AWS managed policies for AWS CodePipeline
An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.
For more information, see AWS managed policies in the IAM User Guide.
Important
The AWS managed policies AWSCodePipelineFullAccess and AWSCodePipelineReadOnlyAccess have been replaced. Use the AWSCodePipeline_FullAccess and AWSCodePipeline_ReadOnlyAccess policies.
AWS managed policy: AWSCodePipeline_FullAccess
This is a policy that grants full access to CodePipeline. To view the JSON policy document in the IAM console, see AWSCodePipeline_FullAccess.
Permissions details
This policy includes the following permissions.
- codepipeline – Grants permissions to CodePipeline.
- chatbot – Grants permissions to allow principals to manage resources in AWS Chatbot.
- cloudformation – Grants permissions to allow principals to manage resource stacks in AWS CloudFormation.
- cloudtrail – Grants permissions to allow principals to manage logging resources in CloudTrail.
- codebuild – Grants permissions to allow principals to access build resources in CodeBuild.
- codecommit – Grants permissions to allow principals to access source resources in CodeCommit.
- codedeploy – Grants permissions to allow principals to access deployment resources in CodeDeploy.
- codestar-notifications – Grants permissions to allow principals to access resources in AWS CodeStar Notifications.
- ec2 – Grants permissions to allow deployments in CodeCatalyst to manage elastic load balancing in Amazon EC2.
- ecr – Grants permissions to allow access to resources in Amazon ECR.
- elasticbeanstalk – Grants permissions to allow principals to access resources in Elastic Beanstalk.
- iam – Grants permissions to allow principals to manage roles and policies in IAM.
- lambda – Grants permissions to allow principals to manage resources in Lambda.
- events – Grants permissions to allow principals to manage resources in CloudWatch Events.
- opsworks – Grants permissions to allow principals to manage resources in AWS OpsWorks.
- s3 – Grants permissions to allow principals to manage resources in Amazon S3.
- sns – Grants permissions to allow principals to manage notification resources in Amazon SNS.
- states – Grants permissions to allow principals to view state machines in AWS Step Functions. A state machine consists of a collection of states that manage tasks and transition between states.
```json
{
  "Statement": [
    {
      "Action": [
        "codepipeline:*",
        "cloudformation:DescribeStacks",
        "cloudformation:ListStacks",
        "cloudformation:ListChangeSets",
        "cloudtrail:DescribeTrails",
        "codebuild:BatchGetProjects",
        "codebuild:CreateProject",
        "codebuild:ListCuratedEnvironmentImages",
        "codebuild:ListProjects",
        "codecommit:ListBranches",
        "codecommit:GetReferences",
        "codecommit:ListRepositories",
        "codedeploy:BatchGetDeploymentGroups",
        "codedeploy:ListApplications",
        "codedeploy:ListDeploymentGroups",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecs:ListClusters",
        "ecs:ListServices",
        "elasticbeanstalk:DescribeApplications",
        "elasticbeanstalk:DescribeEnvironments",
        "iam:ListRoles",
        "iam:GetRole",
        "lambda:ListFunctions",
        "events:ListRules",
        "events:ListTargetsByRule",
        "events:DescribeRule",
        "opsworks:DescribeApps",
        "opsworks:DescribeLayers",
        "opsworks:DescribeStacks",
        "s3:ListAllMyBuckets",
        "sns:ListTopics",
        "codestar-notifications:ListNotificationRules",
        "codestar-notifications:ListTargets",
        "codestar-notifications:ListTagsforResource",
        "codestar-notifications:ListEventTypes",
        "states:ListStateMachines"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "CodePipelineAuthoringAccess"
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketPolicy",
        "s3:GetBucketVersioning",
        "s3:GetObjectVersion",
        "s3:CreateBucket",
        "s3:PutBucketPolicy"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3::*:codepipeline-*",
      "Sid": "CodePipelineArtifactsReadWriteAccess"
    },
    {
      "Action": [
        "cloudtrail:PutEventSelectors",
        "cloudtrail:CreateTrail",
        "cloudtrail:GetEventSelectors",
        "cloudtrail:StartLogging"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:cloudtrail:*:*:trail/codepipeline-source-trail",
      "Sid": "CodePipelineSourceTrailReadWriteAccess"
    },
    {
      "Action": ["iam:PassRole"],
      "Effect": "Allow",
      "Resource": ["arn:aws:iam::*:role/service-role/cwe-role-*"],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": ["events.amazonaws.com"]
        }
      },
      "Sid": "EventsIAMPassRole"
    },
    {
      "Action": ["iam:PassRole"],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": ["codepipeline.amazonaws.com"]
        }
      },
      "Sid": "CodePipelineIAMPassRole"
    },
    {
      "Action": [
        "events:PutRule",
        "events:PutTargets",
        "events:DeleteRule",
        "events:DisableRule",
        "events:RemoveTargets"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:events:*:*:rule/codepipeline-*"],
      "Sid": "CodePipelineEventsReadWriteAccess"
    },
    {
      "Sid": "CodeStarNotificationsReadWriteAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-notifications:CreateNotificationRule",
        "codestar-notifications:DescribeNotificationRule",
        "codestar-notifications:UpdateNotificationRule",
        "codestar-notifications:DeleteNotificationRule",
        "codestar-notifications:Subscribe",
        "codestar-notifications:Unsubscribe"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "codestar-notifications:NotificationsForResource": "arn:aws:codepipeline:*"
        }
      }
    },
    {
      "Sid": "CodeStarNotificationsSNSTopicCreateAccess",
      "Effect": "Allow",
      "Action": [
        "sns:CreateTopic",
        "sns:SetTopicAttributes"
      ],
      "Resource": "arn:aws:sns:*:*:codestar-notifications*"
    },
    {
      "Sid": "CodeStarNotificationsChatbotAccess",
      "Effect": "Allow",
      "Action": [
        "chatbot:DescribeSlackChannelConfigurations",
        "chatbot:ListMicrosoftTeamsChannelConfigurations"
      ],
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}
```
AWS managed policy: AWSCodePipeline_ReadOnlyAccess
This is a policy that grants read-only access to CodePipeline. To view the JSON policy document in the IAM console, see AWSCodePipeline_ReadOnlyAccess.
Permissions details
This policy includes the following permissions.
- codepipeline – Grants permissions to actions in CodePipeline.
- codestar-notifications – Grants permissions to allow principals to access resources in AWS CodeStar Notifications.
- s3 – Grants permissions to allow principals to manage resources in Amazon S3.
- sns – Grants permissions to allow principals to manage notification resources in Amazon SNS.
```json
{
  "Statement": [
    {
      "Action": [
        "codepipeline:GetPipeline",
        "codepipeline:GetPipelineState",
        "codepipeline:GetPipelineExecution",
        "codepipeline:ListPipelineExecutions",
        "codepipeline:ListActionExecutions",
        "codepipeline:ListActionTypes",
        "codepipeline:ListPipelines",
        "codepipeline:ListTagsForResource",
        "s3:ListAllMyBuckets",
        "codestar-notifications:ListNotificationRules",
        "codestar-notifications:ListEventTypes",
        "codestar-notifications:ListTargets"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketPolicy"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3::*:codepipeline-*"
    },
    {
      "Sid": "CodeStarNotificationsReadOnlyAccess",
      "Effect": "Allow",
      "Action": ["codestar-notifications:DescribeNotificationRule"],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "codestar-notifications:NotificationsForResource": "arn:aws:codepipeline:*"
        }
      }
    }
  ],
  "Version": "2012-10-17"
}
```
AWS managed policy: AWSCodePipelineApproverAccess
This is a policy that grants permission to approve or reject a manual approval action. To view the JSON policy document in the IAM console, see AWSCodePipelineApproverAccess.
Permissions details
This policy includes the following permissions.
- codepipeline – Grants permissions to actions in CodePipeline.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "codepipeline:GetPipeline",
        "codepipeline:GetPipelineState",
        "codepipeline:GetPipelineExecution",
        "codepipeline:ListPipelineExecutions",
        "codepipeline:ListPipelines",
        "codepipeline:PutApprovalResult"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```
AWS managed policy: AWSCodePipelineCustomActionAccess
This is a policy that grants permission to create custom actions in CodePipeline or integrate Jenkins resources for build or test actions. To view the JSON policy document in the IAM console, see AWSCodePipelineCustomActionAccess.
Permissions details
This policy includes the following permissions.
- codepipeline – Grants permissions to actions in CodePipeline.
```json
{
  "Statement": [
    {
      "Action": [
        "codepipeline:AcknowledgeJob",
        "codepipeline:GetJobDetails",
        "codepipeline:PollForJobs",
        "codepipeline:PutJobFailureResult",
        "codepipeline:PutJobSuccessResult"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}
```
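The introduction recommends narrowing these managed policies with customer managed policies. The Python below is an added example, not AWS tooling or code from this page: it audits a policy document for the patterns in the policies above that are worth tightening (a wildcard action such as codepipeline:*, iam:PassRole on Resource *, and mutating actions on * with no Condition) and derives a copy in which codepipeline-only statements are scoped to one pipeline ARN. The sample policy is constructed in the shape of the FullAccess and ApproverAccess statements, and the read-only prefix list is an assumption made for illustration.

```python
import copy

# Constructed sample in the shape of the AWSCodePipeline_FullAccess and
# AWSCodePipelineApproverAccess statements shown above (not the real documents).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Authoring", "Effect": "Allow", "Resource": "*",
     "Action": ["codepipeline:*", "iam:ListRoles", "s3:ListAllMyBuckets"]},
    {"Sid": "PassRole", "Effect": "Allow", "Resource": "*", "Action": ["iam:PassRole"],
     "Condition": {"StringEquals": {"iam:PassedToService": ["codepipeline.amazonaws.com"]}}},
    {"Sid": "Approver", "Effect": "Allow", "Resource": "*", "Action": [
        "codepipeline:GetPipelineState", "codepipeline:PutApprovalResult", "codepipeline:ListPipelines"]},
]}
READ_PREFIXES = ("Get", "List", "Describe", "BatchGet")  # assumed read-only verbs

def _as_list(value):
    return value if isinstance(value, list) else [value]
def _is_read(action):
    return action.split(":", 1)[1].startswith(READ_PREFIXES)

def find_risky_statements(policy):
    """(Sid, reason) pairs for Allow statements a derived customer managed policy should tighten."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid, actions, resources = st.get("Sid", "<no Sid>"), _as_list(st["Action"]), _as_list(st["Resource"])
        findings += [(sid, f"wildcard action {a}") for a in actions if a.endswith(":*")]
        if "iam:PassRole" in actions and "*" in resources:
            findings.append((sid, "iam:PassRole on any role (Condition only restricts the service)"))
        if "*" in resources and "Condition" not in st and any(not _is_read(a) for a in actions):
            findings.append((sid, "mutating actions on Resource * with no Condition"))
    return findings

def scope_codepipeline_to(policy, pipeline_arn):
    """Copy of policy with codepipeline-only statements on Resource * narrowed to one pipeline ARN.
    List* calls stay on * because CodePipeline evaluates them at account level (the ReadOnly policy above grants ListPipelines on * for that reason)."""
    out = copy.deepcopy(policy)
    rewritten = []
    for st in out["Statement"]:
        actions = _as_list(st["Action"])
        if st.get("Resource") != "*" or not all(a.startswith("codepipeline:") for a in actions):
            rewritten.append(st)  # mixed-service or already scoped statement: left untouched
            continue
        account_level = [a for a in actions if a.split(":", 1)[1].startswith("List")]
        pipeline_level = [a for a in actions if a not in account_level]
        if account_level:
            rewritten.append({**st, "Sid": st.get("Sid", "") + "AccountLevel", "Action": account_level})
        if pipeline_level:
            rewritten.append({**st, "Action": pipeline_level, "Resource": pipeline_arn})
    out["Statement"] = rewritten
    return out
```

Run against the real AWSCodePipeline_FullAccess document, the audit flags CodePipelineAuthoringAccess for codepipeline:* and CodePipelineIAMPassRole for PassRole on any role; those are the two statements a scoped-down copy should rewrite first.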
CodePipeline managed policies and notifications
CodePipeline supports notifications, which can notify users of important changes to pipelines. Managed policies for CodePipeline include policy statements for notification functionality. For more information, see What are notifications?.
Permissions related to notifications in full access managed policies
This managed policy grants permissions for CodePipeline along with the related services CodeCommit, CodeBuild, CodeDeploy, and AWS CodeStar Notifications. The policy also grants permissions that you need for working with other services that integrate with your pipelines, such as Amazon S3, Elastic Beanstalk, CloudTrail, Amazon EC2, and AWS CloudFormation. Users with this managed policy applied can also create and manage Amazon SNS topics for notifications, subscribe and unsubscribe users to topics, list topics to choose as targets for notification rules, and list AWS Chatbot clients configured for Slack.
The AWSCodePipeline_FullAccess managed policy includes the following statements to allow full access to notifications.
```json
{
  "Sid": "CodeStarNotificationsReadWriteAccess",
  "Effect": "Allow",
  "Action": [
    "codestar-notifications:CreateNotificationRule",
    "codestar-notifications:DescribeNotificationRule",
    "codestar-notifications:UpdateNotificationRule",
    "codestar-notifications:DeleteNotificationRule",
    "codestar-notifications:Subscribe",
    "codestar-notifications:Unsubscribe"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "codestar-notifications:NotificationsForResource": "arn:aws:codepipeline:us-west-2:111222333444:MyFirstPipeline"
    }
  }
},
{
  "Sid": "CodeStarNotificationsListAccess",
  "Effect": "Allow",
  "Action": [
    "codestar-notifications:ListNotificationRules",
    "codestar-notifications:ListTargets",
    "codestar-notifications:ListTagsforResource",
    "codestar-notifications:ListEventTypes"
  ],
  "Resource": "*"
},
{
  "Sid": "CodeStarNotificationsSNSTopicCreateAccess",
  "Effect": "Allow",
  "Action": [
    "sns:CreateTopic",
    "sns:SetTopicAttributes"
  ],
  "Resource": "arn:aws:sns:*:*:codestar-notifications*"
},
{
  "Sid": "SNSTopicListAccess",
  "Effect": "Allow",
  "Action": ["sns:ListTopics"],
  "Resource": "*"
},
{
  "Sid": "CodeStarNotificationsChatbotAccess",
  "Effect": "Allow",
  "Action": [
    "chatbot:DescribeSlackChannelConfigurations",
    "chatbot:ListMicrosoftTeamsChannelConfigurations"
  ],
  "Resource": "*"
}
```
Permissions related to notifications in read-only managed policies
The AWSCodePipeline_ReadOnlyAccess managed policy includes the following statements to allow read-only access to notifications. Users with this policy applied can view notifications for resources, but cannot create, manage, or subscribe to them.
```json
{
  "Sid": "CodeStarNotificationsPowerUserAccess",
  "Effect": "Allow",
  "Action": ["codestar-notifications:DescribeNotificationRule"],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "codestar-notifications:NotificationsForResource": "arn:aws:codepipeline:us-west-2:111222333444:MyFirstPipeline"
    }
  }
},
{
  "Sid": "CodeStarNotificationsListAccess",
  "Effect": "Allow",
  "Action": [
    "codestar-notifications:ListNotificationRules",
    "codestar-notifications:ListEventTypes",
    "codestar-notifications:ListTargets"
  ],
  "Resource": "*"
}
```
For more information about IAM and notifications, see Identity and Access Management for AWS CodeStar Notifications.
AWS CodePipeline updates to AWS managed policies
View details about updates to AWS managed policies for CodePipeline since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the CodePipeline Document history page.
Change | Description | Date |
---|---|---|
AWSCodePipeline_FullAccess – Updates to existing policy | CodePipeline added a permission to this policy to support ListStacks in AWS CloudFormation. | March 15, 2024 |
AWSCodePipeline_FullAccess – Updates to existing policy | This policy was updated to add permissions for AWS Chatbot. For more information, see CodePipeline managed policies and notifications. | June 21, 2023 |
AWSCodePipeline_FullAccess and AWSCodePipeline_ReadOnlyAccess managed policies – Updates to existing policy | CodePipeline added a permission to these policies to support an additional notification type using AWS Chatbot. | May 16, 2023 |
AWSCodePipelineFullAccess – Deprecated | This policy has been replaced by AWSCodePipeline_FullAccess. After November 17, 2022, this policy cannot be attached to any new users, groups, or roles. For more information, see AWS managed policies for AWS CodePipeline. | November 17, 2022 |
AWSCodePipelineReadOnlyAccess – Deprecated | This policy has been replaced by AWSCodePipeline_ReadOnlyAccess. After November 17, 2022, this policy cannot be attached to any new users, groups, or roles. For more information, see AWS managed policies for AWS CodePipeline. | November 17, 2022 |
CodePipeline started tracking changes | CodePipeline started tracking changes for its AWS managed policies. | March 12, 2021 |