Add an IAM Role to a Project - AWS CodeStar

On July 31, 2024, Amazon Web Services (AWS) will discontinue support for creating and viewing AWS CodeStar projects. After July 31, 2024, you will no longer be able to access the AWS CodeStar console or create new projects. However, the AWS resources created by AWS CodeStar, including your source repositories, pipelines, and builds, will be unaffected by this change and will continue to function. AWS CodeStar Connections and AWS CodeStar Notifications will not be impacted by this discontinuation.

 

If you wish to track work, develop code, and build, test, and deploy your applications, Amazon CodeCatalyst provides a streamlined getting started process and additional functionality to manage your software projects. Learn more about functionality and pricing of Amazon CodeCatalyst.

Add an IAM Role to a Project

As of December 6, 2018 PDT, you can define your own roles and policies in the application stack (template.yml). To mitigate the risks of privilege escalation and destructive actions, you are required to set the project-specific permissions boundary for every IAM entity you create. If you have a Lambda project with multiple functions, it is a best practice to create an IAM role for each function.

To add an IAM role to your project
  1. Edit the template.yml file for your project.

  2. In the Resources: section, add your IAM resource, using the format in the following example:

    SampleRole:
      Description: Sample Lambda role
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Statement:
          - Effect: Allow
            Principal:
              Service: [lambda.amazonaws.com]
            Action: sts:AssumeRole
        ManagedPolicyArns:
          - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/CodeStar_${ProjectId}_PermissionsBoundary'

  3. Release your changes through the pipeline and verify success.
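
A check you could run before step 3, as an added example (not AWS code): it lists every IAM role or user in the template that lacks the project permissions boundary shown above. It assumes template.yml has already been parsed into a dict with `!Sub` expanded to its long form `{"Fn::Sub": ...}`; the function name and the sample resources are hypothetical.

```python
# Added example, not AWS code: flag IAM entities in a parsed template.yml
# that do not carry the CodeStar project permissions boundary.

# CloudFormation IAM resource types that accept a PermissionsBoundary property.
IAM_ENTITY_TYPES = {"AWS::IAM::Role", "AWS::IAM::User"}

# Boundary format taken from the SampleRole example on this page.
EXPECTED_BOUNDARY = (
    "arn:${AWS::Partition}:iam::${AWS::AccountId}:"
    "policy/CodeStar_${ProjectId}_PermissionsBoundary"
)


def find_unbounded_entities(template):
    """Return sorted (logical_id, reason) pairs for IAM entities without the boundary."""
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if not isinstance(resource, dict) or resource.get("Type") not in IAM_ENTITY_TYPES:
            continue  # not an IAM entity, nothing to check
        props = resource.get("Properties") or {}
        if "PermissionsBoundary" not in props:
            findings.append((logical_id, "missing PermissionsBoundary"))
        elif props["PermissionsBoundary"] != {"Fn::Sub": EXPECTED_BOUNDARY}:
            # Any other value (hard-coded ARN, different policy) is reported too.
            findings.append((logical_id, "boundary is not the project boundary"))
    return sorted(findings)


# Constructed sample: one role per Lambda function, only the first is bounded.
SAMPLE_TEMPLATE = {
    "Resources": {
        "ReaderRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"PermissionsBoundary": {"Fn::Sub": EXPECTED_BOUNDARY}},
        },
        "WriterRole": {"Type": "AWS::IAM::Role", "Properties": {}},
        "DeployUser": {
            "Type": "AWS::IAM::User",
            "Properties": {"PermissionsBoundary": "arn:aws:iam::aws:policy/PowerUserAccess"},
        },
        "ReaderFunction": {"Type": "AWS::Serverless::Function", "Properties": {}},
    }
}

if __name__ == "__main__":
    for logical_id, reason in find_unbounded_entities(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```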