Step 1: Create a policy for repository access in AccountA Step 2: Create a role for repository access in AccountA

Cross-account repository access: Actions for the administrator in AccountA

To allow users or groups in AccountB to access a repository in AccountA, an AccountA administrator must:

Create a policy in AccountA that grants access to the repository.
Create a role in AccountA that can be assumed by IAM users and groups in AccountB.
Attach the policy to the role.

The following sections provide steps and examples.

Topics

Step 1: Create a policy for repository access in AccountA
Step 2: Create a role for repository access in AccountA

Step 1: Create a policy for repository access in AccountA

You can create a policy in AccountA that grants access to the repository in AccountB. Depending on the level of access you want to allow, do one of the following:

Configure the policy to allow AccountB users access to a specific repository, but do not allow them to view a list of all repositories in AccountA.
Configure additional access to allow AccountB users to choose the repository from a list of all repositories in AccountA.

To create a policy for repository access

Sign in to the AWS Management Console as an IAM user with permissions to create policies in AccountA.
Open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose Policies.
Choose Create policy.

Choose the JSON tab, and paste the following JSON policy document into the JSON text box. Replace us-east-2 with the AWS Region for the repository, 111122223333 with the account ID for AccountA, and MySharedDemoRepo with the name for your CodeCommit repository in AccountA:


{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "codecommit:BatchGet*",
            "codecommit:Create*",
            "codecommit:DeleteBranch",
            "codecommit:Get*",
            "codecommit:List*",
            "codecommit:Describe*",
            "codecommit:Put*",
            "codecommit:Post*",
            "codecommit:Merge*",
            "codecommit:Test*",
            "codecommit:Update*",
            "codecommit:GitPull",
            "codecommit:GitPush"
        ],
        "Resource": [
            "arn:aws:codecommit:us-east-2:111122223333:MySharedDemoRepo"
        ]
    }
]
}

If you want users who assume this role to be able to view a list of repositories on the CodeCommit console home page, add an additional statement to the policy, as follows:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codecommit:BatchGet*",
                "codecommit:Create*",
                "codecommit:DeleteBranch",
                "codecommit:Get*",
                "codecommit:List*",
                "codecommit:Describe*",
                "codecommit:Put*",
                "codecommit:Post*",
                "codecommit:Merge*",
                "codecommit:Test*",
                "codecommit:Update*",
                "codecommit:GitPull",
                "codecommit:GitPush"
            ],
            "Resource": [
                "arn:aws:codecommit:us-east-2:111122223333:MySharedDemoRepo"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "codecommit:ListRepositories",
            "Resource": "*"
        }
    ]
}

This access makes it easier for users who assume this role with this policy to find the repository to which they have access. They can choose the name of the repository from the list and be directed to the home page of the shared repository (Code). Users cannot access any of the other repositories they see in the list, but they can view the repositories in AccountA on the Dashboard page.

If you do not want to allow users who assume the role to be able to view a list of all repositories in AccountA, use the first policy example, but make sure that you send those users a direct link to the home page of the shared repository in the CodeCommit console.

Choose Review policy. The policy validator reports syntax errors (for example, if you forget to replace the example Amazon Web Services account ID and repository name with your Amazon Web Services account ID and repository name).
On the Review policy page, enter a name for the policy (for example, CrossAccountAccessForMySharedDemoRepo). You can also provide an optional description for this policy. Choose Create policy.

Step 2: Create a role for repository access in AccountA

After you have configured a policy, create a role that IAM users and groups in AccountB can assume, and attach the policy to that role.

To create a role for repository access

In the IAM console, choose Roles.
Choose Create role.
Choose Another Amazon Web Services account.
In Account ID, enter the Amazon Web Services account ID for AccountB (for example, 888888888888). Choose Next: Permissions.
In Attach permissions policies, select the policy you created in the previous procedure (CrossAccountAccessForMySharedDemoRepo). Choose Next: Review.
In Role name, enter a name for the role (for example, MyCrossAccountRepositoryContributorRole). You can also enter an optional description to help others understand the purpose of the role.
Choose Create role.
Open the role you just created, and copy the role ARN (for example, arn:aws:iam::111122223333:role/MyCrossAccountRepositoryContributorRole). You need to provide this ARN to the AccountB administrator.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Configure cross-account access to a repository using roles

Cross-account repository access: Actions for the administrator in AccountB