Using tags to control access to CodeArtifact resources
Conditions in IAM user policy statements are part of the syntax that you use to specify permissions to resources required by CodeArtifact actions. Using tags in conditions is one way to control access to resources and requests. For information about tagging CodeArtifact resources, see Tagging resources. This topic discusses tag-based access control.
When you design IAM policies, you might be setting granular permissions by granting access to specific resources. As the number of resources that you manage grows, this task becomes more difficult. Tagging resources and using tags in policy statement conditions can make this task easier. You grant access in bulk to any resource with a certain tag. Then you repeatedly apply this tag to relevant resources, during creation or later.
Tags can be attached to the resource or passed in the request to services that support tagging. In CodeArtifact, resources can have tags, and some actions can include tags. When you create an IAM policy, you can use tag condition keys to control:
-
Which users can perform actions on a domain or repository resource, based on tags that it already has.
-
Which tags can be passed in an action's request.
-
Whether specific tag keys can be used in a request.
For the complete syntax and semantics of tag condition keys, see Controlling Access Using Tags in the IAM User Guide.
Important
When using tags on resources to limit actions, the tags must be on the resource in which the action operates on. For example,
to deny DescribeRepository permissions with tags, the tags must be on each repository and not the domain. See
AWS CodeArtifact permissions
reference for a list of
actions in CodeArtifact and which resources they operate on.
Tag-based access control examples
The following examples demonstrate how to specify tag conditions in policies for CodeArtifact users.
Example 1: Limit actions based on tags in the request
The AWSCodeArtifactAdminAccess managed user policy gives users
unlimited permission to perform any CodeArtifact action on any resource.
The following policy limits this power and denies unauthorized users
permission to create repositories unless the request contains certain tags. To do that, it denies the
CreateRepository action if the request does not specify a tag named
costcenter with one of the values 1 or
2. A customer's administrator must attach this IAM
policy to unauthorized IAM users, in addition to the managed user policy.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "codeartifact:CreateRepository", "Resource": "*", "Condition": { "Null": { "aws:RequestTag/costcenter": "true" } } }, { "Effect": "Deny", "Action": "codeartifact:CreateRepository", "Resource": "*", "Condition": { "ForAnyValue:StringNotEquals": { "aws:RequestTag/costcenter": [ "1", "2" ] } } } ] }
Example 2: Limit actions based on resource tags
The AWSCodeArtifactAdminAccess managed user policy gives users
unlimited permission to perform any CodeArtifact action on any resource.
The following policy limits this power and denies unauthorized users
permission to perform actions on repositories in specified domains. To do that, it
denies some actions if the resource has a tag named Key1 with
one of the values Value1 or Value2. (The
aws:ResourceTag condition key is used to control access to the
resources based on the tags on those resources.) A customer's administrator must
attach this IAM policy to unauthorized IAM users, in addition to the managed
user policy.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "codeartifact:TagResource", "codeartifact:UntagResource", "codeartifact:DescribeDomain", "codeartifact:DescribeRepository", "codeartifact:PutDomainPermissionsPolicy", "codeartifact:PutRepositoryPermissionsPolicy", "codeartifact:ListRepositoriesInDomain", "codeartifact:UpdateRepository", "codeartifact:ReadFromRepository", "codeartifact:ListPackages", "codeartifact:ListTagsForResource" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/Key1": ["Value1", "Value2"] } } } ] }
Example 3: Allow actions based on resource tags
The following policy grants users permission to perform actions on, and get information about, repositories and packages in CodeArtifact.
To do that, it allows specific actions if the repository has a tag named
Key1 with the value Value1. (The
aws:RequestTag condition key is used to control which tags can
be passed in an IAM request.) The aws:TagKeys condition ensures tag
key case sensitivity. This policy is useful for IAM users who don't have the
AWSCodeArtifactAdminAccess managed user policy attached. The
managed policy gives users unlimited permission to perform any CodeArtifact action on
any resource.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "codeartifact:UpdateRepository", "codeartifact:DeleteRepository", "codeartifact:ListPackages" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/Key1": "Value1" } } } ] }
Example 4: Allow actions based on tags in the request
The following policy grants users permission to create repositories in specified domains in CodeArtifact.
To do that, it allows the CreateRepository and
TagResource actions if the create resource API in the request specifies a tag named
Key1 with the value Value1. (The
aws:RequestTag condition key is used to control which tags can
be passed in an IAM request.) The aws:TagKeys condition ensures tag
key case sensitivity. This policy is useful for IAM users who don't have the
AWSCodeArtifactAdminAccess managed user policy attached. The
managed policy gives users unlimited permission to perform any CodeArtifact action on
any resource.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "codeartifact:CreateRepository", "codeartifact:TagResource" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/Key1": "Value1" } } } ] }
