Using tags to control access to CodePipeline resources

Conditions in IAM policy statements are part of the syntax that you use to specify permissions to resources required by CodePipeline actions. Using tags in conditions is one way to control access to resources and requests. For information about tagging CodePipeline resources, see Tagging resources. This topic discusses tag-based access control.

When you design IAM policies, you might be setting granular permissions by granting access to specific resources. As the number of resources that you manage grows, this task becomes more difficult. Tagging resources and using tags in policy statement conditions can make this task easier. You grant access in bulk to any resource with a certain tag. Then you repeatedly apply this tag to relevant resources, during creation or later.

Tags can be attached to the resource or passed in the request to services that support tagging. In CodePipeline, resources can have tags, and some actions can include tags. When you create an IAM policy, you can use tag condition keys to control:

Which users can perform actions on a pipeline resource, based on tags that it already has.
Which tags can be passed in an action's request.
Whether specific tag keys can be used in a request.

String condition operators let you construct Condition elements that restrict access based on comparing a key to a string value. You can add IfExists to the end of any condition operator name except the Null condition. You do this to say "If the policy key is present in the context of the request, process the key as specified in the policy. If the key is not present, evaluate the condition element as true." For example, you can use StringEqualsIfExists to restrict by condition keys that might not be present on other types of resources.

For the complete syntax and semantics of tag condition keys, see Controlling Access Using Tags. For additional information about condition keys, see the following resources. The CodePipeline policy examples in this section align with the following information about condition keys and expand on it with examples of nuances for CodePipeline such as nesting of resources.

The following examples demonstrate how to specify tag conditions in policies for CodePipeline users.

Example 1: Limit actions based on tags in the request

The AWSCodePipeline_FullAccess managed user policy gives users unlimited permission to perform any CodePipeline action on any resource.

The following policy limits this power and denies unauthorized users permission to create pipelines where specific tags are listed in the request. To do that, it denies the CreatePipeline action if the request specifies a tag named Project with one of the values ProjectA or ProjectB. (The aws:RequestTag condition key is used to control which tags can be passed in an IAM request.)

In the following example, the intent of the policy is to deny unauthorized users permission to create a pipeline with the tag values specified. However, creating a pipeline requires accessing resources in addition to the pipeline itself (for example, pipeline actions and stages). Because the 'Resource' specified in the policy is '*', the policy is evaluated against every resource that has an ARN and is created when the pipeline is being created. These additional resources do not have the tag condition key, so the StringEquals check fails, and the user is not granted the ability to create any pipeline. To address this, use the StringEqualsIfExists condition operator instead. This way, the test only happens if the condition key exists.

You could read the following as: "If the resource being checked has a tag "RequestTag/Project" condition key, then allow the action only if the key value begins with projectA. If the resource being checked does not have that condition key, then don't worry about it."

In addition, the policy prevents these unauthorized users from tampering with the resources by using the aws:TagKeys condition key to not allow tag modification actions to include these same tag values. A customer's administrator must attach this IAM policy to unauthorized administrative users, in addition to the managed user policy.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "codepipeline:CreatePipeline",
        "codepipeline:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEqualsIfExists": {
          "aws:RequestTag/Project": ["ProjectA", "ProjectB"]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "codepipeline:UntagResource"
      ],
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["Project"]
        }
      }
    }
  ]
}

Example 2: Limit tagging actions based on resource tags

The AWSCodePipeline_FullAccess managed user policy gives users unlimited permission to perform any CodePipeline action on any resource.

The following policy limits this power and denies unauthorized users permission to perform actions on specified project pipelines. To do that, it denies some actions if the resource has a tag named Project with one of the values ProjectA or ProjectB. (The aws:ResourceTag condition key is used to control access to the resources based on the tags on those resources.) A customer's administrator must attach this IAM policy to unauthorized IAM users, in addition to the managed user policy.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "codepipeline:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Project": ["ProjectA", "ProjectB"]
        }
      }
    }
  ]
}

Example 3: Allow actions based on tags in the request

The following policy grants users permission to create development pipelines in CodePipeline.

To do that, it allows the CreatePipeline and TagResource actions if the request specifies a tag named Project with the value ProjectA. In other words, the only tag key which can be specified is Project, and its value must be ProjectA.

The aws:RequestTag condition key is used to control which tags can be passed in an IAM request. The aws:TagKeys condition ensures tag key case sensitivity. This policy is useful for users or roles who don't have the AWSCodePipeline_FullAccess managed user policy attached. The managed policy gives users unlimited permission to perform any CodePipeline action on any resource.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codepipeline:CreatePipeline",
        "codepipeline:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Project": "ProjectA"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["Project"]
        }
      }
    }
  ]
}

Example 4: Limit untagging actions based on resource tags

The AWSCodePipeline_FullAccess managed user policy gives users unlimited permission to perform any CodePipeline action on any resource.

Also, the policy prevents these unauthorized users from tampering with the resources by using the aws:TagKeys condition key to not allow tag modification actions to completely remove the Project tag. A customer's administrator must attach this IAM policy to unauthorized users or roles, in addition to the managed user policy.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "codepipeline:UntagResource"
      ],
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["Project"]
        }
      }
    }
  ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Identity-based policies (IAM) examples

Permissions required to use the CodePipeline console