AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS CodeCommit

AWS CodeCommit (service prefix: codecommit) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS CodeCommit

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
| --- | --- | --- | --- | --- | --- |
| BatchDescribeMergeConflicts | Grants permission to get information about multiple merge conflicts when attempting to merge two commits using either the three-way merge or the squash merge option | Read | repository* | | |
| BatchGetPullRequests [permission only] | Grants permission to return information about one or more pull requests in an AWS CodeCommit repository | Read | repository* | | |
| BatchGetRepositories | Grants permission to get information about multiple repositories | Read | repository* | | |
| CancelUploadArchive [permission only] | Grants permission to cancel the uploading of an archive to a pipeline in AWS CodePipeline | Read | repository* | | |
| CreateBranch | Grants permission to create a branch in an AWS CodeCommit repository with this API; does not control Git create branch actions | Write | repository* | codecommit:References | |
| CreateCommit | Grants permission to add, copy, move or update single or multiple files in a branch in an AWS CodeCommit repository, and generate a commit for the changes in the specified branch. | Write | repository* | codecommit:References | |
| CreatePullRequest | Grants permission to create a pull request in the specified repository | Write | repository* | | |
| CreateRepository | Grants permission to create an AWS CodeCommit repository | Write | repository* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateUnreferencedMergeCommit | Grants permission to create an unreferenced commit that contains the result of merging two commits using either the three-way or the squash merge option; does not control Git merge actions | Write | repository* | codecommit:References | |
| DeleteBranch | Grants permission to delete a branch in an AWS CodeCommit repository with this API; does not control Git delete branch actions | Write | repository* | codecommit:References | |
| DeleteCommentContent | Grants permission to delete the content of a comment made on a change, file, or commit in a repository | Write | repository* | | |
| DeleteFile | Grants permission to delete a specified file from a specified branch | Write | repository* | codecommit:References | |
| DeleteRepository | Grants permission to delete an AWS CodeCommit repository | Write | repository* | | |
| DescribeMergeConflicts | Grants permission to get information about specific merge conflicts when attempting to merge two commits using either the three-way or the squash merge option | Read | repository* | | |
| DescribePullRequestEvents | Grants permission to return information about one or more pull request events | Read | repository* | | |
| GetBlob | Grants permission to view the encoded content of an individual file in an AWS CodeCommit repository from the AWS CodeCommit console | Read | repository* | | |
| GetBranch | Grants permission to get details about a branch in an AWS CodeCommit repository with this API; does not control Git branch actions | Read | repository* | | |
| GetComment | Grants permission to get the content of a comment made on a change, file, or commit in a repository | Read | repository* | | |
| GetCommentsForComparedCommit | Grants permission to get information about comments made on the comparison between two commits | Read | repository* | | |
| GetCommentsForPullRequest | Grants permission to get comments made on a pull request | Read | repository* | | |
| GetCommit | Grants permission to return information about a commit, including commit message and committer information, with this API; does not control Git log actions | Read | repository* | | |
| GetCommitHistory [permission only] | Grants permission to get information about the history of commits in a repository | Read | repository* | | |
| GetCommitsFromMergeBase [permission only] | Grants permission to get information about the difference between commits in the context of a potential merge | Read | repository* | | |
| GetDifferences | Grants permission to view information about the differences between valid commit specifiers such as a branch, tag, HEAD, commit ID, or other fully qualified reference | Read | repository* | | |
| GetFile | Grants permission to return the base-64 encoded contents of a specified file and its metadata | Read | repository* | | |
| GetFolder | Grants permission to return the contents of a specified folder in a repository | Read | repository* | | |
| GetMergeCommit | Grants permission to get information about a merge commit created by one of the merge options for pull requests that creates merge commits. Not all merge options create merge commits. This permission does not control Git merge actions | Read | repository* | codecommit:References | |
| GetMergeConflicts | Grants permission to get information about merge conflicts between the before and after commit IDs for a pull request in a repository | Read | repository* | | |
| GetMergeOptions | Grants permission to get information about merge options for pull requests that can be used to merge two commits; does not control Git merge actions | Read | repository* | | |
| GetObjectIdentifier [permission only] | Grants permission to resolve blobs, trees, and commits to their identifier | Read | repository* | | |
| GetPullRequest | Grants permission to get information about a pull request in a specified repository | Read | repository* | | |
| GetReferences [permission only] | Grants permission to get details about references in an AWS CodeCommit repository; does not control Git reference actions | Read | repository* | | |
| GetRepository | Grants permission to get information about an AWS CodeCommit repository | Read | repository* | | |
| GetRepositoryTriggers | Grants permission to get information about triggers configured for a repository | Read | repository* | | |
| GetTree [permission only] | Grants permission to view the contents of a specified tree in an AWS CodeCommit repository from the AWS CodeCommit console | Read | repository* | | |
| GetUploadArchiveStatus [permission only] | Grants permission to get status information about an archive upload to a pipeline in AWS CodePipeline | Read | repository* | | |
| GitPull [permission only] | Grants permission to pull information from an AWS CodeCommit repository to a local repo | Read | repository* | | |
| GitPush [permission only] | Grants permission to push information from a local repo to an AWS CodeCommit repository | Write | repository* | codecommit:References | |
| ListBranches | Grants permission to list branches for an AWS CodeCommit repository with this API; does not control Git branch actions | List | repository* | | |
| ListPullRequests | Grants permission to list pull requests for a specified repository | List | repository* | | |
| ListRepositories | Grants permission to list information about AWS CodeCommit repositories in the current Region for your AWS account | List | | | |
| ListTagsForResource | Grants permission to list the resource attached to a CodeCommit resource ARN | List | repository | | |
| MergeBranchesByFastForward | Grants permission to merge two commits into the specified destination branch using the fast-forward merge option | Write | repository* | codecommit:References | |
| MergeBranchesBySquash | Grants permission to merge two commits into the specified destination branch using the squash merge option | Write | repository* | codecommit:References | |
| MergeBranchesByThreeWay | Grants permission to merge two commits into the specified destination branch using the three-way merge option | Write | repository* | codecommit:References | |
| MergePullRequestByFastForward | Grants permission to close a pull request and attempt to merge it into the specified destination branch for that pull request at the specified commit using the fast-forward merge option | Write | repository* | codecommit:References | |
| MergePullRequestBySquash | Grants permission to close a pull request and attempt to merge it into the specified destination branch for that pull request at the specified commit using the squash merge option | Write | repository* | codecommit:References | |
| MergePullRequestByThreeWay | Grants permission to close a pull request and attempt to merge it into the specified destination branch for that pull request at the specified commit using the three-way merge option | Write | repository* | codecommit:References | |
| PostCommentForComparedCommit | Grants permission to post a comment on the comparison between two commits | Write | repository* | | |
| PostCommentForPullRequest | Grants permission to post a comment on a pull request | Write | repository* | | |
| PostCommentReply | Grants permission to post a comment in reply to a comment on a comparison between commits or a pull request | Write | repository* | | |
| PutFile | Grants permission to add or update a file in a branch in an AWS CodeCommit repository, and generate a commit for the addition in the specified branch | Write | repository* | codecommit:References | |
| PutRepositoryTriggers | Grants permission to create, update, or delete triggers for a repository | Write | repository* | | |
| TagResource | Grants permission to attach resource tags to a CodeCommit resource ARN | Write | repository | aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys | |
| TestRepositoryTriggers | Grants permission to test the functionality of repository triggers by sending information to the trigger target | Write | repository* | | |
| UntagResource | Grants permission to disassociate resource tags from a CodeCommit resource ARN | Write | repository | aws:TagKeys | |
| UpdateComment | Grants permission to update the contents of a comment if the identity matches the identity used to create the comment | Write | repository* | | |
| UpdateDefaultBranch | Grants permission to change the default branch in an AWS CodeCommit repository | Write | repository* | | |
| UpdatePullRequestDescription | Grants permission to update the description of a pull request | Write | repository* | | |
| UpdatePullRequestStatus | Grants permission to update the status of a pull request | Write | repository* | | |
| UpdatePullRequestTitle | Grants permission to update the title of a pull request | Write | repository* | | |
| UpdateRepositoryDescription | Grants permission to change the description of an AWS CodeCommit repository | Write | repository* | | |
| UpdateRepositoryName | Grants permission to change the name of an AWS CodeCommit repository | Write | repository* | | |
| UploadArchive [permission only] | Grants permission to the service role for AWS CodePipeline to upload repository changes into a pipeline | Write | repository* | | |

Resources Defined by AWS CodeCommit

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource Types | ARN | Condition Keys |
| --- | --- | --- |
| repository | arn:${Partition}:codecommit:${Region}:${Account}:${RepositoryName} | aws:ResourceTag/${TagKey} |

Condition Keys for AWS CodeCommit

AWS CodeCommit defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

| Condition Keys | Description | Type |
| --- | --- | --- |
| aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters actions based on the presence of tag keys in the request | String |
| codecommit:References | Filters access by Git reference to specified AWS CodeCommit actions | String |
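
The following Python check is an added example, not part of the AWS guide. It lints a policy for a codecommit:References condition attached to an action whose Condition Keys column in the Actions table does not list that key, in which case the condition cannot scope that action to a branch. The policy, the repository name ExampleRepo, the placeholder account ID, the Region and the helper names are all constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Actions whose Condition Keys column on this page lists codecommit:References.
REF_ACTIONS = {
    "CreateBranch", "CreateCommit", "CreateUnreferencedMergeCommit",
    "DeleteBranch", "DeleteFile", "GetMergeCommit", "GitPush",
    "MergeBranchesByFastForward", "MergeBranchesBySquash",
    "MergeBranchesByThreeWay", "MergePullRequestByFastForward",
    "MergePullRequestBySquash", "MergePullRequestByThreeWay", "PutFile",
}

# Constructed policy: deny changes to refs/heads/main in a placeholder repository.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ProtectMain",
    "Effect": "Deny",
    "Action": ["codecommit:GitPush", "codecommit:PutFile",
               "codecommit:MergePullRequestBy*",
               "codecommit:UpdateDefaultBranch"],
    "Resource": "arn:aws:codecommit:us-east-1:111122223333:ExampleRepo",
    "Condition": {
      "StringEqualsIfExists": {"codecommit:References": ["refs/heads/main"]},
      "Null": {"codecommit:References": "false"}
    }
  }]
}
""")

def as_list(value):
    """IAM accepts a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]

def lint_references(policy):
    """Return (Sid, action) pairs where codecommit:References is applied to an
    action (or wildcard) matching no action that lists the key in the table."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if "codecommit:references" not in keys:
            continue
        for action in as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            if service.lower() != "codecommit":
                continue
            # Action names are case-insensitive; wildcards are matched as globs.
            if not any(fnmatchcase(a.lower(), name.lower()) for a in REF_ACTIONS):
                findings.append((stmt.get("Sid", ""), action))
    return findings
```

Here the only finding is codecommit:UpdateDefaultBranch: the table lists no codecommit:References key for it, so this statement does not protect the default branch setting and that action needs its own statement. A wildcard is accepted as soon as it matches one supporting action, so broad patterns such as codecommit:* still need manual review.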