How features in the developer tools console work with IAM - Developer Tools console

How features in the developer tools console work with IAM

Before you use IAM to manage access to features in the Developer Tools console, you should understand which IAM features are available to use with it. To get a high-level view of how notifications and other AWS services work with IAM, see AWS services that work with IAM in the IAM User Guide.

Identity-based policies in the developer tools console

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. AWS CodeStar Notifications and AWS CodeStar Connections support specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see IAM JSON policy elements reference in the IAM User Guide.

Actions

Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.

The Action element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Policy actions usually have the same name as the associated AWS API operation. There are some exceptions, such as permission-only actions that don't have a matching API operation. There are also some operations that require multiple actions in a policy. These additional actions are called dependent actions.

Include actions in a policy to grant permissions to perform the associated operation.

Policy actions for notifications in the Developer Tools console use the following prefixes before the action: codestar-notifications and codestar-connections. For example, to grant someone permission to view all notification rules in their account, you include the codestar-notifications:ListNotificationRules action in their policy. Policy statements must include either an Action or NotAction element. AWS CodeStar Notifications and AWS CodeStar Connections defines its own set of actions that describe tasks that you can perform with this service.

To specify multiple AWS CodeStar Notifications actions in a single statement, separate them with commas as follows.

"Action": [ "codestar-notifications:action1", "codestar-notifications:action2"

To specify multiple AWS CodeStar Connections actions in a single statement, separate them with commas as follows.

"Action": [ "codestar-connections:action1", "codestar-connections:action2"

You can specify multiple actions using wildcards (*). For example, to specify all actions that begin with the word List, include the following action.

"Action": "codestar-notifications:List*"

AWS CodeStar Notifications API actions include:

  • CreateNotificationRule

  • DeleteNotificationRule

  • DeleteTarget

  • DescribeNotificationRule

  • ListEventTypes

  • ListNotificationRules

  • ListTagsForResource

  • ListTargets

  • Subscribe

  • TagResource

  • Unsubscribe

  • UntagResource

  • UpdateNotificationRule

AWS CodeStar Connections API actions include the following:

  • CreateConnection

  • DeleteConnection

  • GetConnection

  • ListConnections

  • ListTagsForResource

  • TagResource

  • UntagResource

The following permissions-only actions are required in AWS CodeStar Connections to complete the auth handshake:

  • GetIndividualAccessToken

  • GetInstallationUrl

  • ListInstallationTargets

  • StartOAuthHandshake

  • UpdateConnectionInstallation

The following permissions-only action is required in AWS CodeStar Connections to use a connection:

  • UseConnection

The following permissions-only action is required in AWS CodeStar Connections to pass a connection to a service:

  • PassConnection

To see a list of AWS CodeStar Notifications and AWS CodeStar Connections actions, see Actions Defined by AWS CodeStar Notifications and Actions Defined by AWS CodeStar Connections in the IAM User Guide.

Resources

AWS CodeStar Notifications and AWS CodeStar Connections do not support specifying resource ARNs in a policy.

Condition keys

AWS CodeStar Notifications and AWS CodeStar Connections define their own sets of condition keys and also support using some global condition keys. To see all AWS global condition keys, see AWS global condition context keys in the IAM User Guide.

All AWS CodeStar Notifications actions support the codestar-notifications:NotificationsForResource condition key. For more information, see Identity-based policy examples.

AWS CodeStar Connections define the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For more information, see AWS CodeStar Connections permissions reference.

Condition keys Description

codestar-connections:BranchName

Filters access by the third-party repository branch name

codestar-connections:FullRepositoryId

Filters access by the repository that is passed in the request. Applies only to UseConnection requests for access to a specific repository
codestar-connections:InstallationId Filters access by the third-party ID (such as the Bitbucket app installation ID) that is used to update a connection. Allows you to restrict which third-party app installations can be used to make a connection
codestar-connections:OwnerId Filters access by the owner or account ID of the third-party provider

codestar-connections:PassedToService

Filters access by the service to which the principal is allowed to pass a connection

codestar-connections:ProviderAction

Filters access by the provider action in a UseConnection request such as ListRepositories.
codestar-connections:ProviderPermissionsRequired Filters access by the type of third-party provider permissions

codestar-connections:ProviderType

Filters access by the type of third-party provider passed in the request
codestar-connections:ProviderTypeFilter Filters access by the type of third-party provider used to filter results
codestar-connections:RepositoryName Filters access by the third-party repository name

Examples

To view examples of AWS CodeStar Notifications and AWS CodeStar Connections identity-based policies, see Identity-based policy examples.

AWS CodeStar Notifications and AWS CodeStar Connections resource-based policies

AWS CodeStar Notifications and AWS CodeStar Connections do not support resource-based policies.

Authorization based on tags

You can attach tags to AWS CodeStar Notifications and AWS CodeStar Connections resources or pass tags in a request. To control access based on tags, you provide tag information in the condition element of a policy using the codestar-notifications and codestar-connections:ResourceTag/key-name, aws:RequestTag/key-name, or aws:TagKeys condition keys. For more information about tagging strategies, see Tagging AWS resources. For more information about tagging AWS CodeStar Notifications and AWS CodeStar Connections resources, see Tag connections resources.

To view example identity-based policies for limiting access to a resource based on the tags on that resource, see Using tags to control access to AWS CodeStar Connections resources.

IAM roles

An IAM role is an entity within your AWS account that has specific permissions.

Using temporary credentials

You can use temporary credentials to sign in with federation, and assume an IAM role or a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as AssumeRole or GetFederationToken.

AWS CodeStar Notifications and AWS CodeStar Connections supports the use of temporary credentials.

Service-linked roles

Service-linked roles allow AWS services to access resources in other services to complete an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view but not edit the permissions for service-linked roles.

AWS CodeStar Notifications supports service-linked roles. For details about creating or managing AWS CodeStar Notifications and AWS CodeStar Connections service-linked roles, see Using service-linked roles for AWS CodeStar Notifications.

AWS CodeStar Connections does not support service-linked roles.