk-*",
        "arn:aws:s3:::elasticbeanstalk-*/*"
      ]
    },
    {
      "Sid": "ProjectServices",
      "Effect": "Allow",
      "Action": [
        "codestar:*Project",
        "codestar:*Resource*",
        "codestar:List*",
        "codestar:Describe*",
        "codestar:Get*",
        "codestar:AssociateTeamMember",
        "codecommit:*",
        "codepipeline:*",
        "codedeploy:*",
        "codebuild:*",
        "ec2:RunInstances",
        "autoscaling:*",
        "cloudwatch:Put*",
        "ec2:*",
        "elasticbeanstalk:*",
        "elasticloadbalancing:*",
        "iam:ListRoles",
        "logs:*",
        "sns:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ProjectWorkerRoles",
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetRole",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:SetDefaultPolicyVersion",
        "iam:CreatePolicy",
        "iam:DeletePolicy",
        "iam:AddRoleToInstanceProfile",
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile"
      ],
      "Resource": [
        "arn:aws:iam::*:role/CodeStarWorker*",
        "arn:aws:iam::*:policy/CodeStarWorker*",
        "arn:aws:iam::*:instance-profile/awscodestar-*"
      ]
    },
    {
      "Sid": "ProjectTeamMembers",
      "Effect": "Allow",
      "Action": [
        "iam:AttachUserPolicy",
        "iam:DetachUserPolicy"
      ],
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "iam:PolicyArn": [
            "arn:aws:iam::*:policy/CodeStar_*"
          ]
        }
      }
    },
    {
      "Sid": "ProjectRoles",
      "Effect": "Allow",
      "Action": [
        "iam:CreatePolicy",
        "iam:DeletePolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:ListEntitiesForPolicy",
        "iam:ListPolicyVersions"
      ],
      "Resource": [
        "arn:aws:iam::*:policy/CodeStar_*"
      ]
    },
    {
      "Sid": "InspectServiceRole",
      "Effect": "Allow",
      "Action": [
        "iam:ListAttachedRolePolicies"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-codestar-service-role"
      ]
    }
  ]
}

Attach a Policy to an IAM User

When you add a user to a project, AWS CodeStar automatically attaches the managed policy for the project that matches the user's role. You should not manually attach an AWS CodeStar managed policy for a project to an IAM user. With the exception of AWSCodeStarFullAccess, we do not recommend that you attach policies that change an IAM user's permissions in an AWS CodeStar project. If you decide to create and attach your own policies, do the following:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the IAM console, in the navigation pane, choose Users, and then choose the user to which you want to attach additional policies.

  3. On the Permissions tab, choose Add permissions. Choose Attach existing policies directly, select the policy you want to apply, and then choose Attach Policy.

    For example, if you want to add your own customized policy to a user, choose the policy name from the list of policies.

  4. If you do not want to attach an existing policy but instead want to create your own custom policy, on the Permissions tab, choose Add inline policy. Choose Custom Policy, and then choose Select.

    In Policy Name, type a name for this policy. In the Policy Document box, type a policy that follows this format, and then choose Apply Policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "action-statement" ],
          "Resource": [ "resource-statement" ]
        },
        {
          "Effect": "Allow",
          "Action": [ "action-statement" ],
          "Resource": [ "resource-statement" ]
        }
      ]
    }

    In the preceding statement, for action-statement and resource-statement, specify the AWS CodeStar actions and resources the IAM user is allowed to perform or access. (By default, the IAM user does not have permissions unless a corresponding Allow statement is explicitly stated. If you want to specifically deny a permission granted by another policy, such as the policy for an AWS CodeStar role, choose Deny instead of Allow.) You can add statements as needed. The following sections describe the format of allowed actions and resources for AWS CodeStar. Syntax examples are provided in these sections.
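The procedure above ends with a policy document typed by hand, which is where trailing commas and malformed ARNs creep in. The following Python is an added example, not code from the AWS CodeStar guide: it builds a custom policy in the format shown in step 4 and lints it for the problems this reference describes (the JSON must parse, Version is "2012-10-17", each statement's Effect is Allow or Deny, resources follow arn:aws:codestar:region:account:resource-specifier, and ListProjects is only ever scoped to "*"). The function names, the 12-digit account check, and the sample project ID used in the demo are this example's own assumptions.

```python
import json

# Added example, not part of the AWS CodeStar guide: build a custom policy
# document in the shape the guide shows, then lint it for the mistakes that
# make IAM reject it (malformed JSON) or make the policy silently not apply
# (an ARN that does not follow arn:aws:codestar:region:account:resource-specifier,
# or ListProjects scoped to anything other than "*").

POLICY_VERSION = "2012-10-17"
# Per the Resource Scoping section: ListProjects cannot be scoped to a project.
UNSCOPABLE_ACTIONS = {"codestar:listprojects"}


def build_policy(statements):
    """statements: iterable of (effect, actions, resources) tuples."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [
            {"Effect": effect, "Action": list(actions), "Resource": list(resources)}
            for effect, actions, resources in statements
        ],
    }


def render(policy):
    """JSON text ready to paste into the IAM console's Policy Document box."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]


def check_codestar_arn(arn):
    """Return a problem description, or None when the ARN is "*" or follows
    arn:aws:codestar:region:account:resource-specifier. Assumption made by
    this example: account is a 12-digit AWS account ID or the wildcard *."""
    if arn == "*":
        return None
    parts = arn.split(":")
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "codestar"]:
        return f"{arn!r}: expected arn:aws:codestar:region:account:resource-specifier"
    region, account, resource = parts[3:]
    if not region:
        return f"{arn!r}: region is empty"
    if not (account == "*" or (account.isdigit() and len(account) == 12)):
        return f"{arn!r}: account must be a 12-digit account ID or *"
    if not resource:
        return f"{arn!r}: resource-specifier is empty"
    return None


def validate_policy(text):
    """Lint a policy document given as JSON text. Returns a list of findings;
    an empty list means nothing was flagged."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # A trailing comma inside an Action list is the usual cause here.
        return [f"not valid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    findings = []
    if doc.get("Version") != POLICY_VERSION:
        findings.append(f"Version should be {POLICY_VERSION!r}")
    for index, stmt in enumerate(_as_list(doc.get("Statement", []))):
        where = f"Statement[{index}]"
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        actions = [str(a).lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action != "*" and ":" not in action:
                findings.append(f"{where}: action {action!r} must be written as service:action")
        for arn in resources:
            problem = check_codestar_arn(arn)
            if problem:
                findings.append(f"{where}: {problem}")
        if UNSCOPABLE_ACTIONS & set(actions) and resources != ["*"]:
            findings.append(f'{where}: ListProjects cannot be scoped; Resource must be "*"')
    return findings


if __name__ == "__main__":
    # Constructed sample: the UpdateProject policy shape used later in this reference.
    policy = build_policy([
        ("Allow", ["codestar:UpdateProject"],
         ["arn:aws:codestar:us-east-2:111111111111:project/my-first-projec"]),
    ])
    print(render(policy))
    print("findings:", validate_policy(render(policy)))
```

Running the linter on the text you are about to paste into the console catches the two failure modes that produce no useful error at runtime: a document the console rejects outright, and a syntactically valid policy whose ARN never matches a real request.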

Action and Resource Syntax

The following sections describe the format for specifying actions and resources.

Actions follow this general format:

codestar:action

Where action is an available AWS CodeStar operation, such as ListProjects or AssociateResource. To allow an action, use the "Effect" : "Allow" clause. To explicitly deny an action, use the "Effect" : "Deny" clause. By default, all actions are denied, unless specified otherwise in any other attached policy.

Resources follow this general format:

arn:aws:codestar:region:account:resource-specifier

Where region is a target region (such as us-east-2), account is the AWS account ID, and resource-specifier is the project ID. Wildcard (*) characters can be used to specify a partial name.

For example, the following specifies the AWS CodeStar project named my-first-projec registered to the AWS account 111111111111 in the region us-east-2:

arn:aws:codestar:us-east-2:111111111111:project/my-first-projec

The following specifies any AWS CodeStar project that begins with the name my-proj registered to the AWS account 111111111111 in the region us-east-2:

arn:aws:codestar:us-east-2:111111111111:project/my-proj*

Resource Scoping in AWS CodeStar

Some of the permissions in AWS CodeStar cannot be scoped to a specific resource; they must be scoped to all resources (*), or the action will fail.

The following action cannot be scoped. It must be set to *:

  • ListProjects

Projects

Allowed actions include:

  • CreateProject to create an AWS CodeStar project.

  • DeleteProject to delete an AWS CodeStar project.

  • DescribeProject to describe the attributes of an AWS CodeStar project.

  • ListProjects to list all the AWS CodeStar projects.

  • UpdateProject to update the attributes of an AWS CodeStar project.

The following example allows a specified IAM user to edit the attributes of an AWS CodeStar project, such as its project description:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "codestar:UpdateProject" ],
      "Resource": "arn:aws:codestar:us-east-2:111111111111:project/my-first-projec"
    }
  ]
}

Resources

Allowed actions include:

  • ListResources to list all the resources for an AWS CodeStar project.

The following example allows an IAM user who has this policy attached to list resources for a project with the ID my-first-projec:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "codestar:ListResources" ],
      "Resource": "arn:aws:codestar:us-east-2:111111111111:project/my-first-projec"
    }
  ]
}

Teams

Allowed actions include:

  • AssociateTeamMember to add a user to an AWS CodeStar project.

  • DisassociateTeamMember to remove a user from an AWS CodeStar project.

  • ListTeamMembers to list all the users in an AWS CodeStar project.

  • UpdateTeamMember to change a team member's attributes in an AWS CodeStar project (for example, the user's project role).

The following example allows an IAM user who has this policy attached to add team members to an AWS CodeStar project with the project ID my-first-projec, but explicitly denies that user the ability to remove team members:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "codestar:AssociateTeamMember" ],
      "Resource": "arn:aws:codestar:us-east-2:111111111111:project/my-first-projec"
    },
    {
      "Effect": "Deny",
      "Action": [ "codestar:DisassociateTeamMember" ],
      "Resource": "arn:aws:codestar:us-east-2:111111111111:project/my-first-projec"
    }
  ]
}

Users

Allowed actions include:

  • CreateUserProfile to create a user profile in AWS CodeStar. This profile contains data associated with the user, such as a display name, that appears across all AWS CodeStar projects.

  • DeleteUserProfile to delete an AWS CodeStar user profile.

  • DescribeUserProfile to retrieve information about an AWS CodeStar user profile.

  • ListUserProfiles to list all AWS CodeStar user profiles for an AWS account.

  • UpdateUserProfile to update an AWS CodeStar profile for a user.

The following example allows an IAM user who has this policy attached to list all AWS CodeStar user profiles associated with an AWS account:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "codestar:ListUserProfiles" ],
      "Resource": "*"
    }
  ]
}
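The Action and Resource Syntax section, the Resource Scoping section and the Teams and Users examples above all rely on the same evaluation rules: actions and ARNs are matched with * wildcards, an explicit Deny overrides any Allow, and anything not allowed is denied. The Python below is an added example, not code from the AWS CodeStar guide, that models those rules on the policy shapes shown in this reference (the Teams Allow/Deny pair, an Owner-style codestar:* scoped to one project, and a Contributor-style codestar:*Resource* wildcard). It ignores Condition elements, and the function names, policy constants and the project ARN are this example's own constructions.

```python
import fnmatch

# Added example, not part of the AWS CodeStar guide: a minimal model of how IAM
# evaluates identity-based policies like the ones in this reference. Explicit
# Deny wins, then any matching Allow, otherwise the request is implicitly denied.
# Condition blocks are ignored, so this is a teaching aid, not an authorizer.

# Constructed project ARN in the guide's account and region.
PROJECT_ARN = "arn:aws:codestar:us-east-2:111111111111:project/my-first-projec"

# The Teams example from the guide: may add team members, may never remove them.
TEAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["codestar:AssociateTeamMember"], "Resource": PROJECT_ARN},
        {"Effect": "Deny", "Action": ["codestar:DisassociateTeamMember"], "Resource": PROJECT_ARN},
    ],
}

# Shape of the CodeStar_project-id_Owner policy: codestar:* limited to one project.
OWNER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["codestar:*"], "Resource": [PROJECT_ARN]}],
}

# Shape of the CodeStar_project-id_Contributor policy: note the *Resource* wildcard.
CONTRIBUTOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["codestar:DescribeProject", "codestar:ListTeamMembers", "codestar:*Resource*"],
            "Resource": [PROJECT_ARN],
        }
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: * matches any run of characters, ? exactly one.
    return fnmatch.fnmatchcase(value, pattern)


def statement_matches(stmt, action, resource):
    """True if the statement names both the action (case-insensitive) and the
    resource (ARNs are case-sensitive). A request whose resource is "*" (an
    action such as ListProjects that cannot be scoped) only matches a
    statement whose Resource is literally "*"."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return any(_matches(p, action.lower()) for p in actions) and any(
        _matches(p, resource) for p in resources
    )


def evaluate(policies, action, resource):
    """Return "Deny" (explicit), "Allow", or "ImplicitDeny" for one request,
    considering every policy attached to the user."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_matches(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"  # an explicit Deny overrides any Allow anywhere
            decision = "Allow"
    return decision


if __name__ == "__main__":
    attached = [TEAM_POLICY, OWNER_POLICY]
    for action, resource in [
        ("codestar:AssociateTeamMember", PROJECT_ARN),
        ("codestar:DisassociateTeamMember", PROJECT_ARN),  # Deny beats the Owner's codestar:*
        ("codestar:ListProjects", "*"),  # a project-scoped policy cannot satisfy this
        ("codestar:CreateProject", "arn:aws:codestar:us-east-2:111111111111:project/another"),
    ]:
        print(f"{action:36} {resource:72} -> {evaluate(attached, action, resource)}")
```

Two results are worth noticing: the explicit Deny from the Teams policy still wins when the same user also holds an Owner-style codestar:* grant, and an Owner-style policy scoped to one project ARN never authorizes ListProjects or the creation of a different project, which is exactly why the reference says those users need a separate, broader policy.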