Domain policies - CodeArtifact

Domain policies

CodeArtifact supports using resource-based permissions to control access. Resource-based permissions let you specify who has access to a resource and which actions they can perform on it. By default, only the AWS account that owns the domain can create and access repositories in the domain. You can apply a policy document to a domain to allow other IAM principals to access it.

For more information, see Policies and Permissions and Identity-Based Policies and Resource-Based Policies.

Enable cross-account access to a domain

A resource policy is a text file in JSON format. The file must specify a principal (actor), one or more actions, and an effect (Allow or Deny). To create a repository in a domain owned by another account, the principal must be granted the CreateRepository permission on the domain resource.

For example, the following resource policy grants the account 123456789012 permission to create a repository in the domain.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "codeartifact:CreateRepository" ], "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:root" }, "Resource": "*" } ] }

To allow creating repositories with tags, you must include the codeartifact:TagResource permission. This will also give the account access to add tags to the domain and all repositories in it.

Because the policy is evaluated only for operations against the domain it's attached to, you do not need to specify a resource. Because the resource is implied, the Resource can be set to *.

To access packages in a domain owned by another account, a principal must be granted the GetAuthorizationToken permission on the domain resource. This allows the domain owner to exercise control over which accounts can read the contents of repositories in the domain.

For example, the following resource policy grants the account 123456789012 permission to retrieve an auth token for any repository in the domain.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "codeartifact:GetAuthorizationToken" ], "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:root" }, "Resource": "*" } ] }

A principal who wants to fetch packages from a repository endpoint must be granted the ReadFromRepository permission on the repository resource in addition to the GetAuthorizationToken permission on the domain. Similarly, a principal who wants to publish packages to a repository endpoint must be granted the PublishPackageVersion permission in addition to GetAuthorizationToken.

For more information about the ReadFromRepository and PublishPackageVersion permissions, see Repository Policies.

Domain policy example

When multiple accounts are using a domain, the accounts should be granted a basic set of permissions to allow full use of the domain. The following resource policy lists a set of permissions that allow full use of the domain.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "BasicDomainPolicy", "Action": [ "codeartifact:GetDomainPermissionsPolicy", "codeartifact:ListRepositoriesInDomain", "codeartifact:GetAuthorizationToken", "codeartifact:DescribeDomain", "codeartifact:CreateRepository" ], "Effect": "Allow", "Resource": "*", "Principal": { "AWS": "arn:aws:iam::123456789012:root" } } ] }

You don't need to create a domain policy if a domain and all its repositories are owned by a single account and only need to be used from that account.

Domain policy example with AWS Organizations

You can use the aws:PrincipalOrgID condition key to grant access to an CodeArtifact domain from all accounts in your organization, as follows.

{ "Version": "2012-10-17", "Statement": { "Sid": "DomainPolicyForOrganization", "Effect": "Allow", "Principal": "*", "Action": [ "codeartifact:GetDomainPermissionsPolicy", "codeartifact:ListRepositoriesInDomain", "codeartifact:GetAuthorizationToken", "codeartifact:DescribeDomain", "codeartifact:CreateRepository" ], "Resource": "*", "Condition": { "StringEquals": { "aws:PrincipalOrgID":["o-xxxxxxxxxxx"]} } } }

For more information about using the aws:PrincipalOrgID condition key, see AWS Global Condition Context Keys in the IAM User Guide.

Set a domain policy

You can use the put-domain-permissions-policy command to attach a policy to a domain.

aws codeartifact put-domain-permissions-policy --domain my_domain --domain-owner 111122223333 \ --policy-document file://</PATH/TO/policy.json>

When you call put-domains-permissions-policy, the resource policy on the domain is ignored when evaluting permissions. This ensures that the owner of a domain cannot lock themselves out of the domain, which would prevent them from being able to update the resource policy.


You cannot grant permissions to another AWS account to update the resource policy on a domain using a resource policy, since the resource policy is ignored when calling put-domain-permissions-policy.

Sample output:

{ "policy": { "resourceArn": "arn:aws:codeartifact:region-id:111122223333:domain/my_domain", "document": "{ ...policy document content...}", "revision": "MQlyyTQRASRU3HB58gBtSDHXG7Q3hvxxxxxxx=" } }

The output of the command contains the Amazon Resource Name (ARN) of the domain resource, the full contents of the policy document, and a revision identifier. The revision identifier can be passed to put-domain-permissions-policy using the --policy-revision option. This ensures that a known revision of the document is being overwritten, and not a newer version set by another writer.

Read a domain policy

To read an existing version of a policy document, use the get-domain-permissions-policy command. To format the output for readability, use the --output and --query policy.document together with the Python json.tool module, as follows.

aws codeartifact get-domain-permissions-policy --domain my_domain --domain-owner 111122223333 \ --output text --query policy.document | python -m json.tool

Sample output:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "BasicDomainPolicy", "Action": [ "codeartifact:GetDomainPermissionsPolicy", "codeartifact:ListRepositoriesInDomain", "codeartifact:GetAuthorizationToken", "codeartifact:CreateRepository" ], "Effect": "Allow", "Resource": "*", "Principal": { "AWS": "arn:aws:iam::111122223333:root" } } ] }

Delete a domain policy

Use the delete-domain-permissions-policy command to delete a policy from a domain.

aws codeartifact delete-domain-permissions-policy --domain my_domain --domain-owner 111122223333

The format of the output is the same as that of the get-domain-permissions-policy and delete-domain-permissions-policy commands.