Domain policies
CodeArtifact supports using resource-based permissions to control access. Resource-based permissions let you specify who has access to a resource and which actions they can perform on it. By default, only the AWS account that owns the domain can create and access repositories in the domain. You can apply a policy document to a domain to allow other IAM principals to access it.
For more information, see Policies and Permissions and Identity-Based Policies and Resource-Based Policies.
Topics
Enable cross-account access to a domain
A resource policy is a text file in JSON format. The file must specify a principal
(actor), one or more actions, and an effect (Allow
or Deny
).
To create a repository in a domain owned by another account, the principal must be
granted the CreateRepository
permission on the domain
resource.
For example, the following resource policy grants the account 123456789012
permission to create a repository in the domain.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "codeartifact:CreateRepository" ], "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::
123456789012
:root" }, "Resource": "*" } ] }
To allow creating repositories with tags, you must include the codeartifact:TagResource
permission.
This will also give the account access to add tags to the domain and all repositories in it.
The domain policy is evaluated for all operations against the domain and all resources within the domain.
This means the domain policy may be used to apply permissions to repositories and packages in the domain. When the
Resource
element is set to *
, then the statement applies to all resources in the domain. For example, if the policy above
also included codeartifact:DescribeRepository
in the list of allowed IAM actions, then the policy would allow calling
DescribeRepository
on every repository in the domain. A domain policy may be used to apply permissions to specific resources
in the domain by using specific resource ARNs in the Resource
element.
Note
Both domain and repository policies may be used to configure permissions. When both policies are present, then both policies will be evaluated and an action is allowed if allowed by either policy. For more information, see Interaction between repository and domain policies.
To access packages in a domain owned by another account, a principal must be granted
the GetAuthorizationToken
permission on the domain
resource. This allows the domain owner to exercise control over which
accounts can read the contents of repositories in the domain.
For example, the following resource policy grants the account 123456789012
permission to retrieve an auth token for any repository in the domain.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "codeartifact:GetAuthorizationToken" ], "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::
123456789012
:root" }, "Resource": "*" } ] }
Note
A principal who wants to fetch packages from a repository endpoint must be granted
the ReadFromRepository
permission on the repository resource in
addition to the GetAuthorizationToken
permission on the domain.
Similarly, a principal who wants to publish packages to a repository endpoint must
be granted the PublishPackageVersion
permission in addition to
GetAuthorizationToken
.
For more information about the ReadFromRepository
and
PublishPackageVersion
permissions, see Repository Policies.
Domain policy example
When multiple accounts are using a domain, the accounts should be granted a basic set of permissions to allow full use of the domain. The following resource policy lists a set of permissions that allow full use of the domain.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "BasicDomainPolicy", "Action": [ "codeartifact:GetDomainPermissionsPolicy", "codeartifact:ListRepositoriesInDomain", "codeartifact:GetAuthorizationToken", "codeartifact:DescribeDomain", "codeartifact:CreateRepository" ], "Effect": "Allow", "Resource": "*", "Principal": { "AWS": "arn:aws:iam::
123456789012
:root" } } ] }
Note
You don't need to create a domain policy if a domain and all its repositories are owned by a single account and only need to be used from that account.
Domain policy example with AWS Organizations
You can use the aws:PrincipalOrgID
condition key to grant access to an
CodeArtifact domain from all accounts in your organization, as follows.
{ "Version": "2012-10-17", "Statement": { "Sid": "DomainPolicyForOrganization", "Effect": "Allow", "Principal": "*", "Action": [ "codeartifact:GetDomainPermissionsPolicy", "codeartifact:ListRepositoriesInDomain", "codeartifact:GetAuthorizationToken", "codeartifact:DescribeDomain", "codeartifact:CreateRepository" ], "Resource": "*", "Condition": { "StringEquals": { "aws:PrincipalOrgID":["o-xxxxxxxxxxx"]} } } }
For more information about using the aws:PrincipalOrgID
condition key,
see AWS Global Condition Context Keys in the IAM User
Guide.
Set a domain policy
You can use the put-domain-permissions-policy
command to attach a policy
to a domain.
aws codeartifact put-domain-permissions-policy --domain
my_domain
--domain-owner111122223333
\ --policy-documentfile://</PATH/TO/policy.json>
When you call put-domains-permissions-policy
, the resource policy on the domain is ignored when evaluting permissions. This ensures
that the owner of a domain cannot lock themselves out of the domain, which would prevent them from being able to update the resource policy.
Note
You cannot grant permissions to another AWS account to update the resource policy on a domain using a resource policy, since the resource policy is ignored when calling put-domain-permissions-policy.
Sample output:
{ "policy": { "resourceArn": "arn:aws:codeartifact:
region-id
:111122223333
:domain/my_domain
", "document": "{ ...policy document content...}
", "revision": "MQlyyTQRASRU3HB58gBtSDHXG7Q3hvxxxxxxx=
" } }
The output of the command contains the Amazon Resource Name (ARN) of the domain
resource, the full contents of the policy document, and a revision identifier. The
revision identifier can be passed to put-domain-permissions-policy
using
the --policy-revision
option. This ensures that a known revision of the
document is being overwritten, and not a newer version set by another writer.
Read a domain policy
To read an existing version of a policy document, use the
get-domain-permissions-policy
command. To format the output for
readability, use the --output
and --query policy.document
together with the Python json.tool
module, as follows.
aws codeartifact get-domain-permissions-policy --domain
my_domain
--domain-owner111122223333
\ --output text --query policy.document | python -mjson.tool
Sample output:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "BasicDomainPolicy", "Action": [ "codeartifact:GetDomainPermissionsPolicy", "codeartifact:ListRepositoriesInDomain", "codeartifact:GetAuthorizationToken", "codeartifact:CreateRepository" ], "Effect": "Allow", "Resource": "*", "Principal": { "AWS": "arn:aws:iam::
111122223333
:root" } } ] }
Delete a domain policy
Use the delete-domain-permissions-policy
command to delete a policy from
a domain.
aws codeartifact delete-domain-permissions-policy --domain
my_domain
--domain-owner111122223333
The format of the output is the same as that of the
get-domain-permissions-policy
and
delete-domain-permissions-policy
commands.