AWS CodeArtifact permissions reference - CodeArtifact

AWS CodeArtifact permissions reference

You can use the following table as a reference when you are setting up Access control and writing permissions policies that you can attach to an IAM identity (identity-based policies).

You can use AWS-wide condition keys in your AWS CodeArtifact policies to express conditions. For a list, see IAM JSON Policy Elements Reference in the IAM User Guide.

You specify the actions in the policy's Action field. To specify an action, use the codeartifact: prefix followed by the API operation name (for example, codeartifact:CreateDomain and codeartifact:AssociateExternalConnection). To specify multiple actions in a single statement, separate them with commas (for example, "Action": [ "codeartifact:CreateDomain", "codeartifact:AssociateExternalConnection" ]).

Using wildcard characters

You specify an ARN, with or without a wildcard character (*), as the resource value in the policy's Resource field. You can use a wildcard to specify multiple actions or resources. For example, codeartifact:* specifies all CodeArtifact actions and codeartifact:Describe* specifies all CodeArtifact actions that begin with the word Describe.

CodeArtifact API operations and required permissions for actions
AWS CodeArtifact API operations Required permissions (API actions) Resources
AssociateExternalConnection

codeartifact:AssociateExternalConnection

Required to add an external connection to a repository.

arn:aws:codeartifact:region-ID:account-ID:repository/my_domain/my_repo

AssociateWithDownstreamRepository

codeartifact:AssociateWithDownstreamRepository

Required on a repository so it can be added as an upstream repository to downstream repositories.

arn:aws:codeartifact:region-ID:account-ID:repository/my_domain/my_repo

CopyPackageVersions

To copy package versions from a source repository to a destination repository:

codeartifact:CopyPackageVersions

Required on the destination repository

codeartifact:ReadFromRepository

Required on the source repository

arn:aws:codeartifact:region-ID:account-ID:repository/my_domain/my_repo

CreateDomain

codeartifact:CreateDomain

Required to create domains.

arn:aws:codeartifact:region-ID:account-ID:domain/my_domain

CreateRepository

codeartifact:CreateRepository

Required to create repositories.

arn:aws:codeartifact:region-ID:account-ID:domain/my_domain

DeleteDomain

codeartifact:DeleteDomain

Required to delete domains.

arn:aws:codeartifact:region-ID:account-ID:domain/my_domain

DeleteDomainPermissionsPolicy

codeartifact:DeleteDomainPermissionsPolicy

Required to delete a domain's resource policy.

arn:aws:codeartifact:region-ID:account-ID:domain/my_domain

DeletePackageVersions

codeartifact:DeletePackageVersions

Required to delete versions of a package.

arn:aws:codeartifact:region-ID:account-ID:package/my_domain/my_repo/package-format/namespace/package-name

DeleteRepository

codeartifact:DeleteRepository

Required to delete a repository.

arn:aws:codeartifact:region-ID:account-ID:repository/my_domain/my_repo

DeleteRepositoryPermissionsPolicy

codeartifact:DeleteRepositoryPermissionsPolicy

Required to delete a repository's resource policy.

arn:aws:codeartifact:region-ID:account-ID:repository/my_domain/my_repo

DescribeDomain

codeartifact:DescribeDomain

Required to get information about a domain.

arn:aws:codeartifact:region-ID:account-ID:domain/my_domain

DescribePackageVersion

codeartifact:DescribePackageVersion

Required to get information about a package version.

arn:aws:codeartifact:region-ID:account-ID:package/my_domain/my_repo/package-format/namespace/package-name

DescribeRepository

codeartifact:DescribeRepository

Required to get information about a repository.

arn:aws:codeartifact:region-ID:account-ID:repository/my_domain/my_repo

DisassociateExternalConnection

codeartifact:DisassociateExternalConnection

Required to remove an external connection from a repository.

arn:aws:codeartifact:region-ID:account-ID:repository/my_domain/my_repo

DisposePackageVersions

codeartifact:DisposePackageVersions

Required to dispose versions of a package.

arn:aws:codeartifact:region-ID:account-ID:package/my_domain/my_repo/package-format/namespace/package-name

GetAuthorizationToken

codeartifact:GetAuthorizationToken

sts:GetServiceBearerToken

Required to get a temporary authorization token for accessing repositories.

arn:aws:codeartifact:region-ID:account-ID:domain/my_domain

GetDomainPermissionsPolicy

codeartifact:GetDomainPermissionsPolicy

Required to get a domain resource policy.

arn:aws:codeartifact:region-ID:account-ID:domain/my_domain

GetPackageVersionAsset

codeartifact:GetPackageVersionAsset

Required to get assets in a package version.

arn:aws:codeartifact:region-ID:account-ID:package/my_domain/my_repo/package-format/namespace/package-name
GetPackageVersionReadme

codeartifact:GetPackageVersionReadme

Required to get the readme of a package version.

arn:aws:codeartifact:region-ID:account-ID:package/my_domain/my_repo/package-format/namespace/package-name

GetRepositoryEndpoint

codeartifact:GetRepositoryEndpoint

Required to get a repository endpoint.

arn:aws:codeartifact:region-ID:account-ID:repository/my_domain/my_repo

GetRepositoryPermissionsPolicy

codeartifact:GetRepositoryPermissionsPolicy

Required to get a repository resource policy.

arn:aws:codeartifact:region-ID:account-ID:repository/my_domain/my_repo

ListDomains

codeartifact:ListDomains

Required to return a paginated list of domains in an AWS account.

*

ListPackages

codeartifact:ListPackages

Required to return a paginated list of packages in a repository.

arn:aws:codeartifact:region-ID:account-ID:repository/my_domain/my_repo

ListPackageVersionAssets

codeartifact:ListPackageVersionAssets

Required to return a paginated list of assets in a package version.

arn:aws:codeartifact:region-ID:account-ID:package/my_domain/my_repo/package-format/namespace/package-name

ListPackageVersionDependencies

codeartifact:ListPackageVersionDependencies

Required to return a paginated list of a package version's dependencies.

arn:aws:codeartifact:region-ID:account-ID:package/my_domain/my_repo/package-format/namespace/package-name

ListPackageVersions

codeartifact:ListPackageVersions

Required to return a paginated list of package versions in a repository.

arn:aws:codeartifact:region-ID:account-ID:package/my_domain/my_repo/package-format/namespace/package-name

ListRepositories

codeartifact:ListRepositories

Required to return a paginated list of repositories in an AWS account.

*

ListRepositoriesInDomain

codeartifact:ListRepositoriesInDomain

Required to return a paginated list of repositories in a domain.

arn:aws:codeartifact:region-ID:account-ID:domain/my_domain

ListTagsForResource

codeartifact:ListTagsForResource

Required to list tags for a specified resource.

Resources are optional.

arn:aws:codeartifact:region-ID:account-ID:domain/my_domain

arn:aws:codeartifact:region-ID:account-ID:repository/my_domain/my_repo

PublishPackageVersion

codeartifact:PublishPackageVersion

Required to publish a package version to a repository.

arn:aws:codeartifact:region-ID:account-ID:package/my_domain/my_repo/package-format/namespace/package-name

PutDomainPermissionsPolicy

codeartifact:PutDomainPermissionsPolicy

Required to add a resource policy to a domain.

arn:aws:codeartifact:region-ID:account-ID:domain/my_domain

PutPackageMetadata

codeartifact:PutPackageMetadata

Required to publish Maven package versions to a repository, or to add or remove npm tags from npm package versions.

arn:aws:codeartifact:region-ID:account-ID:package/my_domain/my_repo/package-format/namespace/package-name

PutRepositoryPermissionsPolicy

codeartifact:PutRepositoryPermissionsPolicy

Required to add a resource policy to a repository.

arn:aws:codeartifact:region-ID:account-ID:repository/my_domain/my_repo

ReadFromRepository

codeartifact:ReadFromRepository

Required to read from a repository using a package manager client.

arn:aws:codeartifact:region-ID:account-ID:repository/my_domain/my_repo

TagResource

codeartifact:TagResource

Required to tag a resource.

arn:aws:codeartifact:region-ID:account-ID:domain/my_domain

arn:aws:codeartifact:region-ID:account-ID:repository/my_domain/my_repo

UntagResource

codeartifact:UntagResource

Required to remove a tag from a resource.

arn:aws:codeartifact:region-ID:account-ID:domain/my_domain

arn:aws:codeartifact:region-ID:account-ID:repository/my_domain/my_repo

UpdatePackageVersionsStatus

codeartifact:UpdatePackageVersionsStatus

Required to change the status of a package version.

arn:aws:codeartifact:region-ID:account-ID:package/my_domain/my_repo/package-format/namespace/package-name

UpdateRepository

codeartifact:UpdateRepository

Required to update a repository's description or upstream connections. See Modify a repository upstream configuration or UpdateRepository in the CodeArtifact API Guide for more information.

arn:aws:codeartifact:region-ID:account-ID:repository/my_domain/my_repo